All Apps and Add-ons

Eventgen: Why is custom application not populating data while running searches?

ramitgoyal2
Engager

Hi All,

I have created a custom app "Destinations" in the Splunk Enterprise(free-version) and I have also changed the permissions so that the application is accessible to the Eventgen add-on, which i have installed as per the below instructions:

"1. Download the ZIP file from the Eventgen public repository, http://github.com/splunk/eventgen. Click on the green Clone or download button.
2. Extract the ZIP file to the root location for your environment.(in this case i have extracted it on C:\Windows)
3. Rename the extracted folder to SA-Eventgen. In Windows, this can be done with
the Windows GUI
4. Open an administrator Command Prompt or Linux shell and execute the
following command (the slashes are important):
Windows: C:> xcopy SA-Eventgen C:\Splunk\etc\apps\SA-Eventgen /O /X /E /H /K
5. In the prompt, type the following directory command to verify that the copy
works properly and the contents are in the folder:
Windows: C:> dir C:\Splunk\etc\apps\SA-Eventgen
6. Restart Splunk."

Till here everything is working fine.

"7. After logging in, you will now see the Eventgen app in the Splunk
Enterprise landing page(which is not visible, hence I have changed the properties in Manage Apps and set it to Visible). Go to the Manage Apps page and confirm that the SA-EventGen
application is installed."

Configuring Eventgen

"Proceed by first downloading the exercise materials that will be
used in this book. Open an administrator Command Prompt and make sure you are in
the root of the Windows machine or Linux user shell. Download the ZIP file and extract
it in your computer using https://github.com/PacktPublishing/Splunk-7-Essentials-Third-Edition.

Follow these instructions to proceed:
1. Extract the project ZIP file into your local machine. Open an administrator
console and use the change directory command to set where you extracted the
file.
2. Create a new samples directory in the Destinations Splunk app. The path of this
new directory will be $SPLUNK_HOME/etc/apps/destinations/samples:
Windows: C:> mkdir C:\Splunk\etc\apps\destinations\samples
3. Copy all the *.sample files from /labs/chapter01/eventgen of the extracted project directory into the newly created samples directory. Windows users can also copy and paste using a GUI:
Windows: copy C:\Windows\Splunk-7-Essentials-Third-Edition-master\Chapter01\eventgen*.sample C:\Splunk\etc\apps\destinations\samples
4. Now, copy the eventgen.conf into the $SPLUNK_HOME/etc/apps/destinations/localdirectory. Windows users can also copy and paste using the GUI if you prefer:
Windows: C:> copy C:\Windows\Splunk-7-Essentials-Third-Edition-master\Chapter01\eventgen\eventgen.conf C:\Splunk\etc\apps\destinations\local
5. Grant the SYSTEM Windows account full access permissions to the eventgen.conf
file.
C:> icacls C:\Splunk\etc\apps\destinations\local\eventgen.conf/ grant SYSTEM:F
A successful output of this command will look like this:
processed file: C:\Splunk\etc\apps\destinations\local\eventgen.conf
Successfully processed 1 files; Failed processing 0 files
6. Restart Splunk."

Till here, everything is working fine as expected.

Viewing the Destinations app
"Next we will see our Destinations app in action! Remember that we have configured it
to draw events from a prototype web company. That is what we did when we set it up
to work with Eventgen. Now, let's look at some of our data:
1. After a successful restart, log back in to Splunk and proceed to your new
Destinations app:
2. In the Search field, type this search query and select Enter:
SPL> index=main
Examine the event data that your new app is enabling to come into Splunk. You will see a lot of references to browsers, systems, and so forth, the kinds of information that
make a web-based e-commerce company run.
Try changing the time range to Real-time (5 minute window) to see the data flow in
before your eyes:"

Now, here is the problem as I am not getting any search results when searching for index=main. There is no data available, not even after changing the time range to Real-time(5 minute window) to see the data flow.

And hence I am not able to proceed further with the "Dashboard creation" and all the other things that are coming next in the further modules as stated.

Kindly help in resolving the issue and let me know what i am not getting the data generated from the Eventgen app

Please reach out to me on my email id: ramitgoyal.edu@yahoo.com with the solutions.

Thanks
Ramit Goyal

4stringdave
New Member

Did you create the local folder yourself or is that something that was supposed to be automatically created? It wasn't made clear in the book. I created the full directory after apps and place the eventgen file there but it's not showing up in the local inputs directories under data inputs

0 Karma

jeremytwaite
Engager

Good Afternoon Ramit, I ran into a similar issue with the same book and app. I spent a couple of hours going through permissions, uninstalling and reinstalling the apps, and it ended up being a simple fix, Data Inputs was not enabled for the SA-Eventgen app. To enable Data Inputs go to Settings -> Data Inputs (Under the Data Heading) -> click SA-Eventgen (Under Local Inputs heading). Under Status make sure it is enable . If it is not Click Enabled and within a couple of seconds I was seeing data in the main index of the Destinations app. Hope this helps. -J

donmccall
Engager

I am having the same problem. However, SA-Eventgen does not show up under my Local Inputs heading.

I went into Apps>SA-Eventgen>Permissions and changed the "Sharing for config file-only objects" to All apps and this seemed to correct the problem as the Index=main search generated data (not sure if it was the right data). However, going to the very next search in the book, index=main /bookings/confirmation earliest=-24h@h | timechart count span=15m did not return any results.

I feel like there is something wrong with the loaded samples but I did it exactly like the original poster.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...