eventgen is not working ?

vikas_gopal · ‎10-27-2018

Hi Experts,

I tried hard to get this worked saw many posts and questions asked by many people . It seems I am doing something wrong . Here is what I am doing

1) Splunk version 7.2.0, Eventgen Version 6.3.0 latest
2) Download and installed Eventgen app
3) Create new app called test_app and create 3 folders in it

default
samples
metadata

4) Under Default folder I have created eventgen.conf file

[test_data\.txt]
mode = replay
timeMultiple = 2
backfill = -60m
backfillSearch = index=main source=eventgen

outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = changeme

token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3,6}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f

5) under samples folder I have created my sample text file
test_data.txt

2018-10-25 11:12:13,567 transType=ReplaceMe transID=000000 transGUID=0A0B0C userName=bob city="City" state=State zip=00000 value=0

6) My metadata folder hold a file called default.meta

[eventgen]
access = read : [ * ], write : [ admin ]
export = system

Now after above all steps I checked in search/eventgen app their is not data even I checked it from past 7 days . I am using below simple query

index=main source=eventgen

Please help me to understand what I am missing here , is their any settings that needs to enable here .

Regards
VG

kamlesh_vaghela · ‎10-28-2018

@vikas_gopal

Can you please check data input is enabled or not?

Go to: Settings->Data inputs » SA-Eventgen

jkat54 · ‎10-28-2018

Anything in index=_internal log_level=error OR log_level=warn*

eventgen is not working ?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!