Solved: Re: Eventgen not running

leongchongyu · ‎05-14-2018

Hi all, I am trying to get eventgen working. I did a basic troubleshooting test on eventgen by running it from the command line, but it is reporting errors.

[splunk@sh ~]$ cd /opt/splunk/etc/apps/eventgen
[splunk@sh eventgen]$ python bin/eventgen.py -s /opt/splunk/etc/apps/eventgen/local/eventgen.conf
2018-05-14 18:35:07,265 INFO Starting eventgen
2018-05-14 18:35:12,272 INFO Retrieving eventgen configurations with ConfigParser()
2018-05-14 18:35:12,319 INFO Creating timer object for sample 'hp_print_sample.log' in app 'eventgen'
2018-05-14 18:35:12,319 INFO Starting timers
2018-05-14 18:35:12,320 ERROR Exception in sample: hp_print_sample.log
Traceback (most recent call last):
  File "bin/eventgen.py", line 47, in run
    partialInterval = self.sample.gen()
  File "/opt/splunk/etc/apps/eventgen/lib/eventgensamples.py", line 134, in gen
    self._out = Output(self)
  File "/opt/splunk/etc/apps/eventgen/lib/eventgenoutput.py", line 125, in __init__
    self._fileHandle = open(self._file, 'a')
IOError: [Errno 2] No such file or directory: '$SPLUNK_HOME/var/spool/splunk/hp_print_sample.log'

Exception in sample: hp_print_sample.log
Traceback (most recent call last):
  File "bin/eventgen.py", line 47, in run
    partialInterval = self.sample.gen()
  File "/opt/splunk/etc/apps/eventgen/lib/eventgensamples.py", line 134, in gen
    self._out = Output(self)
  File "/opt/splunk/etc/apps/eventgen/lib/eventgenoutput.py", line 125, in __init__
    self._fileHandle = open(self._file, 'a')
IOError: [Errno 2] No such file or directory: '$SPLUNK_HOME/var/spool/splunk/hp_print_sample.log'

This is my eventgen.conf file.

[hp_print_sample.log]
mode = sample 
sampletype = raw 
interval = 1
earliest = -15s
latest = now
#perDayVolume = 0.5
randomizeEvents = true
randomizeCount = 0.5
disabled = false 
hourOfDayRate = { "0": 0.1, "1": 0.1, "2": 0.1, "3": 0.1, "4": 0.2, "5": 0.1, "6": 0.2, "7": 0.3, "8": 0.7, "9": 0.9, "10": 0.7, "11": 0.9, "12": 0.9, "13": 0.9, "14": 0.8, "15": 0.7, "16": 0.8, "17": 0.7, "18": 0.7, "19": 0.5, "20": 0.4, "21": 0.2, "22": 0.1, "23": 0.1 }
dayOfWeekRate = { "0": 0.1, "1": 0.7, "2": 0.8, "3": 0.7, "4": 0.9, "5": 0.7, "6": 0.2 }

outputMode = file
splunkHost = /opt/splunk/etc/apps/eventgen/data/test.log

token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3,6}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S,%f

token.1.token = \d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}.\d{3,6}
token.1.replacementType = timestamp
token.1.replacement = %m-%d-%Y %H:%M:%S.%f

token.2.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}.\d{3,6}
token.2.replacementType = timestamp
token.2.replacement = %d/%b/%Y:%H:%M:%S.%f

token.3.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
token.3.replacementType = timestamp
token.3.replacement = %Y-%m-%d %H:%M:%S

token.4.token = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}
token.4.replacementType = timestamp
token.4.replacement = %Y-%m-%dT%H:%M:%S

When I try to add the hp_print_sample.log file to $SPLUNK_HOME/var/spool/splunk, it automatically deletes the file when I try to add it. What's going on and what can I try to troubleshoot this?

leongchongyu · ‎05-15-2018

This problem has been solved. splunkHost should be fileName in the eventgen.conf file.

View solution in original post

leongchongyu · ‎05-15-2018

This problem has been solved. splunkHost should be fileName in the eventgen.conf file.

Eventgen not running

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...