Getting Data In

Eventgen is not generating any data.

damiko
Communicator

Hello dear Splunkers. I'm trying to generate some access log data in Splunk by Eventgen but I might be doing something wrong.
1) Created "test_app" folder in splunk/etc/apps
2) Have put eventgen in test_app/default/
3) Got some access log samples from Splunk TA Apache

Please find attached screenshots below. Thanks in advance!

0 Karma

eddiet
Explorer

Notwithstanding any issues with your sample and config, ensure the following 2 basic setup tasks have been done:

  1. Enable the eventgen modular input. I'm using version 6.5.2, where it is disabled by default.
  2. Set your app to global permissions. This is where I got stuck; having skim-read the manual a couple of times, I failed to read the final paragraph where it is mentioned.
0 Karma

lakshman239
Influencer

Can you please check this out? https://www.splunk.com/blog/2013/07/31/an-easy-way-to-generate-sample-data.html

You need to have your sample file, eventgen.conf and optionally inputs.conf to be able to re-play samples to create events for you.

If Splunk TA Apache has samples and eventgen.conf as part of the app, and you enable your SA-eventgen app and restart your instance, it should work and generate events. [ eventgen to be used only in dev/testing and not in live]

0 Karma

damiko
Communicator

I tried these steps too. No use, still getting no data but some errors like:
03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/eventgen_core.py", line 336, in _worker_do_work

0 Karma

lakshman239
Influencer

Is eventgen working for any other samples in your env? [ you can also use the GUI in the eventgen to help troubleshoot]

0 Karma

damiko
Communicator

Nope, it is not. How do I use the GUI in the EvGen?

0 Karma

lakshman239
Influencer

Log on to the Splunk user interface, go to 'Apps' at the top and select 'Manage Apps'. Then navigate to the SA-eventgen app and click 'Launch app'. This will bring up the GUI, and you can enter your sample OR select 'All'.

If the app is not enabled, please enable the app.

0 Karma

damiko
Communicator

I tried to do it, but EvGen just opens it like a new search 😕

0 Karma

lakshman239
Influencer

Seems a new and better version of eventgen is available. Please check and install this and re-test your scenario. The docs also appear better and all in one place now: https://splunkbase.splunk.com/app/1924/#/details

0 Karma

kamlesh_vaghela
SplunkTrust

@damiko

Are you using the latest Eventgen? https://splunkbase.splunk.com/app/1924

Can you please check that SA-Eventgen is enabled as an input under Settings > Data inputs?

see: http://splunk.github.io/eventgen/SETUP.html#Finishing%20the%20Install

0 Karma

damiko
Communicator

My comments with error messages keep getting deleted o_o.

03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/eventgen_core.py", line 336, in _worker_do_work

0 Karma

damiko
Communicator

Yes, I'm using the latest EvGen, and yes, data inputs are enabled.

0 Karma

kamlesh_vaghela
SplunkTrust

@damiko

Can you please share your sample events and sample values?

0 Karma

damiko
Communicator

Sure, no problem. However, where do I get sample events? Sorry, new to Splunk 🙂
https://ibb.co/X2RBdN9
https://ibb.co/ynCDcRm

0 Karma

kamlesh_vaghela
SplunkTrust

@damiko

It would be great if you gave me the first line (as text) from apache_access_log.sample.
:)

damiko
Communicator

I've got so many errors there, wow.
Here are some examples:

10.0.0.48 - damir [05/Mar/2019:16:10:17.323 +0600] "GET /en-US/splunkd/_raw/services/search/shelper?output_mode=json&snippet=true&snippetEmbedJS=false&namespace=test_app&search=search+index%3D%22_internal%22+eventgen+ERROR&useTypeahead=true&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&=1551779967811 HTTP/1.1" 200 5502 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" - 99870ee535dcbf8f5b8c46463a93530a 70ms

03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" NameError: global name 'get_time_difference' is not defined

03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" raise e

03-05-2019 16:05:53.649 +0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/eventgen_core.py", line 336, in _worker_do_work

0 Karma

damiko
Communicator

Oh, ok. My bad 😄
Please check below:
There are 3 cell symbols before SRC, but they keep being deleted in a comment, not in splunk folder 🙂

### SRC_IP ### ### SITE ### - ### USER ### 80 [03/May/2016:12:59:05 -0700] "GET /server-status?auto HTTP/1.1" "?auto" 200 871 "-" "### USER_AGENT ###" 146 1024 1253

0 Karma
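lakshman239's answer above says Eventgen needs the sample file plus an eventgen.conf (and optionally inputs.conf). As an added example, not taken from this thread or from Splunk TA Apache, here is what an eventgen.conf in test_app/default/ could look like for the apache_access_log.sample line damiko posted, using the "### NAME ###" token form shown in that line. The stanza name, index, sourcetype, host, lookup-file paths and timing values are assumptions; adjust them to your app.

```ini
# Added example eventgen.conf for test_app/default/ (not the thread's or
# Splunk TA Apache's own config). Assumes the sample file lives at
# test_app/samples/apache_access_log.sample and uses "### NAME ###" tokens.
[apache_access_log.sample]
# Emit 10 events every 15 seconds, timestamped within the last 15 seconds
interval = 15
earliest = -15s
latest = now
count = 10

# Deliver through the modular input into a dedicated test index (assumed
# name) so synthetic access logs never mix with real web server data.
outputMode = modinput
index = eventgen_test
sourcetype = access_combined
source = /var/log/apache2/access.log
host = webtest01.example.com

# Token 0: rewrite the fixed timestamp in the sample to the generation time
token.0.token = \d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} -0700
token.0.replacementType = timestamp
token.0.replacement = %d/%b/%Y:%H:%M:%S -0700

# Token 1: random client address
token.1.token = ### SRC_IP ###
token.1.replacementType = random
token.1.replacement = ipv4

# Tokens 2-4: pick a value from one-per-line lookup files (assumed paths)
token.2.token = ### SITE ###
token.2.replacementType = file
token.2.replacement = $SPLUNK_HOME/etc/apps/test_app/samples/sites.sample

token.3.token = ### USER ###
token.3.replacementType = file
token.3.replacement = $SPLUNK_HOME/etc/apps/test_app/samples/users.sample

token.4.token = ### USER_AGENT ###
token.4.replacementType = file
token.4.replacement = $SPLUNK_HOME/etc/apps/test_app/samples/user_agents.sample
```

After restarting Splunk (or disabling and re-enabling the SA-Eventgen input), search the assumed index for the sourcetype and confirm no literal "### ... ###" strings remain in the events; an unreplaced token usually means the regex in token.N.token does not match the sample text exactly. Keeping generated events in their own index, as above, also keeps any detections or dashboards built on real access logs from being skewed by test traffic.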

kamlesh_vaghela
SplunkTrust

Thanks @damiko

Meanwhile, can you please check for any backend error in splunkd? Just execute the search below:

index="_internal" eventgen ERROR

kamlesh_vaghela
SplunkTrust

From the samples folder. See your screenshot screenshot-89.png.

damiko
Communicator

Please follow the links I've added on my previous comment.

0 Karma