Eventgen Troubleshooting

Moved to Notion · January 31, 2024

Background

Eventgen is a Splunk app designed for generating event logs. It is commonly used for testing and validating Splunk's functionalities by simulating various log events.

Following the steps given in the book "Splunk 7 Essentials 3/2", I created the Destinations app and configured it to search the event logs that Eventgen generates for that app:

Troubleshooting #1

After completing the steps, however, no event logs generated by Eventgen were displayed.

The issue was that the modular input for SA-Eventgen had not been enabled. I became aware of the cause when I saw the warning message shown on the SA-Eventgen dashboard.

So the solution is simply to enable the modular input for SA-Eventgen, like this:

(Screenshots #1 to #3 of enabling the modular input)

Now I can view the event logs generated by Eventgen in real time:

Troubleshooting #2

Unfortunately, there were further unexpected problems. The event logs contained invalid values:

These values come from destinations.samples, the sample file that provides the base format from which events are generated:

I don't know why the first row was written to the file. I removed it because I believe the base format should be the second row, whose tokens are the ones referenced in eventgen.conf:

I also deleted the timestamp configuration:

It was causing Eventgen parsing errors, which showed up in the Deployment logs panel on the Eventgen dashboard:
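
Both problems above (a sample row that no token in eventgen.conf matches, and a timestamp token whose format cannot parse the sample value) can be caught before Eventgen runs. The following lint script is an added example, not code from the post, the book or the Eventgen project; the eventgen.conf fragment and the sample rows are constructed for illustration, and the token regexes and format strings are assumptions.

```python
import configparser
import re
from datetime import datetime
# Constructed eventgen.conf fragment (hypothetical): token.N.token is a regex located in
# each sample row; for a "timestamp" token, replacement is the strftime format applied.
EVENTGEN_CONF = r"""
[destinations.samples]
token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
token.0.replacementType = timestamp
token.0.replacement = %Y-%m-%d %H:%M:%S
token.1.token = \$ipaddress\$
token.1.replacementType = random
token.1.replacement = ipv4
"""
# Constructed sample rows: row 0 mimics a stray first row (no token matches it), row 1 is well-formed.
SAMPLE_ROWS = [
    "this row does not belong in destinations.samples",
    "2024-01-31 10:15:00 $ipaddress$ GET /destinations 200",
]

def load_tokens(conf_text, stanza):
    """Return [(compiled regex, replacementType, replacement)] for the stanza's token.N.* keys."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in formats is not interpolation
    cp.optionxform = str  # keep the case of 'replacementType' as written in the file
    cp.read_string(conf_text)
    sec, tokens, i = cp[stanza], [], 0
    while f"token.{i}.token" in sec:
        t, rtype, repl = (sec[f"token.{i}.{k}"] for k in ("token", "replacementType", "replacement"))
        tokens.append((re.compile(t), rtype, repl))
        i += 1
    return tokens

def lint_rows(rows, tokens):
    """Map row index -> problems: a token that never matches, or a timestamp the format cannot parse."""
    problems = {}
    for idx, row in enumerate(rows):
        issues = []
        for regex, rtype, repl in tokens:
            m = regex.search(row)
            if m is None:
                issues.append(f"token {regex.pattern!r} not found in row")
            elif rtype == "timestamp":
                try:
                    datetime.strptime(m.group(0), repl)
                except ValueError:
                    issues.append(f"timestamp {m.group(0)!r} does not fit {repl!r}")
        if issues:
            problems[idx] = issues
    return problems
```

Run it against the real sample file and stanza: every row reported with "not found" for all tokens is a row that will never be tokenized, and a "does not fit" entry points at the timestamp setting that will fail parsing.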

References

https://github.com/PacktPublishing/Splunk-7-Essentials-Third-Edition

1 comment

February 1, 2024

Could I get your contact details?
Even Discord would be fine, I have a question.
