Appendix B: Eventgen troubleshooting tips

Here are some troubleshooting tips to help you make the best use of the Eventgen data generation tool. These tips are intended to show you how to use various Eventgen features in ways that give you greater insight into your code. Dive deeper into how to use the tips suggested here by reading the Eventgen documentation on the GitHub splunk/eventgen repository.

Setting permissions

Verify that you have permissions set correctly by viewing the <host>:<managementPort>/services/configs/conf-eventgen endpoint. There, you should see every sample that you've configured and their parameters. If you don't see a sample listed, either permissions are not set correctly or eventgen.conf is not installed correctly.

Permissions apply to modular input mode.

Using the command line

Eventgen can be run either manually from the command line or as a modular input.

Running Eventgen from the command line can be useful for quickly debugging your Eventgen configuration:

    python bin/ -s <sample>

This runs Eventgen using the sample configuration file and outputs the results to stdout. Use the -v (verbose) option to output autogenerated events and the -d (debug) option to output debug information.

Replay mode and timestamp extraction

You can choose to run in replay mode or sample mode to generate samples. An advantage of replay mode is that it allows you to take an export of existing data and replay it in the current time. Replay mode gives you more flexibility than sample mode, which is necessarily random. Generally, you'll find that running in sample mode is sufficient.

Replay mode is single-threaded because it depends on timestamp extraction to generate events in their correct sequence. This can cause two undesirable effects that you might not expect: 1) because replay mode is single-threaded, event throughput is significantly slower than in sample mode, and 2) timestamps are not always recognized, so events can be missed.
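
The second effect can be checked before a replay run. The following is an added example, not part of the original page or of Eventgen's own code: it scans a replay sample and lists the lines whose timestamp would not be recognized, plus lines whose timestamp goes backwards relative to an earlier line. TS_REGEX, TS_FORMAT, the function name and the sample lines are assumptions; substitute the pattern and format that your own timestamp token uses.

```python
import re
from datetime import datetime

# Constructed sample lines (not real data) standing in for a replay export.
SAMPLE_LINES = [
    "2024-03-01 12:00:01 action=login user=alice status=success",
    "2024-03-01 12:00:03 action=login user=bob status=failure",
    "Mar  1 12:00:05 host1 sshd[411]: Failed password for bob",    # other format
    "2024-03-01 12:00:02 action=logout user=alice",                 # goes backwards
    "2024-02-30 12:00:09 action=login user=carol status=success",   # impossible date
]

# Assumed stand-ins for the timestamp regex and strptime format in your config.
TS_REGEX = r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def check_replay_timestamps(lines, ts_regex, ts_format):
    """Report lines whose timestamp cannot be extracted or breaks the sequence."""
    pattern = re.compile(ts_regex)
    report = {"parsed": 0, "unrecognized": [], "out_of_order": []}
    latest = None  # most recent timestamp seen so far
    for lineno, line in enumerate(lines, start=1):
        match = pattern.search(line)
        if match is None:
            report["unrecognized"].append((lineno, "regex did not match"))
            continue
        try:
            ts = datetime.strptime(match.group(1), ts_format)
        except ValueError as exc:
            # The regex matched text that is not a valid date in this format.
            report["unrecognized"].append((lineno, f"strptime failed: {exc}"))
            continue
        report["parsed"] += 1
        if latest is not None and ts < latest:
            report["out_of_order"].append(lineno)
        else:
            latest = ts
    return report


if __name__ == "__main__":
    result = check_replay_timestamps(SAMPLE_LINES, TS_REGEX, TS_FORMAT)
    print(f"parsed: {result['parsed']} of {len(SAMPLE_LINES)}")
    for lineno, reason in result["unrecognized"]:
        print(f"line {lineno}: timestamp not recognized ({reason})")
    for lineno in result["out_of_order"]:
        print(f"line {lineno}: timestamp earlier than a previous line")
```

A line that matches the regex but fails strptime is reported separately from one that does not match at all, because the two need different fixes: the first points to a wrong format string or bad data, the second to a wrong pattern or a mixed-format sample.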

Flushing event queues

To improve performance, you can specify the number of events to queue before flushing the queue. Set the [global] MaxIntervalsBeforeFlush parameter to the number of events to be queued before flushing the queue. (An event interval is the interval you defined an event to be.)

Troubleshooting CSV samples

If you are using a CSV file to specify event samples, use Microsoft Excel to produce/test a well-formed CSV file.

Performance testing

Did you know you can use Eventgen to do performance testing?

To learn how to do performance testing with Eventgen, read the Performance documentation on the dev branch.

A quick way to see if there might be performance issues is to observe queue sizes in your debug output. If your queue sizes and throughput values are stuck at zero or unusually high, it might indicate performance problems.