Here are some troubleshooting tips to help you make the best use of the Eventgen data generation tool. These tips are intended to show you how to use various Eventgen features in ways that give you greater insight into your code. Dive deeper into how to use the tips suggested here by reading the Eventgen documentation on the GitHub splunk/eventgen repository.
Verify that you have permissions set correctly by viewing the <host><managementPort>/services/configs/eventgen endpoint. There, you should see every sample that you've configured and their parameters. If you don't see a sample listed, either permissions are not set correctly or eventgen.conf is not installed correctly.
Permissions apply to modular input mode.
Eventgen can be run either manually from the command line or as a modular input.
Running Eventgen from the command line can be useful for quickly debugging your eventgen configuration:
python bin/eventgen.py -s <sample>
This runs Eventgen using the
sample configuration file and outputs
the results to
stdout. Use the
-v (verbose) argument
to output autogenerated events and
-d (debug) option to output debug
You can choose to run in replay mode or sample mode to generate samples. An advantage of replay mode is that it allows you to take an export of existing data and replay it in the current time. Replay mode gives you more flexibility than sample mode, which is necessarily random. Generally, you'll find that it is usually sufficient to run in sample mode.
Replay mode is single-threaded because it depends on timestamp extraction to generate events in their correct sequence. You can encounter two undesirable effects, that you might not expect: 1) because replay mode is single-threaded, event throughput is significantly slower than in sample mode, and 2) it's possible that timestamps are not always recognized so events can be missed.
To improve performance, you can specify the number of events to queue before
flushing the queue. Set the
[ global ] MaxIntervalsBeforeFlush
parameter to the number of events to be queued before flushing the queue. (An
event interval is the interval you defined an event to be.)
If you are using a CSV file to specify event samples, use Microsoft Excel to produce/test a well-formed CSV file.
Did you know you can use Eventgen to do performance testing?
To learn how to do performance testing with Eventgen, read the Performance documentation, on the dev branch.
A quick way to see if there might be performance issues is to observe queue sizes in your debug output. If your queue sizes and throughput values are stuck at zero or unusually high, it might indicate performance problems.