Demoing uberAgent With the Event Generator for Splunk

Demonstrating uberAgent can be a bit difficult if you do not have a few dozen PCs or XenApp servers available. To simplify this, we offer an event generator that simulates a terminal server farm with 50 active servers and 25 user sessions each.

Architecture

The uberAgent event generator is based on Splunk’s event generator app. Splunk’s generator contains the logic; uberAgent’s generator contains the sample data. They are packaged as individual Splunk apps.

Both apps can be used on Windows and on Linux-based Splunk installations. Single server setups and distributed deployments are fully supported.

Installation

Splunk Event Generator

If you have a distributed Splunk environment, install the event generator on one of the indexers. If you have a single Splunk server, install the event generator on that server.

  • Download the generator from Splunkbase
  • On the Splunk server, navigate to Manage apps
  • Click Install app from file
  • Select the archive you downloaded earlier and click Upload
  • Restart Splunk

By default, the SA-Eventgen data input is disabled. To enable it:

  • Click on “Settings->Data inputs” and select “SA-Eventgen”
  • Change the status to enabled
  • Restart Splunk

Known issues with Splunk SA-Eventgen version 6.3.2

In some environments, Splunk’s event generator does not start generating events. If that’s the case in your environment, open the log file modinput_eventgen.log located in $SPLUNK_HOME/var/log/splunk.

Search for: ERROR [Eventgen] invalid literal for int() with base 10: 'o'

If that line exists, you are affected by this error. Downgrading to version 6.2.1 from Splunkbase helps fix the error. On Windows machines, you will also be affected by the error described here: Unable to initialize modular input “modinput_eventgen”. Follow the steps described there to fix this error. Deleting the line described there is less error-prone than commenting it out.

uberAgent Event Generator

Install the uberAgent event generator on the same server on which you installed Splunk’s event generator.

  • Download the uberAgent event generator (find out what’s new in the changelog)
  • On the Splunk server, navigate to Manage apps
  • Click Install app from file
  • Select the archive you downloaded earlier and click Upload
  • Restart Splunk

That’s it. The event generator starts generating events right after Splunk has been restarted. It will continue to do so for approx. 3 hours and then stop on its own. Just what you need for a demo. To re-enable it, restart Splunk again.

Configuration

Enabling or Disabling the Event Generator

To enable or disable the uberAgent event generator:

  1. On the Splunk server where the uberAgent event generator app is installed, navigate to Manage apps
  2. Locate the uberAgent event generator app and click on enable or disable
  3. Restart Splunk

Advanced Configuration

The uberAgent event generator app is configurable through the configuration file eventgen.conf. The default configuration should work for all Splunk environments, but can be modified if necessary. A detailed description of all possible options can be found on GitHub.