Eventgen is an amazing tool for Splunk users to generate logs for testing and for creating detection use cases, but it breaks easily if eventgen.conf contains a wrong configuration. The error below was caused by a single missing square bracket in the configuration file.


Log file location:

tail -f /opt/splunk/var/log/splunk/modinput_eventgen.log

After any change to eventgen.conf you don't need to restart the Splunk service; you can just reload the add-ons using:

https://splunk_sh:8000/en-US/debug/refresh

So to avoid breaking log generation, it is good practice to make one change at a time, reload, and then check the log to see that everything is still working.

Error:

2023-05-26 20:18:29,274 DEBUG [Eventgen] Initialized ModularInput Logger
2023-05-26 20:18:29,274 DEBUG [Eventgen] Setting up SA-Eventgen Modular Input
2023-05-26 20:18:46,460 DEBUG [Eventgen] Initialized ModularInput Logger
2023-05-26 20:18:46,461 DEBUG [Eventgen] Setting up SA-Eventgen Modular Input
2023-05-26 20:18:46,548 INFO [Eventgen] Initialized streaming
2023-05-26 20:18:46,548 INFO [Eventgen] Input Config is: {'server_host': 'splunkes', 'server_uri': 'https://127.0.0.1:8089', 'session_key': '0baJcnezR7', 'checkpoint_dir': '/opt/splunk/var/lib/splunk/modinputs/modinput_eventgen', 'configuration': "{'modinput_eventgen://default': {'name': 'modinput_eventgen://default', 'disabled': 'false', 'host': '$decideOnStartup', 'index': 'default', 'python.version': 'python3', 'verbosity': '40'}}"}
2023-05-26 20:18:46,549 DEBUG [Eventgen] Creating default args for modinput
2023-05-26 20:18:46,550 INFO [Eventgen] Prepared Config
2023-05-26 20:18:46,550 INFO [Eventgen] Eventgen object generated
2023-05-26 20:18:46,551 INFO [Eventgen] Config object generated
2023-05-26 20:18:46,552 INFO [Eventgen] Config made Splunk Embedded
2023-05-26 20:18:47,664 ERROR [Eventgen] unterminated character set at position 10
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py", line 142, in run
eventgen.config.parse()
File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/eventgenconfig.py", line 462, in parse
if stanza != stanza_item and re.match(stanza, stanza_item):
File "/opt/splunk/lib/python3.7/re.py", line 175, in match
return _compile(pattern, flags).match(string)
File "/opt/splunk/lib/python3.7/re.py", line 288, in _compile
p = sre_compile.compile(pattern, flags)
File "/opt/splunk/lib/python3.7/sre_compile.py", line 764, in compile
p = sre_parse.parse(p, flags)
File "/opt/splunk/lib/python3.7/sre_parse.py", line 924, in parse
p = _parse_sub(source, pattern, flags & SRE_FLAG_VERBOSE, 0)
File "/opt/splunk/lib/python3.7/sre_parse.py", line 420, in _parse_sub
not nested and not items))
File "/opt/splunk/lib/python3.7/sre_parse.py", line 526, in _parse
source.tell() - here)
re.error: unterminated character set at position 10
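The traceback shows why one missing bracket is fatal: eventgenconfig.py passes each stanza name to re.match() as a pattern, so a stanza header that is not a valid regular expression aborts the whole config parse before any events are generated. The following pre-check is an added example written for this post, not code from the Eventgen project: it scans an eventgen.conf text for stanza headers, flags any that are not of the form [name] and any whose name does not compile as a regex, so the problem is caught before reloading the add-on. It assumes headers are recognised the way configparser does (everything between the first "[" and the last "]" on the line); the sample configuration is constructed.

```python
import re

# Same shape as configparser's section-header regex: "[" + name + "]" (assumption
# that Eventgen recognises headers the same way; the name is then used as a regex).
HEADER_RE = re.compile(r"^\[(?P<name>.+)\]\s*$")

# Constructed sample eventgen.conf. Line 4 has an unterminated character set
# inside the stanza name, line 7 is missing its closing bracket entirely.
SAMPLE_CONF = """\
[global]
outputMode = stdout

[sample_[a-z.log]
interval = 10

[web_access.log
interval = 5

[firewall*.log]
interval = 3
"""


def check_stanza_regexes(conf_text):
    """Return a list of (line_number, header_or_name, message) for every stanza
    header that Eventgen's parser would choke on.

    Two failure modes are reported:
      * the header line does not look like [name] at all, and
      * the name is syntactically a header but does not compile as a regex,
        which is exactly what re.match(stanza, stanza_item) raises on.
    """
    problems = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("["):
            continue  # key = value lines and comments are not checked here
        match = HEADER_RE.match(line)
        if not match:
            problems.append((lineno, line, "stanza header is not of the form [name]"))
            continue
        name = match.group("name")
        try:
            re.compile(name)
        except re.error as exc:
            problems.append((lineno, name, f"stanza name is not a valid regex: {exc}"))
    return problems


def check_file(path):
    """Convenience wrapper: run the check on an on-disk eventgen.conf."""
    with open(path, encoding="utf-8") as fh:
        return check_stanza_regexes(fh.read())


if __name__ == "__main__":
    for lineno, what, message in check_stanza_regexes(SAMPLE_CONF):
        print(f"line {lineno}: {what!r}: {message}")
```

Run it against a real file with check_file("/opt/splunk/etc/apps/<your app>/local/eventgen.conf") before hitting the refresh URL; an empty list means every stanza name at least compiles. Note that a name like firewall*.log passes the check because it is a valid regex, even though as a regex it does not mean what a glob would.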