[BUG] What outputMode really means ?

[rendi7936]

Describe the bug I use EventGen in Splunk to generate a sample log. I use same stanza name ( which refer to sample log name ) but using different outputMode.

I get the same sample log result after using different outputMode. Question that i want to ask is what the difference of outputMode ?

Do you run eventgen with SA-eventgen? Yes

If you are using SA-Eventgen with Splunk (please complete the following information):

• OS: CentOS Linux 7 (Core) x86_64
• Browser : Google Chrome
• Eventgen Version : 7.0.0
• Splunk Version : 8.0.0
• Deployment : In Docker but not using Splunk Original Docker Image, i use centos-systemd image

[li-wu]

outputMode = modinput | s2s | file | splunkstream | stdout | devnull | spool | httpevent | syslogout | tcpout | udpout | metric_httpevent

outputMode means different destination for the generated events. For example, if you are using SA-Eventgen app, the default value for outputMode is modinput. If you want to output the generated events via HEC endpoint you should use httpevent when you are using Eventgen as pip module. Hope it helps.

[rblake-splunk]

Does this mean that some output modes are not available using the SA-Eventgen app, and some are only available using the pip module?

[li-wu]

Yes, the default outputMode for SA-Eventgen app is modinput and change not be changed. If you are using Eventgen as pip module, you can use other outputModes.

[rblake-splunk]

File output seems to work with the app.

[li-wu]

Yes, it might work. But the app is designed to ingest data into Splunk using modinput. If you want to generate data into file, using pip module might be more suitable.

[rblake-splunk]

It would be great if this was documented - I spent ages spinning my wheels trying to get syslogout working using the app.