splunk / eventgen

Splunk Event Generator: Eventgen
Apache License 2.0

[BUG] eventgentoken.py - rated integer token #415

Open mickotronic opened 3 years ago

mickotronic commented 3 years ago

Describe the bug

eventgentoken.py has a bug where, if you use replacementtype = rated and replacement = integer in the config, it incorrectly uses s.now(), instead of the hour value.

Line 282:

    rateFactor = s.hourOfDayRate[str(s.now())]

It should use what float uses:

    rateFactor = s.hourOfDayRate[str(now.hour)]

I made two fixes to the file and now it works, to make it more in line with how the float handles it:

Before:

    if endInt >= startInt:
        replacementInt = random.randint(startInt, endInt)
        if self.replacementType == "rated":
            rateFactor = 1.0
            if type(s.hourOfDayRate) == dict:
                try:
                    rateFactor *= s.hourOfDayRate[str(s.now())]

After:

    if endInt >= startInt:
        replacementInt = random.randint(startInt, endInt)
        if self.replacementType == "rated":
            rateFactor = 1.0
            now = s.now()
            if type(s.hourOfDayRate) == dict:
                try:
                    rateFactor *= s.hourOfDayRate[str(now.hour)]

To Reproduce

Steps to reproduce the behavior:

  1. Add an eventgen input that uses token replacementtype = rated, replacement = integer, and hourOfDayRate.
  2. Also, for that same eventgen input, use a token replacement where replacementtype = rated and replacement = float.
  3. Restart eventgen.
  4. Check eventgen logs/errors, and if data is being generated.
  5. Change the first token replacement to be a float as well.
  6. Restart eventgen.
  7. Check eventgen logs/errors, and if data is being generated.

Expected behavior

Step 4: Events are generated where the tokens are replaced randomly in the int/float range, rated by the hourOfDayRate.

Step 7: Same as above.

Actual behavior

Step 4: Events are not generated, error in the logs, the value can't be found in the hourOfDay dict with the key: "'2020-10-30 17:19:54.819649'". That is because it should be giving it the hour, not the whole date.

Step 7: Events are generated and rated as expected.

Sample files and eventgen.conf file

Attached files

Do you run eventgen with SA-eventgen? Yes

Additional context

Python error when using integer replacement for rated replacementtype:

    KeyError: '2020-10-30 17:19:54.819649'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/eventgen_core.py", line 350, in _generator_do_work
        item.run(output_counter=output_counter)
      File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/generatorplugin.py", line 225, in run
        samplename=self._sample.name,
      File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/plugins/generator/default.py", line 76, in gen
        GeneratorPlugin.build_events(self, eventsDict, startTime, earliest, latest)
      File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/generatorplugin.py", line 42, in build_events
        eventsDict, earliest, latest, ignore_tokens=ignore_tokens
      File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/generatorplugin.py", line 272, in replace_tokens
        pivot_timestamp=pivot_timestamp,
      File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/eventgentoken.py", line 85, in replace
        pivot_timestamp=pivot_timestamp,
      File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/eventgentoken.py", line 289, in _getReplacement
        % stack
    TypeError: not enough arguments for format string

mickotronic commented 3 years ago

Uploading sample/config files eventgensample.perfmonmk.txt eventgenbug-eventgen.conf.txt
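
The lookup difference reported in this issue, as an added example that is not part of the original issue or the eventgen code base: a minimal model of the rated integer replacement that compares the "Before" and "After" dictionary keys across all 24 hours. The function names, the sample rate table and the rounding step are assumptions made for illustration.

```python
import datetime
import random

# Constructed sample: hourOfDayRate keyed by hour strings "0".."23",
# as implied by the str(now.hour) lookup in the report (values are assumed).
HOUR_OF_DAY_RATE = {str(h): (0.5 if h < 8 else 1.0) for h in range(24)}

# Timestamp taken from the KeyError message quoted in the report.
SAMPLE_NOW = datetime.datetime(2020, 10, 30, 17, 19, 54, 819649)


def rate_factor_buggy(hour_of_day_rate, now):
    """Lookup as in the 'Before' snippet: keyed by the full timestamp string."""
    return 1.0 * hour_of_day_rate[str(now)]


def rate_factor_fixed(hour_of_day_rate, now):
    """Lookup as in the 'After' snippet: keyed by the hour only."""
    return 1.0 * hour_of_day_rate[str(now.hour)]


def rated_integer(start, end, hour_of_day_rate, now, lookup, rng=random):
    """Hypothetical stand-in for the rated integer replacement: pick a random
    integer in [start, end] and scale it by the rate factor for that hour."""
    value = rng.randint(start, end)
    if isinstance(hour_of_day_rate, dict):
        value = int(round(value * lookup(hour_of_day_rate, now), 0))
    return value


def check_all_hours(lookup):
    """Regression check: return the hours of the day for which lookup fails."""
    failures = []
    for hour in range(24):
        now = SAMPLE_NOW.replace(hour=hour)
        try:
            rated_integer(1, 100, HOUR_OF_DAY_RATE, now, lookup)
        except KeyError:
            failures.append(hour)
    return failures


if __name__ == "__main__":
    print("buggy lookup fails for hours:", check_all_hours(rate_factor_buggy))
    print("fixed lookup fails for hours:", check_all_hours(rate_factor_fixed))
```

A check like `check_all_hours` belongs in a unit test for any rated replacement type, since the failure only appears when `hourOfDayRate` is configured.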