Describe the bug
The stanza below in eventgen.conf has stopped working since Jan 2021 in Eventgen v7.0.0. Before Jan 2021 it was working fine.
[aws_billing_detailed_planner.sample]
outputMode = splunkstream
count = -1
end = 1
earliest = -1mon
latest = -1mon
index = main
sourcetype = aws:billing
source = s3://aws-billing-detailed-line-items-with-resources-and-tags-2017-11.csv.zip
It gives an error in splunkd.log. Sharing a piece of the error here:
01-06-2021 07:48:34.401 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2021-01-06 07:48:34 eventgen ERROR MainProcess Cannot parse relative time string
01-06-2021 07:48:34.402 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2021-01-06 07:48:34 eventgen ERROR MainProcess unsupported operand type(s) for -: 'datetime.datetime' and 'bool'
01-06-2021 07:48:34.402 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" Traceback (most recent call last):
01-06-2021 07:48:34.402 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/eventgen_core.py", line 259, in _worker_do_work
01-06-2021 07:48:34.402 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" item.run()
01-06-2021 07:48:34.402 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/eventgentimer.py", line 84, in run
01-06-2021 07:48:34.402 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" self.real_run()
01-06-2021 07:48:34.402 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/eventgentimer.py", line 170, in real_run
01-06-2021 07:48:34.402 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" et = self.sample.earliestTime()
01-06-2021 07:48:34.402 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" File "/opt/splunk/etc/apps/SA-Eventgen/lib/splunk_eventgen/lib/eventgensamples.py", line 270, in earliestTime
01-06-2021 07:48:34.402 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" temptd = self.now(realnow=True) - tempearliest
01-06-2021 07:48:34.402 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" TypeError: unsupported operand type(s) for -: 'datetime.datetime' and 'bool'
We have tested various scenarios by changing machine DateTime to February and March 2021 and earliest/latest time to -31d and -2mon.
This error is generated only for the scenario: machine time in Jan 2021 and earliest/latest "-1mon".
To Reproduce
Steps to reproduce the behavior:
Install Splunk 8.1.1
Install Eventgen 7.0.0
Place eventgen.conf (content added below) under $SPLUNK_HOME$/etc/apps/search/default/
Place issue-reproduce.sample (content added below) under $SPLUNK_HOME$/etc/apps/search/samples/
Restart Splunk
Enable Eventgen modular Input
Open search and search "index=main" string in time range "All time"
Expected behavior
The event placed under issue-reproduce.sample file should be indexed in the main index.
Actual behavior
The event is not indexed. An error is reported in splunkd.log (log snippet mentioned above).
Sample files and eventgen.conf file
eventgen.conf
[global]
debug = false
verbose = false
outputMode = splunkstream
splunkHost = localhost
splunkUser = admin
splunkPass = admin
host = eventgen-hod
randomizeEvents = false
index = main
maxIntervalsBeforeFlush = 1
[issue-reproduce.sample]
outputMode = splunkstream
earliest = -1mon
latest = -1mon
index = main
sourcetype = test
source = test
issue-reproduce.sample
Test line to be indexed
Do you run eventgen with SA-eventgen?
Yes
If you are using SA-Eventgen with Splunk (please complete the following information):
OS: Centos 7.6
Browser: chrome
Eventgen Version: 7.0.0
Splunk Version: 8.1.1
What other apps do you have installed in Splunk etc/apps? It is reproducible without any other app installed in Splunk.
Additional context
We have tried to reproduce the same scenario in Eventgen 7.2.0. We got the same error in eventgen.log
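An added example, not Eventgen's code and not part of the original report: assuming the failure comes from month arithmetic that does not borrow from the year (the report shows only the symptom), it reproduces the `datetime - bool` TypeError for a January clock and shows a month shift that rolls the year and raises on unparseable input. All function names here are hypothetical.

```python
import calendar
import re
from datetime import datetime, timedelta

_REL = re.compile(r"^([+-])(\d+)(mon|d|h|m|s)$")
_DELTA = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}

def naive_minus_months(now, months):
    """Assumed failure mode: no year borrow, so January - 1 asks for month 0."""
    try:
        return now.replace(month=now.month - months)
    except ValueError:
        return False  # bool sentinel instead of an exception, as the log implies

def shift_months(now, months):
    """Move by whole months, borrowing/carrying the year and clamping the day."""
    index = now.year * 12 + (now.month - 1) + months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return now.replace(year=year, month=month0 + 1, day=min(now.day, last_day))

def parse_relative(spec, now):
    """Resolve specs like '-1mon' or '-31d'; raise instead of returning a bool."""
    match = _REL.match(spec.strip())
    if match is None:
        raise ValueError(f"cannot parse relative time string: {spec!r}")
    sign, amount, unit = match.groups()
    amount = int(amount) * (-1 if sign == "-" else 1)
    if unit == "mon":
        return shift_months(now, amount)
    return now + timedelta(**{_DELTA[unit]: amount})

def demo():
    now = datetime(2021, 1, 6, 7, 48, 34)  # constructed: timestamp taken from the log
    bad = naive_minus_months(now, 1)
    try:
        now - bad  # datetime - bool, the operation that fails in the traceback
        error = None
    except TypeError as exc:
        error = str(exc)
    return bad, error, parse_relative("-1mon", now), parse_relative("-31d", now)

if __name__ == "__main__":
    print(demo())
```

Raising on a parse failure keeps the first error ("Cannot parse relative time string") as the one that surfaces, instead of a later TypeError in the caller.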