Do not receive any events from windows samples but others work and cannot find any error logs or debug messages indicating an issue

[n0mer1]

Describe the bug

System Description:

• Splunk version 9.0.0 in a docker container based on ubuntu all fresh started without anything.
• Splunk SA-Eventgen version 8.0.1 from Splunkbase installed.

Then I created a custom TA to extract some extra stuff for Windows and there I have configured the properties and put samples for eventgen:

In the samples folder in the file I have a file named winevtx_authentication.csv that I generated with the following query on another instance:

index="os_win_sec" tag="authentication"
| reverse
| table index, host, source, sourcetype, _raw, _time

In the local folder I have the following files:

• The eventgen.conf file with the content:

  [winevtx_authentication.csv]
  disabled = false
  interval=60
  outputMode = modinput
  sampletype = csv
  index = os_win_sec

• The indexes.conf to ensure the index is created to send data to:

  [os_win_sec]
  coldPath = $SPLUNK_DB/os_win_sec/colddb
  homePath = $SPLUNK_DB/os_win_sec/db
  thawedPath = $SPLUNK_DB/os_win_sec/thaweddb
  frozenTimePeriodInSecs = 2592000

• An inputs.conf file where I then define the modinput:

  [modinput_eventgen://winevtx_authentication.csv]
  disabled = 0

If I then copy everything with docker cp to the instance, set the ownership of the files to splunk and adjust all mods as it is expected in splunk, I restart the instance first. Then I check if the data inputs are there and activated and check the new eventgen dashboard. This says immediately that data is sent.

time="2022-08-11T07:00:02Z" level=info msg="Generating sample: winevtx_authentication.csv"

So I search in the given index, which was created correctly, but I don't find anything. I look at the _internal logs and find nothing that could indicate an error.

Also the metrics of eventgen say that data is sent.

time="2022-08-11T07:00:24Z" level=info msg="Volume metric sent" group=outputter metric_type=volume_sent sub_group=metric volume_bytes=4096

I then restarted the container and the host instance and tried everything again and again. The strange thing is also that exactly the same works for e.g. azure logs without any problems. I also checked the sample file and everything is valid and correct.

Now I'm pretty desperate and maybe someone here has a clue to at least find an error message or something.

Expected behavior

Data also arrives in the index if the metrics and the eventlog of eventgen say so.

Actual behavior

No data arrives nor do I see any error message

Screenshots If applicable, add screenshots to help explain your problem.

Sample files and eventgen.conf file

see above

Do you run eventgen with SA-eventgen?

Yes

If you are using SA-Eventgen with Splunk (please complete the following information):

• OS: Ubuntu
• Browser: Chrome
• Eventgen Version: 8.0.1
• Splunk Version: 9.0.0
• What other apps you have installed in Splunk etc/apps? Yes, my custome Windows TA without anythin else then described above

If you are using eventgen with pip module mode (please complete the following information):

Additional context