Splunk training has awesome 'fake' data to make it look like you are drilling down into a real network's pile of logs.
In the past I heard it was a program called EventGen that the Splunk team used, but an in-house version.
Now there has been a shift and the Splunk dev website lists SimData.
https://dev.splunk.com/enterprise/docs/dataapps/simdata
One needs to install the Java Runtime Environment (JRE)
And the SimData Jar file: They link to this:
https://dev.splunk.com/enterprise/downloads
Scroll down to the bottom to find the SimData Jar download.
The command to run SimData is `java -jar simdata-<version>.jar -s <simulation_file> -c <scene_file>`
https://dev.splunk.com/enterprise/docs/dataapps/simdata/runsimdatasimulation
So... we need a simulation file and a scene file. We also need to set up HEC (the HTTP Event Collector) to get the data ingested into Splunk.
Simulation File (.simulation file extension) uses a Domain Specific Language (yeah right? like intro CS brah)
https://dev.splunk.com/enterprise/docs/dataapps/simdata/simdatareference/simdatasimfileref/
And scene file (json format)
https://dev.splunk.com/enterprise/docs/dataapps/simdata/simdatareference/simdatascenefileref/
I... Have... No... Idea... where to start. But thankfully, there is an example file:
Example simulation and scene files here:
https://dev.splunk.com/enterprise/examples
DON'T FORGET to set up HEC:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/UsetheHTTPEventCollector
From the Splunk SimData Examples README.md file:
# Splunk SimData Examples
This project is a collection of SimData example scenes and simulation files.
Each example has its own corresponding README file.
SimData is a tool that generates event data from a simulation of a user-defined scenario. Instead of using a sample set of data that is repetitive and unrealistic, SimData allows you to generate a rich and robust set of events from real-world situations by mimicking how multiple systems work together and affect the performance of your system.
## Get started
For details about installing, configuring, and running SimData, see the [Splunk Developer Portal](https://dev.splunk.com/enterprise/docs/dataapps/simdata/).
### Requirements
* Java 8+
* Download the SimData JAR file: https://dev.splunk.com/enterprise/downloads
### Example usage
This example shows how to execute the SimData CLI:
```sh
java -jar <SimData JAR file> --simulation <path to simulation file> --scene <path to scene file>
```
## Contact
If you have questions, reach out to us on [Slack](https://splunkdevplatform.slack.com) in the **#simdata** channel or email us at _devinfo@splunk.com_.
At first you read, "this project is a collection of SimData example scenes and simulation files" and you think, "awesome! Maybe there are Windows event log examples, RHEL, Cisco!"
Nope. There is one example set thus far. "hello".
Hello's README.md
# Hello SimData example
To run this example, run:
```sh
java -jar <SimData JAR file> --simulation hello.simulation --scene hello.json
```
### Expected output
```sh
Starting simulation
"eventType"="Greeting" "text"="Hello, World!"
"eventType"="Greeting" "text"="Hello, World!"
"eventType"="Greeting" "text"="Hello, World!"
"eventType"="Greeting" "text"="Hello, World!"
"eventType"="Greeting" "text"="Hello, World!"
```
That's no fun. But it looks like on this page we can start to edit the files to make a web server example:
https://dev.splunk.com/enterprise/docs/dataapps/simdata/examplesimulation
## quick note, don't follow the README's example of running simdata, follow this:
```sh
java -jar simdata-<version>.jar -s <simulation_file> -c <scene_file>
```
## another quick note, the output for options:
```sh
Usage: simdata [options]
  Options:
    --enable-debug, --debug
      Enables debug logging.
      Default: false
    -h, --help
      Show help information
    --no-rest, --no-web
      Disable the rest endpoints and web server.
      Default: false
    -p, --port
      The port to use for the REST endpoints and web server
      Default: 11013
  * -c, --scene
      The scene file
  * -s, --simulation
      The simulation file
    --start-time
      The absolute (ex: '2017-12-25 00:00:00') or relative (ex: '-1d', '-2h',
      '-3m') start time to backfill data from. Overrides the value set in the
      scene file.
    --validate
      Only validate the simulation and scene files, do not run the simulation.
      Default: false
```
The example link gets right to business: how to point this at our Splunk instance, input some stuff and get going.
``` break till next time ```
This is of some interest for a noob like me:
Use the simulation control UI
SimData provides a web-based user interface for you to update the value of variables at runtime at http://localhost:11013 or the port you specify using the SimData CLI. You can disable this web server by passing the `--no-web` flag. For more, see the SimData CLI reference.
This UI exposes controls for bots of entity types with runtime variable controls. Each entity type has a set of controls to modify the state of all bots of that type. Additionally, each bot has its own set of controls to modify the state of only that bot. The simulation control UI refreshes the state of bots every second.
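A preflight wrapper for the run command above, added here as an example (it is not from the SimData docs or the README): it checks the input files, runs `--validate` first, and only then starts the simulation with `--no-web` so the control UI and REST endpoints are not started. The `JAVA` variable and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: preflight wrapper for the SimData CLI, using only the flags
# shown in the help output on this page. JAVA, the function names and the
# paths passed in are assumptions made for this example.

JAVA="${JAVA:-java}"    # override to point at a specific JRE

# Return non-zero with a message if an input file is missing or unreadable.
require_file() {
    [ -r "$1" ] && return 0
    echo "simdata: missing or unreadable file: $1" >&2
    return 1
}

# simdata_validate JAR SIMULATION SCENE
# Checks both files with --validate; the simulation itself is not run.
simdata_validate() {
    "$JAVA" -jar "$1" -s "$2" -c "$3" --validate
}

# simdata_run JAR SIMULATION SCENE [extra flags, e.g. --start-time -2h]
# Return codes: 2 = bad arguments or paths, 3 = validation failed,
# otherwise the exit status of the java process.
simdata_run() {
    [ "$#" -ge 3 ] || { echo "usage: simdata_run JAR SIM SCENE [flags]" >&2; return 2; }
    sd_jar=$1; sd_sim=$2; sd_scene=$3
    shift 3
    require_file "$sd_jar" || return 2
    require_file "$sd_sim" || return 2
    require_file "$sd_scene" || return 2
    if ! simdata_validate "$sd_jar" "$sd_sim" "$sd_scene"; then
        echo "simdata: validation failed, not starting simulation" >&2
        return 3
    fi
    # --no-web disables the REST endpoints and web server (default port 11013);
    # drop it only when you actually need the control UI.
    "$JAVA" -jar "$sd_jar" -s "$sd_sim" -c "$sd_scene" --no-web "$@"
}

# Usage: simdata_run simdata-<version>.jar hello.simulation hello.json
```

Source the file and call `simdata_run`; extra flags such as `--start-time -2h` are passed through after the three required arguments.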