uberAgent

Demoing uberAgent With the Event Generator for Splunk

Demonstrating uberAgent can be a bit difficult if you do not have a few dozen machines with live users available. To simplify demos, we offer an event generator that simulates an active environment with various hosts and users.

Architecture

Starting with uberAgent version 6, the Splunk event generator dependency was removed and uberAgent event generator is a single Splunk app. When Splunk is started, a .NET program generates sample data. By default sample data for two hours is generated. If you want to generate additional sample data, you can either restart the Splunk service after 2 hours, or modify the uAEventGen.conf.json file (see section "Advanced configuration").

The Splunk app can be used on Windows, Linux, and on macOS-based Splunk installations. Single server setups and distributed deployments are fully supported. The standard installation sends the data to a local Splunk instance using the TCP port 19500.

Installation

.NET 7

As of uberAgent version 7.1, .NET 7.0 is a prerequisite that must be installed on the same server where Splunk is installed. In the case of a distributed environment, .NET 7 must be installed on the same Splunk indexers where you want to install the uberAgent event generator Splunk app.

You can download .NET 7.0 here.

uberAgent Event Generator

Install the uberAgent event generator on one of the indexers. If you have a single Splunk server, install the event generator on that server.

  • Download the uberAgent event generator (find out what’s new in the changelog)
  • On the Splunk server navigate to Manage apps
  • Click Install app from file
  • Select the archive you downloaded earlier and click Upload
  • Restart Splunk

That’s it. The event generator starts generating events right after Splunk has been restarted. It will continue to do so for approx. 2 hours and then stop on its own. Just what you need for a demo. To re-enable restart Splunk again.

Configuration

Enabling or Disabling the Event Generator

To enable or disable the uberAgent event generator:

  1. On the Splunk server where the uberAgent event generator app is installed navigate to Manage apps
  2. Locate the uberAgent event generator app and click on enable or disable
  3. Restart Splunk

Advanced Configuration

The default configuration should work for a single instance Splunk environment. If you have a distributed Splunk environment or you want to generate different generated sample data, you can modify the configuration file uAEventGen.conf.json which is located %Splunkhome%/etc/apps/uberAgent_eventgenerator/bin/uAEventGenBinaries/your platform. On a Linux system, for example, this would be: /opt/splunk/etc/apps/uberAgent_eventgenerator/bin/uAEventGenBinaries/Linux The file contains full documentation of all possible configuration options.

Running Event Generator on macOS ARM

The Eventgen binaries are currently not signed with any certificate. MacOS on an ARM CPU requires a valid certificate otherwise the executable is terminated/killed directly after process startup. In order to start the event generator on a macOS run the following command:

codesign -s "-" /opt/splunk/etc/apps/uberAgent_eventgenerator/bin/uAEventGenBinaries/macOS/uAEventGen

The command adds an ad-hoc certificate to the executed binary.

Demoing uberAgent With the Event Generator for Splunk