TA-Eventgen-Learning is a lightweight training app for Splunk that provides realistic synthetic data sources - perfect for hands-on SPL practice, detection engineering, lab environments, and workshops.
Built on top of SA-Eventgen, it allows you to easily replay event streams and practice searches, dashboards, and detections.
🆕 Latest update: see Changelog
- 📊 Eventgen-ready: synthetic event data in various formats (CSV, JSON, XML, etc.)
- 🧩 Some sources are pre-parsed; others require learners to build their own field extractions
- 🧰 Easy-to-extend architecture for adding new data types
- 🪄 Ideal for labs, training sessions, and Splunk workshops
Each data source has its own dedicated documentation:
- Install the Eventgen App
  - Download and install the SA-Eventgen App from Splunkbase.
- Enable the Eventgen modular input
  - Go to: Settings → Data Inputs → SA-Eventgen
  - Click "Enable" on the default modular input stanza.
    (This allows Eventgen to start generating events automatically.)
- Create or update the target index
  - Create a new index named `eventgen_events` in Settings → Indexes
- Deploy TA-Eventgen-Learning
  - Download the TA-Eventgen-Learning app.
  - Install `TA-Eventgen-Learning` through Splunk Web UI: Apps → Manage Apps → Install App from File.
- Restart Splunk
  - Restart your Splunk instance to apply all changes.
- Verify the installation
  - Run the following search to confirm that events are being generated:

    ```
    index=eventgen_events | stats count by sourcetype
    ```
We welcome contributions to improve TA-Eventgen-Learning.
If you have:
- 🧠 Ideas for new data sources
- 🐛 Bug reports
- 🆕 Feature requests
👉 Submit a pull request or open an issue on the GitHub repository.
This project is an aggregation of several other EventGen projects (possibly with modifications).
Logo: Planning icon created by Freepik - Flaticon
Nicolas SAGOT
This project is licensed under the Apache License 2.0. Feel free to use, modify, and distribute it as needed while adhering to the license terms.