topic Re: Splunk for F5 Networks in Splunk Search

Splunk for F5 Networks

bowzom — Fri, 11 Apr 2014 10:10:28 GMT

Hi all,

I've installed Splunk for F5 Networks application to make some tests on it.
I'm using 11.5 TMOS version and there's something wrong on the regex it uses.

I made some changes on it to match informations needed but it still doesn't work, could you confirm me that it's into /opt/splunk/etc/apps/SplunkforF5Networks/default/transforms.conf every transformations are done ?

Here is the newest regex which include old and new format of syslog events :
/]:\s(........:.):\sPool\s(\S+)\smember\s(\S+)\smonitor\sstatus\s(\S+).\s?[?\s?(?:\S+)?:?\s?(?:\S+)?\s?]?\s+?[\swas\s(\S+)\sfor\s(\S+)/

Thanks in advance for your response 😉

Re: Splunk for F5 Networks

dmaislin_splunk — Fri, 11 Apr 2014 11:27:01 GMT

Can you elaborate on the sourcetypes you see within the search part of the F5 app? Looking at the transforms I see that it is doing sourcetype rewriting. Is this app installed on the indexing tier as well, otherwise it is probably not rewriting the sourcetype at index time.

[f5-syslog]
DEST_KEY = MetaData:Sourcetype
REGEX = (01070727:5|01070638:5)
FORMAT = sourcetype::F5:LTM:Syslog

Re: Splunk for F5 Networks

bowzom — Fri, 11 Apr 2014 12:08:28 GMT

Thanks for your response.

My problem is not on f5-syslog event but on f5-syslog-eventcode, which is just below the one you saw.

[f5-syslog-eventcode]

REGEX = /]:\s(........:.):\sPool\s(\S+)\smember\s(\S+)\smonitor\sstatus\s(\S+).\s[\s(?:\S+):\s(?:\S+)\s]\s+[\swas\s(\S+)\sfor\s(\S+)/
FORMAT = event_code::$1 ltm_pool::$2 ltm_member::$3 ltm_monitor_status::$4 ltm_prevstatus::$5 ltm_prevstatus_time::$6