Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to set up monitoring of F5 health checks in Splunk?

molinas
New Member
‎06-06-2017 12:01 PM

Hello,

I'm not too familiar with monitoring the F5 syslogs but I'm hoping someone can help with this.

We have multiple web servers running multiple IIS sites and they are all pooled on an F5. I know that there are health created for each pool to monitor if a particular web server in the pool has an issue.

Can we setup up monitoring of those health checks in Splunk so we can setup alerts if a health check for a specific web server fails instead of having to try to check each server for the issue when our site checks fail?

Thanks

Labels (1)
Labels
0 Karma
Reply

jsremba
New Member
‎05-26-2020 12:09 PM

This is an old post, but an easy one to setup. We have our F5 LTM logs going to Splunk so we can monitor when the F5 marks a member of a pool up or down.

  1. The first thing you need to do is setup a UDP (or TCP, depending on how your network team wants to send F5 logs to your Splunk server) listen port on your Splunk indexer server in inputs.conf Mine looks like this (be sure the index you set has been created) [udp://4321] connection_host = ip sourcetype = ltm_log source = ltm index = f5
  2. Next, have your network admin config the F5 to forward the LTM logs to your Splunk indexer hostname (or IP) and port you configured above
  3. If everything works, you should see F5 logs similar to the following mcpd[5933]: 01070727:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status up. mcpd[5933]: 01070638:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status down. Where Pool_A is the F5 pool name, Server1:80 is the member server name/ip and port, and monitor status shows whether the F5 disabled (down) or enabled (up) the member in the pool based on it's availability.
  4. From here, you can create an alert when the status changes.

Finally, there are some F5 apps on Splunkbase that you can play around with as well.

0 Karma
Reply

kairobin
Path Finder
‎10-25-2018 04:45 AM

health checks are more searches mainly to check up on the Splunk installation itself.
To look for maintenance and service checkup. And to troubleshoot the splunk design.

And a app and search can be used to check IIS logs.

0 Karma
Reply

kairobin
Path Finder
‎10-25-2018 04:43 AM

What is a F5?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...