Did you try that?

I reinstalled the iApp template again, and still not getting any additional data, when I enable SYSLOG events all I receive in the Index are these events. Working w/ F5 now, but as always it seems one vendor is saying its another vendors problem. LOL.....

I've applied the F5 Analytics iApp to all Virtual Servers, but none of this data is getting in. Has anyone set this up recently? Was anyone required to setup iApp Rules inside the Template on F5 to get it to work? I'm really having no luck, and F5 just states the copy-pasta response of "RTFM the F5 Analytics setup PDF" I'm hoping to get them on the phone today but its been slow coming, so any help is much appreciated, thanks!

From my understanding the v3.7.1 is the only one that supports 13.0+ so not sure I can use a older version.

Update: I had to use v3.7.2RC5 which is in the same package as 3.7.1, also had to setup virutal servers for analytics for all my VS's but i'm still missing some data from the panels I don't know if the splunk panels are just broken as they show "Undefined".

The first thing we noticed was that “F5 Dropdown Lookup Generator” never produced any results:

| tstats count, max(_time) as latest from datamodel=dropdown by host,all.tenant,all.facility,all.app,all.devicegroup
| rename all.* AS *
| outputlookup f5_dropdown_lookup.csv

“dropdown” and all of the other datamodels have zero events.

That is a result of not having the sources "bigip.objectmodel.virtual" or "bigip.objectmodel.wideip".

The only source in the f5-default index is “bigip.syslog”, so that accounts for the failing data models.

@lycollicott ,

Were you able to ever figure this out? I also am running 7.1.2 and I am getting SYSLOG data from F5 but no additional data and nothing shows up in the latest v1.0 of this F5 Module.

No. We eventually gave up on it.

Did you set up logging on the F5 using the iapp and http event collector? Ref: https://www.f5.com/pdf/deployment-guides/f5-analytics-dg.pdf

Yea, I have the iApp setup, and the Event Collector, but how do I tell if I've received anything in from the HTTP Event Collector?

Does anyone know of any setup guides fro this F5 app for splunk, I have all the documentation in the WORLD for F5 but nothing for this app...

I have data coming in to the Index, but only from the bigip.syslog Source, no other sources.

I assigned the Analytics Profile to all Virtual Servers, but i'm not seeing any additional data, and F5 support is RTFM lol....

Well, I had this setup using the same document I referenced and it worked for me. Although I do not use the analytics iapp as the 50 or so datamodels it enabled was a big strain on our indexer layer.

Would you check your eventcollector layer logs if you see any errors w.r.t to the token that you use for f5 logs? Did you define any custom index for the logs? Is the token configured to write to all indexes that the iapp sends data to?

So I found I had to use the v3.7.2RC5 version of the F5 Analytics iApp to work in Splunk 7.1.2.

When I didn't use that version of the Analytics tool, I only received syslog events. Now i'm getting data, but i'm noticing some panels on the application portion of the Splunk module are not populating, when i look at the search queries for the panel, they say "UNDEFINED" so not sure why its doing this.

I also had to add the F5 Analytics to every Virtual Server like some one suggested, but the Splunk App still seems broken.