Could you give us a little more information on the searches and data models you tried? Your question has a better chance of being answered the more context you provide.
Thanks for posting!
The first thing we noticed was that “F5 Dropdown Lookup Generator” never produced any results:
| tstats count, max(_time) as latest from datamodel=dropdown by host,all.tenant,all.facility,all.app,all.devicegroup | rename all.* AS * | outputlookup f5_dropdown_lookup.csv
“dropdown” and all of the other datamodels have zero events.
That is a result of not having the sources "bigip.objectmodel.virtual" or "bigip.objectmodel.wideip".
The only source in the f5-default index is “bigip.syslog”, so that accounts for the failing data models.
Were you able to ever figure this out? I also am running 7.1.2 and I am getting SYSLOG data from F5 but no additional data and nothing shows up in the latest v1.0 of this F5 Module.
Yeah, I have the iApp set up, and the Event Collector, but how do I tell if I've received anything in from the HTTP Event Collector?
Does anyone know of any setup guides for this F5 app for Splunk? I have all the documentation in the WORLD for F5 but nothing for this app...
I have data coming in to the Index, but only from the bigip.syslog Source, no other sources.
I assigned the Analytics Profile to all Virtual Servers, but I'm not seeing any additional data, and F5 support is RTFM lol....
Well, I had this set up using the same document I referenced and it worked for me. Although I do not use the analytics iApp, as the 50 or so datamodels it enabled were a big strain on our indexer layer.
Would you check your eventcollector layer logs to see if there are any errors w.r.t. the token that you use for F5 logs? Did you define any custom index for the logs? Is the token configured to write to all indexes that the iApp sends data to?
So I found I had to use the v3.7.2RC5 version of the F5 Analytics iApp to work in Splunk 7.1.2.
When I didn't use that version of the Analytics tool, I only received syslog events. Now I'm getting data, but I'm noticing some panels on the application portion of the Splunk module are not populating. When I look at the search queries for the panel, they say "UNDEFINED", so not sure why it's doing this.
I also had to add the F5 Analytics to every Virtual Server like someone suggested, but the Splunk App still seems broken.