
F5 WAF logs: Why can't I search on "blocked request"?

skyred5
Engager

I have data piped to Splunk from F5; it is configured to generate WAF reports, and these are being sent to Splunk.

When I do a search on "blocked request", I am not able to find any data related to it. However, if I find any data within 5 minutes, I click on Show Source and I am able to find the information I need. In addition, it seems like the search results are shown per line from the WAF report.

I need some advice on how to enhance the search query and find the information that I need, specifically the blocked requests. 


sajidalisajid
New Member

index=f5_index sourcetype=* req_status="blocked" attack_type=* | chart count(req_status) by attack_type

or
index=f5_index sourcetype=* attack_type=* req_status="blocked" | table f5_bigip_server_host, support_id, req_status, attack_type, violations, ip_client


skyred5
Engager

My search query looks similar to this. There are no search results for req_status=blocked. Even req_status=* returns nothing.

I have just done a simple search: index and sourcetype. There are a lot of one-liner results:

Http_class="/common/www.<Url>"

Policy_name="/common/www.<Url>"

I can also see entries where the connections coming into F5 are accepted, with details like the browser and phone models that the connection is coming from.

There is just no data found for anything related to "req_status".


sajidalisajid
New Member

Hi

In that case, review your WAF settings as per the F5 Add-on + Splunk documentation:

Configure F5 Logging Profiles for ASM

docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup

Regards,

Sajid


glc_slash_it
Path Finder

Without having a sample of the events, it is hard to tell what the problem is.

Here are some ideas:

1- Have you tried to expand the time interval?

2- Does this query return any data? If so, check if the values of req_status and attack_type are what you expect. 

index=f5_index sourcetype=* req_status="blocked" attack_type=*

The chart and table commands seem fine, but they will only work if the first part of the query returns results.

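As an added illustration (Python written for this edit, not code from the thread, from Splunk, or from the F5 add-on), the block below models what the two searches posted earlier in the thread compute, plus the "check the values of req_status and attack_type" step from the post above, over constructed events. The field names are the ones used in this thread; the hostnames, support IDs, IPs and violation strings are invented. It also reproduces the symptom from the question, where the WAF report is indexed one line per event: the same records split per line leave no single event carrying both req_status and attack_type, so the compound search returns nothing even though each field exists somewhere in the index.

```python
import re
from collections import Counter

# Constructed sample events (invented values; field names taken from this thread).
# Each event is one WAF request record in key="value" form, the layout the
# queries in the thread assume: one record per Splunk event.
SAMPLE_EVENTS = [
    'f5_bigip_server_host="bigip-1" support_id="1000000001" req_status="blocked" '
    'attack_type="SQL-Injection" violations="Attack signature detected" ip_client="10.0.0.5"',
    'f5_bigip_server_host="bigip-1" support_id="1000000002" req_status="passed" '
    'attack_type="N/A" violations="" ip_client="10.0.0.6"',
    'f5_bigip_server_host="bigip-2" support_id="1000000003" req_status="blocked" '
    'attack_type="Cross Site Scripting (XSS)" violations="Attack signature detected" ip_client="10.0.0.7"',
    'f5_bigip_server_host="bigip-2" support_id="1000000004" req_status="blocked" '
    'attack_type="SQL-Injection" violations="Illegal meta character in value" ip_client="10.0.0.8"',
]

# Simple key="value" extraction, standing in for Splunk's automatic field extraction.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

TABLE_COLUMNS = ("f5_bigip_server_host", "support_id", "req_status",
                 "attack_type", "violations", "ip_client")


def extract_fields(event):
    """Return the key="value" pairs of one event as a dict."""
    return dict(KV_RE.findall(event))


def is_blocked_with_attack_type(fields):
    """The search filter req_status="blocked" attack_type=* : both fields must
    exist on the same event, and attack_type=* needs a non-empty value."""
    return fields.get("req_status") == "blocked" and bool(fields.get("attack_type"))


def blocked_by_attack_type(events):
    """Equivalent of: ... req_status="blocked" attack_type=* | chart count(req_status) by attack_type"""
    counts = Counter()
    for raw in events:
        fields = extract_fields(raw)
        if is_blocked_with_attack_type(fields):
            counts[fields["attack_type"]] += 1
    return dict(counts)


def blocked_table(events):
    """Equivalent of: ... req_status="blocked" | table f5_bigip_server_host, support_id, ..."""
    return [
        tuple(fields.get(col, "") for col in TABLE_COLUMNS)
        for fields in map(extract_fields, events)
        if is_blocked_with_attack_type(fields)
    ]


def split_per_line(events):
    """Reproduce the symptom described in the question: the WAF report was
    indexed one line per event, so each key="value" pair becomes its own event."""
    return [f'{key}="{value}"' for raw in events for key, value in KV_RE.findall(raw)]


def field_coverage(events, names=("req_status", "attack_type")):
    """Diagnostic for the 'check the values of req_status and attack_type' step:
    how many events carry each field, and how many carry all of them together."""
    extracted = [extract_fields(raw) for raw in events]
    report = {name: sum(1 for f in extracted if name in f) for name in names}
    report["all_fields_together"] = sum(1 for f in extracted if all(n in f for n in names))
    report["events"] = len(extracted)
    return report


if __name__ == "__main__":
    print("one record per event:", blocked_by_attack_type(SAMPLE_EVENTS))
    print("coverage:", field_coverage(SAMPLE_EVENTS))
    broken = split_per_line(SAMPLE_EVENTS)
    print("one line per event:  ", blocked_by_attack_type(broken))
    print("coverage:", field_coverage(broken))
```

Run it directly to see both coverage reports side by side. A field_coverage result where the per-field counts are non-zero but all_fields_together is 0 is the signature of one record having been broken across several events; in that situation the thing to check is the event line-breaking of the sourcetype and the logging profile format on the F5 side, as the documentation link above describes, rather than the chart or table part of the SPL.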

glc_slash_it
Path Finder

Hi!

Can you post some events (anonymized) and the SPL you are running?
