I have data piped to Splunk from F5; it is configured to generate WAF reports, and these are being sent to Splunk.
When I do a search on "blocked request" I am not able to find any data related to it. However, if I find any data within 5 minutes, I click on Show Source and I am able to find the information I need. In addition, it seems like the search results are showing one line at a time from the WAF report.
I need some advice on how to enhance the search query to find the information that I need, specifically the blocked requests.
index=f5_index sourcetype=* req_status="blocked" attack_type=* | chart count(req_status) by attack_type
or
index=f5_index sourcetype=* attack_type=* req_status="blocked" | table f5_bigip_server_host, support_id, req_status, attack_type, violations, ip_client
My search query looks similar to this. There are no search results for req_status=blocked. Even req_status=* returns nothing.
I have just done a simple search on index and sourcetype. There are a lot of one-line results:
Http_class="/common/www.<Url>"
Policy_name="/common/www.<Url>"
I can also see entries where connections coming into F5 are accepted, with details like the browser and phone model the connection is coming from.
There is just no data found for anything related to "req_status".
Hi
In that case, review your WAF settings as per the F5 Add-on for Splunk documentation:
docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup
Regards,
Sajid
Without a sample of the events it is hard to tell what the problem is.
Here are some ideas:
1- Have you tried expanding the time range?
2- Does this query return any data? If so, check if the values of req_status and attack_type are what you expect.
index=f5_index sourcetype=* req_status="blocked" attack_type=*
The chart and table commands seem fine, but they will only work if the first part of the query returns results.
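As an added illustration of point 2 above (this is example code written for this page, not code from the thread, from Splunk or from the F5 add-on), the script below does the field extraction that the search depends on and runs the equivalent of the two queries over constructed F5 ASM-style key="value" events. It then simulates the symptom the original poster describes, one line per field instead of one event per request, and shows that once req_status and attack_type no longer sit on the same event, a search that requires both returns nothing, even though the values themselves are present. Hostnames, support IDs and addresses in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample events (not real F5 output). Field names follow the
# thread's queries; the values are invented for this example.
WHOLE_EVENTS = [
    'unit_hostname="bigip1.example.net",policy_name="/Common/www.example.com",'
    'http_class_name="/Common/www.example.com",support_id="1234567890123456789",'
    'ip_client="203.0.113.10",req_status="blocked",attack_type="SQL-Injection",'
    'violations="Attack signature detected"',
    'unit_hostname="bigip1.example.net",policy_name="/Common/www.example.com",'
    'http_class_name="/Common/www.example.com",support_id="1234567890123456790",'
    'ip_client="198.51.100.7",req_status="passed",attack_type="N/A",'
    'violations=""',
    'unit_hostname="bigip1.example.net",policy_name="/Common/www.example.com",'
    'http_class_name="/Common/www.example.com",support_id="1234567890123456791",'
    'ip_client="203.0.113.11",req_status="blocked",attack_type="Cross Site Scripting (XSS)",'
    'violations="Attack signature detected"',
]

# key="value" pairs; a value may contain backslash-escaped quotes
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def extract_fields(event: str) -> dict:
    """Pull every key="value" pair off one event, as a search-time extraction would."""
    return dict(KV_RE.findall(event))


def split_per_pair(event: str) -> list:
    """Simulate the symptom from the thread: the event is broken up so that
    each key="value" pair ends up as its own one-line event."""
    return re.split(r',(?=\w+=")', event)


def fragment_events(events) -> list:
    """Apply split_per_pair to a whole list of events and flatten the result."""
    return [frag for ev in events for frag in split_per_pair(ev)]


def blocked_by_attack_type(events) -> dict:
    """Equivalent of: req_status="blocked" attack_type=* | chart count by attack_type"""
    counts = Counter()
    for ev in events:
        f = extract_fields(ev)
        if f.get("req_status") == "blocked" and "attack_type" in f:
            counts[f["attack_type"]] += 1
    return dict(counts)


def table_blocked(events, columns) -> list:
    """Equivalent of: req_status="blocked" | table <columns>
    Fields that are not on the matching event come back as None."""
    rows = []
    for ev in events:
        f = extract_fields(ev)
        if f.get("req_status") == "blocked":
            rows.append({c: f.get(c) for c in columns})
    return rows


if __name__ == "__main__":
    print("whole events :", blocked_by_attack_type(WHOLE_EVENTS))
    frags = fragment_events(WHOLE_EVENTS)
    print("one pair/line:", blocked_by_attack_type(frags))
    cols = ["support_id", "req_status", "attack_type", "violations", "ip_client"]
    for row in table_blocked(WHOLE_EVENTS, cols):
        print(row)
```

With whole events the chart gives one hit per attack type; with the fragmented input it is empty, and the table shows only None for every column except req_status. That is the check point 2 asks for: if `index=f5_index sourcetype=* req_status="blocked" attack_type=*` returns nothing, look at what a single raw event actually contains before tuning chart or table.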
Hi!
Can you post some events (anonymized) and the SPL you are running?