
F5 iControl data collection issues [resolved]

sbarr0
Explorer

A couple of things for people installing/configuring this app:

These are over & above the instructions that come with the app:

a) Ensure your $SPLUNK_HOME/etc/apps/xxx_all_indexes/local/indexes.conf has been deployed to the HF. The configuration screen for the Tasks will only allow you to select from a drop-down of locally configured indexes. (Or manually update $SPLUNK_HOME/etc/SYSTEM/local/indexes.conf)

b) Ensure the user on the F5 has Admin & terminal permissions

c) After you create the Server & create the Task to collect the data directly from the F5s, ensure you edit the Task and re-direct it to an index other than 'main'

d) BUG & Workaround: Observed with Splunk 6.2.6 - TA was deployed to an HF and once properly collecting data into '<your index here>' you can't search for results within a date/time range, you must search using 'All time'. To correct this, on your HF (or wherever you are collecting the data), update/create the following file:

Update file: $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/props.conf

[f5_bigip:icontrol]
DATETIME_CONFIG = current

[f5:bigip:icontrol]
DATETIME_CONFIG = current

Note: I did add the same option to all the other sourcetype stanzas as well, such as: [f5:bigip:gtm:dns:request:irule], [f5:bigip:system:systeminfo:icontrol], etc. I didn't test without them, but I don't think you need them. They are all listed in the props.conf in the default directory.

Going forward, all new events ingested will be searchable by time-range.

bkoehler4070
Explorer

This still affects the latest version of the F5 TA, 2.4.0, as well. Also, "current" should be all caps; the config for props should look like:

[f5_bigip:icontrol]
DATETIME_CONFIG = CURRENT

[f5:bigip:icontrol]
DATETIME_CONFIG = CURRENT
0 Karma
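
A small check for the props.conf workaround discussed in the two posts above, as an added example that is not from the thread's participants or the TA itself: for the two stanzas named in the thread, it reports whether DATETIME_CONFIG is present and set to CURRENT in upper case. The function names, status labels and sample text are constructed for illustration.

```python
import re

# Stanza names taken from the thread; extend with other sourcetypes as needed.
STANZAS = ["f5_bigip:icontrol", "f5:bigip:icontrol"]

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (last value wins)."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            current = conf.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conf

def check_datetime_config(text, stanzas=STANZAS):
    """Return {stanza: 'ok' | 'wrong_case' | 'other:<value>' | 'missing'}."""
    conf = parse_conf(text)
    result = {}
    for name in stanzas:
        value = conf.get(name, {}).get("DATETIME_CONFIG")
        if value is None:
            result[name] = "missing"
        elif value == "CURRENT":
            result[name] = "ok"
        elif value.upper() == "CURRENT":
            result[name] = "wrong_case"
        else:
            result[name] = "other:" + value
    return result

# Constructed sample: one stanza in lower case, one in upper case.
SAMPLE = """\
[f5_bigip:icontrol]
DATETIME_CONFIG = current

[f5:bigip:icontrol]
 DATETIME_CONFIG = CURRENT
"""

if __name__ == "__main__":
    for stanza, status in check_datetime_config(SAMPLE).items():
        print(f"{stanza}: {status}")
```

To check a deployed file, pass the contents of the local props.conf named in the first post to check_datetime_config().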

jcoates_splunk
Splunk Employee

Thank you sbarr0 -- I'm putting an answer on here for filtering purposes, but feel free to answer yourself to get the points 🙂

0 Karma