F5 iControl data collection issues [resolved]

sbarr0
Explorer

A couple of things for people installing/configuring this app:

These are over & above the instructions that come with the app:

a) Ensure your $SPLUNK_HOME/etc/apps/xxx_all_indexes/local/indexes.conf has been deployed to the HF. The configuration screen for the Tasks will only allow you to select from a drop-down of locally configured indexes. (Or manually update $SPLUNK_HOME/etc/SYSTEM/local/indexes.conf)

b) Ensure the user on the F5 has Admin & terminal permissions

c) After you create the Server & create the Task to collect the data directly from the F5s, ensure you edit the Task and re-direct it to an index other than 'main'.

d) BUG & Workaround: Observed with Splunk 6.2.6 - TA was deployed to an HF and, once properly collecting data into '<your index here>', you can't search for results within a date/time range; you must search using 'All time'. To correct this, on your HF (or wherever you are collecting the data), update/create the following file:

Update file: $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/props.conf

[f5_bigip:icontrol]
DATETIME_CONFIG = current

[f5:bigip:icontrol]
DATETIME_CONFIG = current

Note: I did add the same option to all the other sourcetype stanzas as well, such as: [f5:bigip:gtm:dns:request:irule], [f5:bigip:system:systeminfo:icontrol], etc. I didn't test without them, but I don't think you need them. They are all listed in the props.conf in the default directory.

Going forward, all new events ingested will be searchable by time-range.

bkoehler4070
Explorer

This still affects the latest version of the F5 TA, 2.4.0, as well. Also, "current" should be all caps; the config for props should look like:

[f5_bigip:icontrol]
DATETIME_CONFIG = CURRENT

[f5:bigip:icontrol]
DATETIME_CONFIG = CURRENT
0 Karma
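
Added example (not part of the original posts and not code from the TA): a Python check that lists every f5 sourcetype stanza in default/props.conf and reports whether local/props.conf sets DATETIME_CONFIG for it, flagging values not written as the all-caps CURRENT. The file contents, the KV_MODE lines and the function names are constructed for illustration; in practice you would read the two props.conf files from the Splunk_TA_f5-bigip app directory.

```python
import re

# Constructed sample contents (not copied from the real TA): default/props.conf
# lists the sourcetype stanzas, local/props.conf carries the workaround.
DEFAULT_PROPS = """\
[f5:bigip:icontrol]
KV_MODE = json
[f5:bigip:gtm:dns:request:irule]
KV_MODE = none
[f5:bigip:system:systeminfo:icontrol]
KV_MODE = json
"""
LOCAL_PROPS = """\
# workaround from this thread
[f5:bigip:icontrol]
DATETIME_CONFIG = CURRENT
[f5:bigip:gtm:dns:request:irule]
DATETIME_CONFIG = current
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, skipping comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_datetime_config(default_text, local_text, prefix="f5"):
    """Return {stanza: status} for each default stanza whose name starts with prefix."""
    local = parse_conf(local_text)
    report = {}
    for stanza in parse_conf(default_text):
        if stanza.startswith(prefix):
            value = local.get(stanza, {}).get("DATETIME_CONFIG")
            if value is None:
                report[stanza] = "missing"
            else:
                report[stanza] = "ok" if value == "CURRENT" else "check value: " + value
    return report

if __name__ == "__main__":
    for stanza, status in audit_datetime_config(DEFAULT_PROPS, LOCAL_PROPS).items():
        print(f"{stanza:45} {status}")
```

With DATETIME_CONFIG = CURRENT, Splunk stamps each event with the time it is indexed rather than a time parsed from the event, so a "missing" stanza here is one whose events still go through timestamp extraction.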

jcoates_splunk
Splunk Employee

Thank you, sbarr0 -- I'm putting an answer on here for filtering purposes, but feel free to answer yourself to get the points 🙂

0 Karma