F5 iControl data collection issues [resolved]

sbarr0
Explorer

A couple of things for people installing/configuring this app:

These are over & above the instructions that come with the app:

a) Ensure your $SPLUNK_HOME/etc/apps/xxx_all_indexes/local/indexes.conf has been deployed to the HF. The configuration screen for the Tasks will only allow you to select from a drop-down of locally configured indexes. (Or manually update $SPLUNK_HOME/etc/SYSTEM/local/indexes.conf)

b) Ensure the user on the F5 has Admin & terminal permissions

c) After you create the Server & create the Task to collect the data directly from the F5s, ensure you edit the Task and re-direct it to an index other than 'main'

d) BUG & Workaround: Observed with Splunk 6.2.6 - TA was deployed to an HF and, once properly collecting data into '<your index here>', you can't search for results within a date/time range; you must search using 'All time'. To correct this, on your HF (or wherever you are collecting the data), update/create the following file:

Update file: $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/props.conf

[f5_bigip:icontrol]
DATETIME_CONFIG = current

[f5:bigip:icontrol]
DATETIME_CONFIG = current

Note: I did add the same option to all the other sourcetype stanzas as well, such as: [f5:bigip:gtm:dns:request:irule], [f5:bigip:system:systeminfo:icontrol], etc. I didn't test without them but I don't think you need them. They are all listed in the props.conf in the default directory.

Going forward, all new events ingested will be searchable by time-range.

bkoehler4070
Explorer

This still affects the latest version of the F5 TA, 2.4.0, as well. Also, "current" should be all caps; the config for props should look like:

[f5_bigip:icontrol]
DATETIME_CONFIG = CURRENT

[f5:bigip:icontrol]
DATETIME_CONFIG = CURRENT
0 Karma
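
An added example (not from the thread or the TA itself): a small Python check that compares the stanzas in the TA's default props.conf with the local override file and lists the F5 sourcetypes that still lack DATETIME_CONFIG = CURRENT, treating a lowercase value as a finding per the reply above. The inline file contents are constructed samples and the function names are this example's own; only the stanza names come from the thread.

```python
import re

STANZA = re.compile(r"^\[([^\]]+)\]$")

# Constructed stand-in for the TA's default/props.conf: stanza names are from
# the thread, the settings under them are placeholders.
DEFAULT_PROPS = """\
[f5:bigip:icontrol]
KV_MODE = json
[f5_bigip:icontrol]
KV_MODE = json
[f5:bigip:gtm:dns:request:irule]
[f5:bigip:system:systeminfo:icontrol]
"""
# Constructed local/props.conf: one lowercase value, one uppercase.
LOCAL_PROPS = """\
[f5_bigip:icontrol]
DATETIME_CONFIG = current
[f5:bigip:icontrol]
DATETIME_CONFIG = CURRENT
"""

def datetime_config(text):
    """Return {stanza: DATETIME_CONFIG value or None} for a props.conf body."""
    found, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = STANZA.match(line)
        if m:
            current = m.group(1)
            found.setdefault(current, None)
        elif current and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "DATETIME_CONFIG":
                found[current] = value.strip()
    return found

def missing_overrides(default_text, local_text, prefixes=("f5:bigip", "f5_bigip")):
    """Map each F5 stanza in default to the problem with its local override."""
    local = datetime_config(local_text)
    report = {}
    for stanza in sorted(s for s in datetime_config(default_text) if s.startswith(prefixes)):
        value = local.get(stanza)
        if value != "CURRENT":  # uppercase only, as the reply above specifies
            report[stanza] = "missing" if value is None else f"found {value!r}"
    return report

if __name__ == "__main__":
    for stanza, problem in missing_overrides(DEFAULT_PROPS, LOCAL_PROPS).items():
        print(f"{stanza}: {problem}; add DATETIME_CONFIG = CURRENT")
```

DATETIME_CONFIG = CURRENT stamps each event with the time it is indexed rather than a time parsed from the event, so _time for these sourcetypes reflects collection time.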

jcoates_splunk
Splunk Employee

Thank you sbarr0 -- I'm putting an answer on here for filtering purposes, but feel free to answer yourself to get the points 🙂

0 Karma