F5 iControl data collection issues [resolved]

sbarr0
Explorer

A couple of things for people installing/configuring this app:

These are over & above the instructions that come with the app:

a) Ensure your $SPLUNK_HOME/etc/apps/xxx_all_indexes/local/indexes.conf has been deployed to the HF. The configuration screen for the Tasks will only allow you to select from a drop-down of locally configured indexes. (Or manually update $SPLUNK_HOME/etc/SYSTEM/local/indexes.conf)

b) Ensure the user on the F5 has Admin & terminal permissions

c) After you create the Server & create the Task to collect the data directly from the F5s, ensure you edit the Task and redirect it to an index other than 'main'.

d) BUG & Workaround: Observed with Splunk 6.2.6 - the TA was deployed to an HF, and once it is properly collecting data into '<your index here>' you can't search for results within a date/time range; you must search using 'All time'. To correct this, on your HF (or wherever you are collecting the data), update/create the following file:

Update file: $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/props.conf

[f5_bigip:icontrol]
DATETIME_CONFIG = current

[f5:bigip:icontrol]
DATETIME_CONFIG = current

Note: I did add the same option to all the other sourcetype stanzas as well, such as [f5:bigip:gtm:dns:request:irule], [f5:bigip:system:systeminfo:icontrol], etc. I didn't test without them, but I don't think you need them. They are all listed in the props.conf in the default directory.

Going forward, all new events ingested will be searchable by time-range.

bkoehler4070
Explorer

This still affects the latest version of the F5 TA, 2.4.0, as well. Also, "current" should be all caps; the config for props should look like:

[f5_bigip:icontrol]
DATETIME_CONFIG = CURRENT

[f5:bigip:icontrol]
DATETIME_CONFIG = CURRENT
0 Karma
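
An added example, not from either poster or from the TA itself: a small audit that lists which F5 sourcetype stanzas in the default props.conf have no `DATETIME_CONFIG = CURRENT` override in local, written in capitals as the second post gives it. Because this setting stamps events with the time they are indexed rather than a time parsed from the event, it is worth knowing exactly which sourcetypes carry it. The sample file contents, the function names and the `f5:bigip` / `f5_bigip` prefix filter are assumptions made for the illustration.

```python
import re

STANZA = re.compile(r"^\[(.+)\]$")

def parse_props(text):
    """Parse props.conf-style text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        key, sep, val = line.partition("=")
        if sep and current is not None:
            current[key.strip()] = val.strip()
    return stanzas

def missing_overrides(default_text, local_text, prefixes=("f5:bigip", "f5_bigip")):
    """F5 stanzas from default that lack DATETIME_CONFIG = CURRENT in local."""
    local = parse_props(local_text)
    return [name for name in parse_props(default_text)
            if name.startswith(prefixes)
            and local.get(name, {}).get("DATETIME_CONFIG") != "CURRENT"]

def render(names):
    """Stanza text to review and merge into local/props.conf by hand."""
    return "\n".join(f"[{n}]\nDATETIME_CONFIG = CURRENT\n" for n in names)

# Constructed sample contents (not the TA's real default/props.conf).
DEFAULT_SAMPLE = """
[f5:bigip:icontrol]
SHOULD_LINEMERGE = false
[f5:bigip:gtm:dns:request:irule]
SHOULD_LINEMERGE = false
[f5:bigip:system:systeminfo:icontrol]
[syslog]
"""
LOCAL_SAMPLE = """
[f5:bigip:icontrol]
DATETIME_CONFIG = CURRENT
[f5:bigip:gtm:dns:request:irule]
DATETIME_CONFIG = current
"""

if __name__ == "__main__":
    print(render(missing_overrides(DEFAULT_SAMPLE, LOCAL_SAMPLE)))
```

To run it against a real deployment, read the two props.conf files under the app's default and local directories and pass their contents in place of the samples.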

jcoates_splunk
Splunk Employee

Thank you, sbarr0 -- I'm putting an answer on here for filtering purposes, but feel free to answer yourself to get the points 🙂

0 Karma