All Apps and Add-ons

Splitting data into different sourcetypes

marka3721
Loves-to-Learn

Created the inputs in the local folder of the app to use UDP on the heavy forwarder, set the sourcetype to f5:bigip:syslog, but the app is not splitting the data into multiple sourcetypes like it says it is supposed to. Can someone let me know what can be done to get this to work?

0 Karma

gcusello
SplunkTrust

Hi @marka3721 ,

Are you receiving the F5 logs directly, or is there an intermediate log collector?

If there's an intermediate log collector, it probably modifies the log format: search the app's props.conf and transforms.conf for the regexes that apply the sourcetype override and check whether your logs match these regexes.

If not, open a case with Splunk Support, because this app is Splunk-supported.

Ciao.

Giuseppe

0 Karma

marka3721
Loves-to-Learn

They are coming into the HF through syslog UDP port.

0 Karma

PickleRick
SplunkTrust

1. And you have the add-on installed on the HF?

2. Have you configured your F5 to properly export the data? (AFAIR there's a section in the docs describing the required configuration that needs to be performed on the F5's side.)

0 Karma

gcusello
SplunkTrust

Hi @marka3721 ,

In this case, check the regexes used in the transformations:

Take some log samples and put them in regex101.com; then use this regex and see what it captures as group 1:

^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)

If it captures the correct extension of the sourcetype, it's correct; otherwise, modify it to adapt it to your different log format.

Only one final question: what's the sourcetype of your logs?

It should be fortigate_log or fgt_log; otherwise the transformations aren't taken into consideration.

Ciao.

Giuseppe

0 Karma

marka3721
Loves-to-Learn

We have it set to f5:bigip:syslog

0 Karma

gcusello
SplunkTrust

Hi @marka3721 ,

You are right! Sorry, I confused F5 with Fortinet!
Anyway, take the transformations you find in the add-on's transforms.conf and try them out.

The transformations to search for and verify in transforms.conf are: f5_bigip-icontrol-locallb, f5_bigip-icontrol-globallb, f5_bigip-icontrol-networking, f5_bigip-icontrol-management, f5_bigip-icontrol-system-systeminfo, f5_bigip-icontrol-system-statistics, f5_bigip-icontrol-system-disk, f5_bigip-icontrol-management-device, f5_bigip-icontrol-networking-interfaces, f5_bigip-icontrol-networking-adminip, f5_bigip-icontrol-locallb-pool, f5_bigip-icontrol-management-usermanagement.

Check whether those regexes match your data or whether you need to modify them to adapt them to your logs.

If you have to modify them, remember to copy the transforms.conf file into the local folder before modifying it.

Ciao.

Giuseppe

0 Karma
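The advice in the two answers above boils down to one check: take sample log lines, run the add-on's transforms.conf regexes over them, and see which sourcetype each line would end up with. The following script is an added example, not code from the thread or from the F5 add-on; it reads transforms.conf-style stanzas and applies a `MetaData:Sourcetype` override the way Splunk does (`REGEX` searched against the event, `$1` substituted into `FORMAT`, a later matching stanza overwriting an earlier one). The first stanza uses the FortiGate regex quoted above; the second stanza, its regex, the `f5:bigip:$1:syslog` naming, and all sample lines are constructed for this example and are not the real add-on's transforms, so to test your own setup paste the stanzas from the add-on's transforms.conf into `TRANSFORMS_CONF` and your own events into `SAMPLE_LINES`.

```python
import configparser
import re

# Constructed transforms.conf-style content (assumption: stanzas copied from an
# add-on's transforms.conf would be pasted here in the same shape). The first
# REGEX is the FortiGate one quoted in this thread; the second is a made-up F5
# stanza used only to illustrate the check, not the add-on's real regex.
TRANSFORMS_CONF = r"""
[fgt_type_override]
REGEX = ^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)
FORMAT = sourcetype::fgt_$1
DEST_KEY = MetaData:Sourcetype

[f5_example_override]
REGEX = ^<\d+>.*?\b(tmm|mcpd|httpd)\[\d+\]:
FORMAT = sourcetype::f5:bigip:$1:syslog
DEST_KEY = MetaData:Sourcetype
"""

# Constructed sample events: one FortiGate-style line, one F5-style syslog line,
# and one line that no stanza should match.
SAMPLE_LINES = [
    'date=2024-01-01 time=12:00:00 devname="fw1" devid="FGT60F0000000001" '
    'logid="0000000013" type="traffic" subtype="forward"',
    '<134>Jan  1 12:00:00 bigip1 tmm[12345]: 01010028:3: No members available '
    'for pool /Common/web_pool',
    '<134>Jan  1 12:00:00 bigip1 sshd[999]: Accepted publickey for admin',
]


def load_transforms(conf_text):
    """Parse stanzas that rewrite MetaData:Sourcetype; keep them in file order."""
    # Splunk .conf files only use '=' as key/value separator, so disable ':'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    transforms = []
    for name in cp.sections():
        sec = cp[name]
        if sec.get("DEST_KEY", "").strip() != "MetaData:Sourcetype":
            continue  # not a sourcetype override; ignore for this check
        transforms.append({
            "name": name,
            "regex": re.compile(sec["REGEX"]),
            "format": sec["FORMAT"].strip(),
        })
    return transforms


def resolve_sourcetype(line, transforms, default_sourcetype):
    """Return (stanza_name, sourcetype) for one event.

    Every stanza is searched against the event in order; when several match,
    the last one wins, because each match overwrites the same DEST_KEY.
    """
    winner, sourcetype = None, default_sourcetype
    for t in transforms:
        m = t["regex"].search(line)
        if not m:
            continue
        # Substitute $1, $2, ... from the capture groups into FORMAT.
        value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", t["format"])
        if value.startswith("sourcetype::"):
            winner, sourcetype = t["name"], value[len("sourcetype::"):]
    return winner, sourcetype


def classify(lines, transforms, default_sourcetype="f5:bigip:syslog"):
    """Map each sample line to the stanza that fired and the resulting sourcetype."""
    return [(line,) + resolve_sourcetype(line, transforms, default_sourcetype)
            for line in lines]


if __name__ == "__main__":
    for line, stanza, st in classify(SAMPLE_LINES, load_transforms(TRANSFORMS_CONF)):
        print(f"{stanza or '(no match)':>22} -> {st:<22} | {line[:60]}")
```

A line that stays on the input's default sourcetype (here `f5:bigip:syslog`) is exactly the symptom described in the question: none of the override regexes matched it, so the add-on's split never happened. That is the line to compare against the stanza's REGEX, either here or on regex101.com, before touching a copy of transforms.conf in the local folder.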