Unable to configure iRules in F5 as per the steps given in the Splunk docs:
http://docs.splunk.com/Documentation/AddOns/latest/F5BIGIP/Setup#Configure_iRules_for_GTM
Error Message:
01070151:3: Rule [/Common/Splunk_DNS_REQUEST] error: /Common/Splunk_DNS_REQUEST:7: error: [undefined procedure: whereami][whereami]
/Common/Splunk_DNS_REQUEST:9: error: [undefined procedure: whoami][whoami]
/Common/Splunk_DNS_REQUEST:10: error: [undefined procedure: wideip][wideip name]
I know this is an old thread, but wanted to provide some details as I ran into the same issue.
The Splunk docs provides separate iRules for DNS request logging and DNS response logging.
DNS request logging is configured in DNS > GSLB > iRules. They incorrectly state that you can apply this rule to your Listeners. You can only apply a GSLB iRule to wide IPs.
DNS response logging is configured in DNS > Delivery > iRules. I believe some older versions might list them in Local Traffic > iRules. They incorrectly state you can apply the rule to wide IPs. You can only apply a LTM/Delivery iRule to Listeners.
While the logging does work assuming you apply the rules to the correct objects, the problem I had is ensuring that the request logging rule gets applied to all wide IPs. I want to do logging on the Listeners so I can set it and forget it. Rules configured within DNS > Delivery > iRules support both DNS_REQUEST and DNS_RESPONSE events, but they don't support the whereami, whoami, whereis, and wideip name commands. I simply remove the references to those commands and joined both the request and response rules into a single rule and applied it to my Listeners. I copied an example below.
when DNS_REQUEST {
set client_addr [IP::client_addr]
set dns_server_addr [IP::local_addr]
set question_name [DNS::question name]
set question_class [DNS::question class]
set question_type [DNS::question type]
set dns_len [DNS::len]
set hsl [HSL::open -proto UDP -pool Pool-syslog]
HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,question_class=$question_class,question_type=$question_type,dns_len=$dns_len"
}
when DNS_RESPONSE {
set client_addr [IP::client_addr]
set dns_server_addr [IP::local_addr]
set question_name [DNS::question name]
set is_wideip [DNS::is_wideip [DNS::question name]]
set answer [join [DNS::answer] ;]
set hsl [HSL::open -proto UDP -pool Pool-syslog]
HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,is_wideip=$is_wideip,answer=\"$answer\""
}
according to f5 documentation, whereami, whoami, wideip are all available in F5 version 10+
Hi, what version of F5 are you on?
Client is on F5 version 11.5.2 HF1.0.169.
I suggest you file a case with F5 support, they can help you determine why these functions are not available in the F5.