Splunk Add-on for F5 BIG-IP: How to configure iRules for F5 GTM? Getting "[/Common/Splunk_DNS_REQUEST] error...undefined procedure:..."

splunker12er
Motivator

Unable to configure iRules in F5 as per the steps given in the Splunk docs:

http://docs.splunk.com/Documentation/AddOns/latest/F5BIGIP/Setup#Configure_iRules_for_GTM

Error Message:

01070151:3: Rule [/Common/Splunk_DNS_REQUEST] error: /Common/Splunk_DNS_REQUEST:7: error: [undefined procedure: whereami][whereami]
/Common/Splunk_DNS_REQUEST:9: error: [undefined procedure: whoami][whoami]
/Common/Splunk_DNS_REQUEST:10: error: [undefined procedure: wideip][wideip name]
0 Karma

rhombus00
Engager

I know this is an old thread, but wanted to provide some details as I ran into the same issue.

The Splunk docs provide separate iRules for DNS request logging and DNS response logging.

DNS request logging is configured in DNS > GSLB > iRules. They incorrectly state that you can apply this rule to your Listeners. You can only apply a GSLB iRule to wide IPs. 

DNS response logging is configured in DNS > Delivery > iRules. I believe some older versions might list them in Local Traffic > iRules. They incorrectly state you can apply the rule to wide IPs. You can only apply an LTM/Delivery iRule to Listeners.

While the logging does work assuming you apply the rules to the correct objects, the problem I had is ensuring that the request logging rule gets applied to all wide IPs. I want to do logging on the Listeners so I can set it and forget it. Rules configured within DNS > Delivery > iRules support both DNS_REQUEST and DNS_RESPONSE events, but they don't support the whereami, whoami, whereis, and wideip name commands. I simply removed the references to those commands, joined both the request and response rules into a single rule, and applied it to my Listeners. I copied an example below.

when DNS_REQUEST {
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set question_class [DNS::question class]
    set question_type [DNS::question type]
    set dns_len [DNS::len]

    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,question_class=$question_class,question_type=$question_type,dns_len=$dns_len"
}

when DNS_RESPONSE {
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set is_wideip [DNS::is_wideip [DNS::question name]]
    # Quote the separator: a bare ; ends the Tcl command, so join would use its default (a space)
    set answer [join [DNS::answer] ";"]

    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,is_wideip=$is_wideip,answer=\"$answer\""
}


0 Karma
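
Added example, not part of the original post or of the Splunk add-on: a Python parser for the log lines the combined iRule above sends, useful for checking the rule's output on the syslog receiver before it is indexed. The sample lines, addresses, record text and the `;` answer separator are constructed assumptions.

```python
# Constructed sample lines in the shape of the two HSL::send calls above
# (addresses, names and record text are made up for this example).
SAMPLE_REQUEST = (
    "<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=192.0.2.10,"
    "dns_server_ip=198.51.100.53,question_name=www.example.com,"
    "question_class=IN,question_type=A,dns_len=33")
SAMPLE_RESPONSE = (
    "<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=192.0.2.10,"
    "dns_server_ip=198.51.100.53,question_name=www.example.com,is_wideip=1,"
    'answer="www.example.com. 30 IN A 203.0.113.5;'
    'www.example.com. 30 IN A 203.0.113.6"')

# Field names used by the combined rule; anything else is treated as malformed.
KNOWN_KEYS = {"f5_irule", "src_ip", "dns_server_ip", "question_name",
              "question_class", "question_type", "dns_len", "is_wideip"}


def parse_f5_dns_line(line):
    """Parse one line from the rule into a dict; raise ValueError if malformed."""
    if not line.startswith("<") or ">," not in line:
        raise ValueError("missing syslog priority prefix")
    pri_text, body = line[1:].split(">,", 1)
    if not pri_text.isdigit():
        raise ValueError("non-numeric syslog priority")
    pri = int(pri_text)
    # <190> decodes to facility 23 (local7), severity 6 (informational).
    event = {"facility": pri >> 3, "severity": pri & 7}

    # answer is the last field and the only quoted one. Peel it off first so
    # commas inside record data are not mistaken for field separators.
    head, sep, tail = body.partition(',answer="')
    if sep:
        if not tail.endswith('"'):
            raise ValueError("unterminated answer field")
        event["answer"] = [rr for rr in tail[:-1].split(";") if rr]

    for pair in head.split(","):
        key, eq, value = pair.partition("=")
        # A value containing a comma leaves a fragment with no known key;
        # reject the line instead of silently shifting fields.
        if not eq or key not in KNOWN_KEYS:
            raise ValueError("unexpected field: %r" % pair)
        event[key] = value
    return event
```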

jkat54
SplunkTrust

According to F5 documentation, whereami, whoami, wideip are all available in F5 version 10+.

0 Karma

ppohar_splunk
Splunk Employee

We are seeing a similar error.

0 Karma

jcoates_splunk
Splunk Employee

Hi, what version of F5 are you on?

0 Karma

ppohar_splunk
Splunk Employee

Client is on F5 version 11.5.2 HF1.0.169.

0 Karma

jkat54
SplunkTrust

I suggest you file a case with F5 support; they can help you determine why these functions are not available in the F5.

0 Karma