All Apps and Add-ons

Splunk for F5 (Access, Network, Security)

Path Finder

Since F5 has decided to divide up their app to 3 different ones (Access, Network, Security) it's getting hard to set it up. On the F5 side, I'm only seeing the option to forward all logs to a specific port on Splunk. In my case it is on port 10035.

On the Splunk side, here is what I have setup:

1) /opt/splunk/etc/apps/SplunkforF5Access/local/inputs.conf

  • [udp://10035]
  • connection_host = none
  • sourcetype = apm_log

2) /opt/splunk/etc/apps/SplunkforF5Networks/local/inputs.conf

  • [udp://10035]
  • connection_host = none
  • sourcetype = F5:AFM:Syslog

3) /opt/splunk/etc/apps/SplunkforF5Security/local/inputs.conf

  • [udp://10035]
  • connection_host = none
  • sourcetype = asm_log

But now, I'm only getting logs under apm_log of access (doesn't really matter) and nothing else.

So I have a couple of questions:

  1. What are the correct sourcetypes that I need to use? since none of the preloaded dashboard work.
  2. How can I split these apps since I'm only allowed to send traffic through 1 port but need to distinguish between the data?

New Member

You can leave your source type as syslog and it will get transformed in the props.conf


My input is like this;

disabled = false
index = F5
sourcetype = syslog

0 Karma


I am not here yet with the F5 app, but hopefully soon we will be deploying it/them. Based on my experience on other work, consider this for your issues:

  1. Look in the dashboard code, specifically at the searches, to see what you need to set as your sourcetypes.
  2. One way to do that is through transforms. And this may be what the app normally does. So look also in the props.conf and trasnforms.conf file(s) for code that takes in a "global" sourcetype and then uses something unique in each source's log data to identify it as data specific for that part of the app.

Is there a reason you cannot install the app(s) in their "normal mode"? Seems you are setting this up to customize it. True? Is there really value to that for you? Consider the long-term effect, particularly if it is someone else coming in behind you and you're long gone. How are they going to maintain this?

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!