Since F5 has decided to divide up their app to 3 different ones (Access, Network, Security) it's getting hard to set it up. On the F5 side, I'm only seeing the option to forward all logs to a specific port on Splunk. In my case it is on port 10035.
I am not here yet with the F5 app, but hopefully soon we will be deploying it/them. Based on my experience on other work, consider this for your issues:
Look in the dashboard code, specifically at the searches, to see what you need to set as your sourcetypes.
One way to do that is through transforms. And this may be what the app normally does. So look also in the props.conf and trasnforms.conf file(s) for code that takes in a "global" sourcetype and then uses something unique in each source's log data to identify it as data specific for that part of the app.
Is there a reason you cannot install the app(s) in their "normal mode"? Seems you are setting this up to customize it. True? Is there really value to that for you? Consider the long-term effect, particularly if it is someone else coming in behind you and you're long gone. How are they going to maintain this?