All Apps and Add-ons

Splunk for F5 Networks/Access: Non-Default Index = Broken App!

JdeFalconr
Explorer

I've successfully installed the Splunk App for F5 Networks and Splunk App for F5 Access apps into our Splunk 5.0.5 installation. I configured a non-default index for logs to go into named "f5" and configured the input set up for the app to direct data into that new index. That input is configured for source type of "syslog". At this time we only have data coming in from AFM as we haven't completed configuring other modules. I've confirmed logs are appearing in that index and they're of the proper source type ("F5:AFM:Syslog"). However the app refuses to return any results for any of its dashboards regardless of search settings.

I believe the issue is that we're using a different index for the data. When inspecting all of the app's queries I see that they're all prepended with the text "search" which I think is directing Splunk to look in the wrong index. Here's an example of one:

search sourcetype="F5:AFM:Syslog" | stats  count by action src_ip dest_ip dest_port bigip_mgmt_ip hostname src_port _time

If I remove the text "search" from the above query and insert "index=f5" at the beginning the search returns results without issue. Oddly leaving the "search" text while also specifying the index does not produce results.

I've tried the following to correct this:

  • A custom eventtypes.conf with stanzas for each F5 sourcetype and a "search = index=f5" line under each
  • a custom indexes.conf with the line "defaultdatabase=f5"
  • a custom inputs.conf with the line "index = f5"
  • editing savedsearches.conf to add "index=f5" to all the "search" items under each search entry that don't already define an index

Evidence seems to indicate that the problem is that the app is searching the wrong index. How in the world do I go about directing it to search the "f5" index I've created?

0 Karma

Dan
Splunk Employee
Splunk Employee

Your user may not be configured to search index=f5 by default. You can fix this by going to the roles settings and adding F5 to the list of indexes searched by default.

Also, you can ignore the "search" text at the beginning of the query. The inspector is somewhat confusingly giving you the verbose version of the query that is sent to the indexers. search is the SPL command that is implicit when you type something in the UI search bar. You might be interested to know that search is not the only command you can use to generate results, for instance you can try searching for "| dbinspect".,Ignore the "search" that you are seeing in inspector. When you do a search in the UI search bar, that is the SPL command that is being called behind the scenes. The inspector somewhat confusingly is including the full verbose API call being sent to the indexers. (FYI there are other commands you can use to start your query, for instance | metadata).

Anyway, by default your user profile may not be searching index=f5. You can see this in the roles setting. Just add F5 to the list of indexes that are searched by default.

Hope that helps!

0 Karma

mmccullough_mer
Engager

Need a way to configure this to search a specified index as adding default indexes to my search list is not feasible, I need to keep the default indexes to a small set and exclude the index containing network gear like F5s by default.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!