There's a PDF inside the /etc/apps/SplunkforF5Network directory/folder called Configuring BigIP AFM Logging for Splunk.pdf that explains how to properly configure your F5 devices to send the syslogs for the Splunk app to understand it, and then just as @maciep said configure your inputs to label the sourcetype as syslog and the transforms in the props.conf should take care of the rest.

we are specifying sourcetype as "syslog" and we are seeing the same sourcetype in indexed data. We haven't done any change in props/transforms.conf ,not sure what to apply there. Is there any doc/sample config to check on that?

Yes, it doesn't seem like that app is very well documented.

I would suggest you copy/install the app to the heavy forwarder and restart. The app contains the props and transforms, so hopefully the data will start showing up with a different sourcetype. And then hopefully the searches in the app will start to produce results.

If you look in the props.conf, you can see that there is a stanza for the syslog sourcetype. In that stanza, it defines some transforms to apply to the data to change the sourcetype. If you look in transforms.conf, you should see the various stanzas referenced in props, the regex being used and the new sourcetypes being applied.

great thanks. I will check on that and will update the result here.

There is documentation inside the installed ap for F5 for security App. refer to it. We have configured using same document.

You will find the PDF Under $splunk_home$\etc\apps\SplunkforF5Networks

Thanks for the info but I am not sure still how it will serve in our current set up. LB is pushing data to our syslog-ng server and from there UF is reading that data and sending to HF which in turns send to indexer. From the doc look like LB should directly sending the data to indexer?

Any help is appreciated.