Hello,
Currently running F5 13.1.0 and Splunk Enterprise 7.1.2. I'm utilizing the F5 Networks - Analytics (New) v1.0 App, and F5's Analytics Template v3.7.1.
When I enable Local System Logging (syslog) I get a slew of Syslog events from F5, all other events are not showing up. The only error I receive in /var/log/ltm is the following:
Jan 4 04:00:30 f5-n1 notice mcpd[5856]: 0107167d:5: Data publisher not found or not implemented when processing request (unknown request), tag (2901).
Jan 4 04:00:35 f5-n1 err scriptd[13853]: 014f0013:3: Script (/Common/Splunk-send_stats) generated this Tcl error: (script did not successfully complete: (01020036:3: The requested RADIUS Server (/Common/Splunk.app) was not found. while executing "tmsh::get_config auth radius-server /Common/$appname.app/$radius_ihealth" invoked from within "lindex [tmsh::get_config auth radius-server /Common/$appname.app/$radius_ihealth] 0" invoked from within "set obj [lindex [tmsh::get_config auth radius-server /Common/$appname.app/$radius_ihealth] 0]" line:41))
I know this might be an F5 issue, but after going over the Deployment Guide, it's pretty self-explanatory.... I do have syslog events going into my F5 Index (f5-bigip) but the dashboard never shows any results, and my only events are syslog. I would like to be able to get Member Pools, ASM, GTM and LTM information into this tool if it's feasible.
Any help would be much appreciated, thanks!
@pzharyuk: Hey man, did you get this to work? How was it resolved? Kindly share!
@Nadhiyaa
If you run a TCPDUMP from the interface and you disable that syslog, do you also see no traffic generated?
Thanks for posting this, I'm struggling with this as well. I initially set it up in our DEV Splunk and even though the dashboards were not populating I was still getting useful logs like bigip.logs which includes application info, vips, etc... A week ago or so, I deployed the F5 app on our PRD HF and SH and now I only get syslog/snmp data. I tried moving it back to DEV Splunk but it looks like the iApp just stopped parsing and forwarding the data properly. I will try the RC5 like you mentioned and see if it helps. If you have any additional info/updates, please share.
I am facing the same issue. We have created a rule using the F5 iApp. But only the syslog events are ingested.
One thing F5 also suggested is having the F5 Analytics profile applied to your Virtual Servers, that may also be another reason why it's now working - the iApp RC5 is still the fix, just this is an additional thing to do.
@Nadhiyaa
Wanted to give you an update. After working w/ ANM, they had an engineer that worked w/ F5 development. The issue is with the F5 Analytics iApp v3.7.1; you will need to use v3.7.2RC5. When you download the bundle from F5, under the analytics folder there should be a Release Candidate folder, and it has this .tmpl file in there.
When I put this in place, I got a SLEW of data, but I'm finding that the Splunk F5 app dashboard panels are using a search query of "UNDEFINED", so now I'm facing data not collecting in panels due to this.
Hope this helps you, good luck!