Use of F5 Network Analytics app for customers

ashleyherbert
Communicator

Hi all,
My company is building a new private cloud platform, and will be offering F5 virtual servers as a standard offering for each application that onboards to the platform. As part of this, using Splunk we want to give visibility of the F5 devices for the F5 support team, as well as giving visibility to consumers of the platform to their own virtual servers.

We are a large company and will end up with hundreds of apps on this platform. I've been playing with the multi tenancy in the F5 iApp, but I have a few concerns with the way it works:

  1. The number of indexes will become quite large, and I'm a little concerned about the scalability & performance of separating all the data into hundreds of indexes.
  2. For the platform consumers, I think the dashboards might be too much information to display, when mostly all they want to see is the status of their VIPs and pool members.

So my question is, do others offer this app to their consumers, or just use it for dedicated support of the F5s?
If so, do you find it consumable by your average application support team members?

I'm leaning towards making it a single tenant model and filtering by app, then just building some simple dashboards to cover the consumers' use cases. We already provide a standardised Splunk app to consumers of Splunk, so I'd just extend that. We'd then only allow the F5 support team access to this app.

Thanks heaps in advance!

Ash

0 Karma
1 Solution

chitturics
Explorer

We configured all events to go to one index, "f5-default".

I tried using the F5 Splunk app as it is and am not convinced by the way it works/presents. I find the app is very resource intensive and not scalable when we have a large user base.

We are using the data models that came with the F5 app, but changed the app visibility to "No".

We are using 5-minute aggregation data from F5 to Splunk, and it defeats the idea of showing near real time. So I am using F5 interval data in combination with the SNMP traps F5 sends when there is a change in status of a Pool/Pool Member.

I created a few saved searches which run every 1 minute, 10 minutes and daily, based on requirement, and create outputlookup(s). Using these outputlookup files, I created several dashboards to show the health of Pool/PoolMember/VIP and also to correlate with several other events that we already have in Splunk.

Ex:
Events from Real User Monitoring Tool (Agentless).
PoolMember resource alarms (Ex: CPU, Memory, Disk, Network)
RHEV/CloudForms/Puppet events for the PoolMember (Ex: VM Migration, Hypervisor/Host memory pressure, etc.)
PoolMember Syslog Events for known exceptions
PoolMember Application Log Exceptions/events
If the server is in maintenance mode for some scheduled activity
JVM, Database events
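
A sketch of the scheduled-search approach described in the answer above, added here as an example and not taken from the poster's configuration or from the F5 app. Only the index name comes from the post; the stanza name, both sourcetypes, the field names (`app`, `pool`, `pool_member`, `status`) and the lookup file name are hypothetical.

```ini
# savedsearches.conf
# Runs every minute and merges the 5-minute interval samples with SNMP
# status-change traps. latest() picks the newest value by event time, so a
# trap that arrives between two interval samples overrides the older sample.
[f5_pool_member_status_1m]
enableSched = 1
cron_schedule = * * * * *
# Look back far enough to always cover at least two 5-minute interval samples.
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Sourcetypes and field names below are hypothetical placeholders.
search = index=f5-default (sourcetype=f5:interval:pool_member OR sourcetype=f5:snmptrap:pool_member) \
| stats latest(status) AS status latest(_time) AS last_seen latest(sourcetype) AS last_source BY app pool pool_member \
| outputlookup f5_pool_member_status.csv

# A consumer dashboard panel then reads the small lookup instead of
# searching raw events, filtered to the consumer's own application:
#   | inputlookup f5_pool_member_status.csv | search app="<consumer app>"
```

The lookup holds rows for every application, so in a single-index, filter-by-app model the consumer-facing dashboards need to apply the `app` filter themselves, and read access to the lookup should be scoped to match.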

ashleyherbert
Communicator

Thanks heaps for the info chitturics! Really appreciate you taking the time to post this. I'm thinking we'll end up having to do something similar, just getting the default stuff in initially and then will work through what's required for our broad user base.

0 Karma

chitturics
Explorer

[image]

0 Karma

AlanMoen
Explorer

Any chance you could share the code for these dashboards? I'm trying similar things but am a neophyte in Splunk.

0 Karma

chitturics
Explorer

[image]

0 Karma