I have a bit high-level, not too much technical, mostly a "what's your opinion" question for people who use Splunk to collect data from F5.
There are two main Splunk add-ons/apps for F5 these days:
Q1: Which of them do you use in your environment, and why?
Q2: Is it possible to use both of them? Do you have such setup in your environment?
I have installed F5 Networks - Analytics, which comes with F5 iApp template that collects and uploads data to Splunk via
F5 iControl -> Splunk HEC. Now I'm reading about Splunk Add-on for F5 BIG-IP, and it seems that this one collects the data differently. To be honest, I've got lost in its documentation.
Ideally, I would love to use both, because Splunk Add-on for F5 BIG-IP is CIM compliant but F5 Networks - Analytics provides a lot of insight info and does additional analysis. However, as much as I can tell at this moment, I would end up in collecting some of the data twice (?).
Your opinion is much appreciated.
Splunk Add-on for F5 BIG-IP (built and officially supported by Splunk)
Pulls data from F5, you have option to filter and specify what data you are interested in.
You can only ingest the data into Splunk using this App, Visualizations you have to create your own..
Require credentials with apropriate role to query F5 for the data, and password management is bit challenge when more F5s and no integrated authentication.
F5 Networks - Analytics (built and officially supported by F5)
Require no authentication, depends on F5 iApp to push the data to Splunk indexers
Comes with pre-built Data Models & Dashboards
Visualization are very slow and doesn't appear to me scaleable to larger audience
What I ended up doing is using F5 Networks - Analytics (built and officially supported by F5) App for data models (F5 iApp push data to Splunk indexers) and build my own visualization.
Your observations are spot on. The data does overlap, and it would require significant refactoring of both apps to not cause data duplication. I have opened an F5 Enhancement Request for them to take over CIM compliance. I have gone with the Splunk based app because of the CIM model to support Splunk ES. Also, the F5 app requires a very LARGE amount of data ingestion license since everything it produces is based on JSON formatted data.