
Why is the Splunk Add-on for F5 BIG-IP not separating sourcetypes as expected?

Path Finder

Has anyone had issues with the Splunk Add-on for F5 BIG-IP setting/separating the sourcetypes?
According to the documentation, if the sourcetype is set to f5:bigip:syslog, the data should be separated into its specific sourcetypes (f5:bigip:apm:syslog, f5:bigip:asm:syslog, f5:bigip:icontrol, etc.), but all of our sourcetypes are still coming in as f5:bigip:syslog.

Is there anything specific that I need to change in the configuration files so that these sourcetypes are automatically updated?



We're having the same issue with the F5 add-on. The problem is the add-on, because if you don't use the add-on the event breaking works with 8.2 just fine. The sub sourcetype [f5:bigip:apm:syslog] works fine. The root sourcetype [f5:bigip:syslog] isn't parsing correctly for TCP stream or syslog format.

Event 1:
May 17 23:33:58 %masked_host% apmd[13742]: 01490115:5: /Common/ Following rule 'CAC' from item 'Logon Authentication Type Switch' to terminalout 'CAC'

Event 2:
May 17 23:34:01 %masked_host% /Common/ Common:cbd11dc1: iRule access_policy_default CLIENTSSL_CLIENTCERT | DEBUG | Got 2 certs ||

We had our F5 SME provide two different formats that are configurable on the F5 appliance.
Here is the line break by the TA.
[f5:bigip:syslog]
LINE_BREAKER = ([\r\n]+)(.*)(f5_irule|[^"]f5_asm|:\s(?:\d{4})[0-9A-Fa-f]{4}:\d+:\s+(?:[^:\s]{1,100}:[^:\s]{1,100}:\s*)?[0-9a-f]{8}:|( debug | info | warning | err | notice | alert | crit | emerg ))

Fails to parse the above two events.

Fails to line break for all the events.
[f5:bigip:syslog]
LINE_BREAKER = ([\r\n]+)(.*)(f5_irule|[^"]f5_asm|:\s(?:\d{4})[0-9A-Fa-f]{4}:\d+:\s+(?:[^:\s]{1,100}:[^:\s]{1,100}:\s*)?[0-9a-f]{8}:|( debug | info | warning | err | notice | alert | crit | emerg ))

Were you able to make progress? 
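As an added example (not code from the thread or from the add-on), the following Python check applies the LINE_BREAKER quoted above to the two sample events using an approximation of Splunk's break semantics, so you can see that neither event contains a token the pattern requires after the newline. The timestamp-anchored breaker at the end is a constructed diagnostic contrast, not a vetted replacement for the TA's setting.

```python
import re

# LINE_BREAKER as quoted from the TA's props.conf in the post above.
# Splunk breaks at each match and discards the text of capture group 1.
TA_LINE_BREAKER = (
    r'([\r\n]+)(.*)(f5_irule|[^"]f5_asm|:\s(?:\d{4})[0-9A-Fa-f]{4}:\d+:\s+'
    r'(?:[^:\s]{1,100}:[^:\s]{1,100}:\s*)?[0-9a-f]{8}:'
    r'|( debug | info | warning | err | notice | alert | crit | emerg ))'
)

# Constructed contrast: break only where a syslog timestamp header begins.
# A lookahead keeps the timestamp inside the event. Illustration only.
TIMESTAMP_LINE_BREAKER = r'([\r\n]+)(?=[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)'

# The two events from the post, joined as a TCP/syslog stream would deliver them.
EVENT_1 = ("May 17 23:33:58 %masked_host% apmd[13742]: 01490115:5: /Common/ "
           "Following rule 'CAC' from item 'Logon Authentication Type Switch' "
           "to terminalout 'CAC'")
EVENT_2 = ("May 17 23:34:01 %masked_host% /Common/ Common:cbd11dc1: iRule "
           "access_policy_default CLIENTSSL_CLIENTCERT | DEBUG | Got 2 certs ||")
STREAM = "\n" + EVENT_1 + "\n" + EVENT_2 + "\n"


def breaker_matches(event, line_breaker):
    """True if the breaker accepts a newline immediately before this event."""
    return re.search(line_breaker, "\n" + event) is not None


def split_events(stream, line_breaker):
    """Approximate Splunk LINE_BREAKER behaviour: each full-pattern match is an
    event boundary, and only the text of group 1 (the newline run) is dropped."""
    events, start = [], 0
    for m in re.finditer(line_breaker, stream):
        chunk = stream[start:m.start(1)].strip()
        if chunk:
            events.append(chunk)
        start = m.end(1)
    tail = stream[start:].strip()
    if tail:
        events.append(tail)
    return events


if __name__ == "__main__":
    # Note: " DEBUG " in event 2 is uppercase; the severity alternation is case-sensitive.
    for name, ev in (("event 1", EVENT_1), ("event 2", EVENT_2)):
        print(name, "accepted by TA breaker:", breaker_matches(ev, TA_LINE_BREAKER))
    print("events with TA breaker:", len(split_events(STREAM, TA_LINE_BREAKER)))
    print("events with timestamp breaker:", len(split_events(STREAM, TIMESTAMP_LINE_BREAKER)))
```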


New Member

You need to make sure the TA is installed on the indexer or heavy forwarder if you are using them. Due to the line breaks etc., a universal forwarder will not expand the events in the transforms to give you the expanded sourcetypes.


New Member

This could happen if F5 is not configured well (log sending format).

Should be like this:




Hmm, I got the same problem, Splunk is not separating sourcetypes.
I tried to follow, but Splunk only receives syslog audit.



Got same problem here. Add-on cannot extract fields for ASM audit events.

Sourcetype: f5:bigip:syslog
Port: udp:9514

Have you guys gotten through this issue?


Did you get any answer about this question? I have the same problem for all my F5 BIG-IP logs.
