Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

F5/Splunk App - LTM dashboard

ebaycmille
New Member
‎12-10-2010 12:28 AM

Hello, just curious if anyone has had success getting this to work? Are there any config docs available?

0 Karma
Reply

cps42
Explorer
‎09-28-2011 11:38 AM

I came upon this thread a bit late, but with the advent of v10 / v11 software, and multimodule Big-IP systems (WAM + ASM + LTM on one system, for example), I've found a different tack on the transforms.conf. You can see some of it in the $SPLUNK_HOME/etc/apps/SplunkforF5/default/ config files.

Each of the modules that runs through AlertD will prepend the log message with a number in this format:


REGEX = (\d{4}[0-9A-Fa-f]{4}:\d+:).

For example, the apm_log regex is


transforms.conf:REGEX = :\s(?:0149[0-9A-Fa-f]{4}:\d+:|0125[0-9A-Fa-f]{4}:\d+:\s[0-9A-Fa-f]{8}:)

Make sure your props.conf file calls those dynamic transforms out, and then you don't have to manually define every LTM on your network in transforms.conf.


TRANSFORMS-f5 = firepass_sourcetyper, asm_sourcetyper, apm_sourcetyper, irule_sourcetyper, PSM_sourcetyper_smtp, PSM_sourcetyper_http, PSM_sourcetyper_ftp, bigip_sourcetyper

0 Karma
Reply

MarioM
Motivator
‎04-15-2011 10:45 AM

yes if everything is coming on same udp port you can force the sourcetype by host by modifying(or creating) props.conf and transforms.conf in either splunk/etc/system/local,splunk/etc/apps/myapps/local,splunk/etc/apps/SplunkforF5/local:

In transforms.conf for example:

[assign_sourcetype_bigip]
SOURCE_KEY=MetaData:Host
DEST_KEY=_MetaData:Sourcetype
REGEX=^host::(10\.10\.10\.1|10\.10\.10\.2)$
FORMAT=ltm_log

In props.conf:

TRANSFORMS-force-bigip-sourcetype = assign_sourcetype_bigip
0 Karma
Reply

charlestips
Explorer
‎04-15-2011 09:33 AM

How do you set the manual source type? Everything is coming in on one port, is it possible to set the source type based on the host sending it?

0 Karma
Reply

MarioM
Motivator
‎12-10-2010 01:14 PM

First make sure your data inputs have the right manual sourcetype:

LTM ltm_log

GTM gtm_log

ASM asm_log

PSM psm_log

Firepass firepass_log

The app has many scheduled searches, including some that feed the summary index then you need to wait they kick off and summary index being filled before things shows up in dashboard.

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...