Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- F5/Splunk App - LTM dashboard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
F5/Splunk App - LTM dashboard
Hello, just curious if anyone has had success getting this to work? Are there any config docs available?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I came upon this thread a bit late, but with the advent of v10 / v11 software, and multimodule Big-IP systems (WAM + ASM + LTM on one system, for example), I've found a different tack on the transforms.conf. You can see some of it in the $SPLUNK_HOME/etc/apps/SplunkforF5/default/ config files.
Each of the modules that runs through AlertD will prepend the log message with a number in this format:
REGEX = (\d{4}[0-9A-Fa-f]{4}:\d+:).
For example, the apm_log regex is
transforms.conf:REGEX = :\s(?:0149[0-9A-Fa-f]{4}:\d+:|0125[0-9A-Fa-f]{4}:\d+:\s[0-9A-Fa-f]{8}:)
Make sure your props.conf file calls those dynamic transforms out, and then you don't have to manually define every LTM on your network in transforms.conf.
TRANSFORMS-f5 = firepass_sourcetyper, asm_sourcetyper, apm_sourcetyper, irule_sourcetyper, PSM_sourcetyper_smtp, PSM_sourcetyper_http, PSM_sourcetyper_ftp, bigip_sourcetyper
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes if everything is coming on same udp port you can force the sourcetype by host by modifying(or creating) props.conf and transforms.conf in either splunk/etc/system/local,splunk/etc/apps/myapps/local,splunk/etc/apps/SplunkforF5/local:
In transforms.conf for example:
[assign_sourcetype_bigip]
SOURCE_KEY=MetaData:Host
DEST_KEY=_MetaData:Sourcetype
REGEX=^host::(10\.10\.10\.1|10\.10\.10\.2)$
FORMAT=ltm_log
In props.conf:
TRANSFORMS-force-bigip-sourcetype = assign_sourcetype_bigip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you set the manual source type? Everything is coming in on one port, is it possible to set the source type based on the host sending it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First make sure your data inputs have the right manual sourcetype:
LTM ltm_log
GTM gtm_log
ASM asm_log
PSM psm_log
Firepass firepass_log
The app has many scheduled searches, including some that feed the summary index then you need to wait they kick off and summary index being filled before things shows up in dashboard.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
