Knowledge Management

Why is the data not conformed with the CIM model after implementing the Splunk Add-on for F5 BIG-IP?

Hemnaath
Motivator

Hi all, currently facing an issue in parsing the data, and also the data is not conformed with the CIM model.

Environment details:
F5 LTM data are being ingested into the Splunk environment from syslog servers. We have 5 heavy forwarder instances configured to fetch the syslog data and forward it to the 5 individual indexer instances. The Splunk F5 Add-on is uploaded on the search head cluster master with the below configuration details as per the Splunk documentation.
appserver
bin
default
metadata
static
ReadME

We have a customized app Test-IA-f5 with inputs.conf configured to fetch the data from the syslog server, and this app is placed in all the heavy forwarder instances.

Test-IA-f5:

F5 LTM

[monitor:///opt/syslogs/web_access/.../*.log]
index = web_app
sourcetype = f5:bigip:syslog
host_segment = 4

We could see the data in the Splunk console, but the data is not parsing properly and also it's conformed with the CIM model.
Kindly guide me how to fix this issue.

Thanks in advance.

0 Karma

harsmarvania57
Ultra Champion

Based on the documentation http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Sourcetypes, it says the f5:bigip:syslog sourcetype does not support any CIM data model. Have you checked that?

EDIT: But while looking at the add-on, it is doing index-level parsing, and as you are using a Heavy Forwarder to send syslog data with sourcetype f5:bigip:syslog, you need to install this add-on on the Heavy Forwarder, not on the Indexers.

0 Karma

Hemnaath
Motivator

Hi harsmarvania57, thanks for your effort on this. I had placed the Splunk Add-on for F5 BIG-IP in the heavy forwarder instances to parse the data before indexing it. After placing the add-on in the HF instances, we could now see the F5 data being parsed.

0 Karma

harsmarvania57
Ultra Champion

I have converted my comment to an answer; please accept it so that the question will be closed.

0 Karma

sumitkathpal292
New Member

@harsmarvania57 can you help? We are also facing the same issue. We have installed the F5 add-on on the HF; however, logs are not getting tagged to the data model.

All F5 syslog data is written into a file (via UDP) and Splunk is reading the files. sourcetype=f5:bigip:syslog.

0 Karma

micahkemp
Champion

Does the indexed data show up as having sourcetype f5:bigip:syslog? Have you tried searching in verbose mode to confirm that none of the fields are being parsed as expected?

0 Karma

Hemnaath
Motivator

Hi micahkemp, thanks for your effort on this. Yes, when we search with the above sourcetype we are able to see the data in the Splunk console, but it's not parsing the data as expected. I came to know that we need to place the Splunk Add-on for F5 BIG-IP in the heavy forwarder instances to parse the data before indexing it.

But I have a question now: since I am using sourcetype = f5:bigip:syslog, do I need to place the entire content of the Splunk Add-on on the HF server, or is placing only the props/transforms related to sourcetype=f5:bigip:syslog enough?

Kindly guide me on this, please.

0 Karma
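One way to check which parts of an add-on's props.conf actually have to sit on the heavy forwarder, as an added example that is not code from this thread or from the Splunk Add-on for F5 BIG-IP. It classifies each props.conf key by the tier that applies it (index-time keys such as LINE_BREAKER, TIME_PREFIX and TRANSFORMS-* run in the parsing pipeline, which is the HF in the setup above; EXTRACT-*, REPORT-*, FIELDALIAS-*, EVAL-* and LOOKUP-* are search-time and belong on the search head) and flags TRANSFORMS- references that have no matching transforms.conf stanza. The sample stanza, field names and transform names are constructed for the demo and are not the add-on's real configuration.

```python
"""Classify Splunk props.conf keys as index-time vs search-time.

Added example. The SAMPLE_* strings below are constructed for illustration
and are NOT the content of the Splunk Add-on for F5 BIG-IP.
"""
import re

# Keys applied in the parsing pipeline (index-time). Once a heavy forwarder
# has parsed ("cooked") an event, downstream indexers do not re-apply these.
INDEX_TIME_KEYS = {
    "LINE_BREAKER", "SHOULD_LINEMERGE", "BREAK_ONLY_BEFORE", "MUST_BREAK_AFTER",
    "TRUNCATE", "TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD",
    "DATETIME_CONFIG", "TZ", "CHARSET", "NO_BINARY_CHECK", "MAX_EVENTS",
}
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")

# Keys applied by the search head at search time (field extractions, aliases,
# calculated fields, lookups); these never need to be on the forwarder.
SEARCH_TIME_KEYS = {"KV_MODE", "rename", "ANNOTATE_PUNCT"}
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")

# Constructed sample props.conf / transforms.conf (hypothetical names).
SAMPLE_PROPS = r"""
[f5:bigip:syslog]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS-route = f5_route_example, f5_drop_example
EXTRACT-vs = virtual_server=(?<virtual_server>\S+)
FIELDALIAS-src = src_ip AS src
EVAL-action = if(isnull(action), "allowed", action)
"""
SAMPLE_TRANSFORMS = r"""
[f5_route_example]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = web_app
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # values may themselves contain '='
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def classify_key(key):
    """Return 'index-time', 'search-time' or 'unknown' for one props.conf key."""
    if key in INDEX_TIME_KEYS or key.startswith(INDEX_TIME_PREFIXES):
        return "index-time"
    if key in SEARCH_TIME_KEYS or key.startswith(SEARCH_TIME_PREFIXES):
        return "search-time"
    return "unknown"


def classify_stanza(props, stanza):
    """Group a stanza's keys by the tier that applies them."""
    groups = {"index-time": [], "search-time": [], "unknown": []}
    for key in props.get(stanza, {}):
        groups[classify_key(key)].append(key)
    return groups


def needs_parsing_tier(props, stanza):
    """True if the stanza carries any index-time key, i.e. it must be present
    on whichever tier parses the data (the heavy forwarder in this thread)."""
    return bool(classify_stanza(props, stanza)["index-time"])


def missing_transforms(props, transforms):
    """Transform names referenced by TRANSFORMS-* lines that have no stanza in
    transforms.conf; copying props.conf without its transforms.conf stanzas is
    the typical partial-deployment mistake this catches."""
    referenced = set()
    for settings in props.values():
        for key, value in settings.items():
            if key.startswith("TRANSFORMS-"):
                referenced.update(v.strip() for v in value.split(",") if v.strip())
    return referenced - set(transforms)


if __name__ == "__main__":
    props = parse_conf(SAMPLE_PROPS)
    transforms = parse_conf(SAMPLE_TRANSFORMS)
    for stanza in props:
        print(f"[{stanza}] needs parsing tier: {needs_parsing_tier(props, stanza)}")
        for tier, keys in classify_stanza(props, stanza).items():
            print(f"  {tier}: {', '.join(keys) or '-'}")
    print("referenced but undefined transforms:",
          sorted(missing_transforms(props, transforms)))
```

Pointed at the add-on's own default/props.conf and default/transforms.conf, this answers the last question above: copying only the props/transforms stanzas for f5:bigip:syslog covers index-time parsing on the HF provided every referenced transforms.conf stanza comes along, while the search-time objects the data model depends on (field extractions, tags, eventtypes) still have to be installed on the search head tier.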