
Why is the data not conformed to the CIM model after implementing the Splunk Add-on for F5 BIG-IP?

Motivator

Hi all, I am currently facing an issue in parsing the data, and also the data is not conformed to the CIM model.

Environment details:
F5 LTM data is being ingested into the Splunk environment from syslog servers. We have 5 heavy forwarder instances configured to fetch the syslog data and forward it to the 5 individual indexer instances. The Splunk F5 Add-on is uploaded to the search head cluster master with the below configuration details, as per the Splunk documentation.
appserver
bin
default
metadata
static
ReadME

We have a customized app, Test-IA-f5, with inputs.conf configured to fetch the data from the syslog server, and this app is placed on all the heavy forwarder instances.

Test-IA-f5:

F5 LTM

[monitor:///opt/syslogs/web_access/.../*.log]
index = web_app
sourcetype = f5:bigip:syslog
host_segment = 4

We can see the data in the Splunk console, but the data is not parsing properly and also is not conformed to the CIM model.
Kindly guide me on how to fix this issue.

Thanks in advance.


SplunkTrust

Based on the documentation at http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Sourcetypes , the f5:bigip:syslog sourcetype does not support any CIM data model. Have you checked that?

EDIT: But while looking at the add-on, it is doing index-level parsing, and as you are using a Heavy Forwarder to send syslog data with sourcetype f5:bigip:syslog, you need to install this add-on on the Heavy Forwarder, not on the Indexers.


Motivator

Hi harsmarvania57, thanks for your effort on this. I have placed the Splunk Add-on for F5 BIG-IP on the heavy forwarder instances to parse the data before indexing it. After placing the add-on on the HF instances, we can now see the F5 data being parsed.


SplunkTrust

I have converted my comment to an answer; please accept it so that the question will be closed.


New Member

@harsmarvania57 can you help? We are also facing the same issue. We have installed the F5 add-on on the HF; however, the logs are not getting tagged to the data model.

All F5 syslog data is written into a file (via UDP) and Splunk is reading the files. sourcetype=f5:bigip:syslog.


Champion

Does the indexed data show up as having sourcetype f5:bigip:syslog? Have you tried searching in verbose mode to confirm that none of the fields are being parsed as expected?


Motivator

Hi micahkemp, thanks for your effort on this. Yes, when we search with the above sourcetype we are able to see the data in the Splunk console, but it is not parsing the data as expected. I came to know that we need to place the Splunk Add-on for F5 BIG-IP on the heavy forwarder instances to parse the data before indexing it.

But I have a question now: since I am using sourcetype = f5:bigip:syslog, do I need to place the entire content of the Splunk Add-on on the HF server, or is placing only the props/transforms related to sourcetype=f5:bigip:syslog enough?

Kindly guide me on this, please.

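Both the advice above (index-time parsing happens on the heavy forwarder) and the follow-up question (whole add-on or only the props/transforms for this sourcetype) come down to which settings in a props.conf stanza Splunk applies at index time. As an added example that is not from this thread or from the add-on, the Python script below splits a sourcetype stanza into its index-time settings (the ones that must be present on the HF) and checks that every transforms.conf stanza they reference exists; the PROPS and TRANSFORMS stanzas are constructed for illustration, not the real add-on's content.

```python
import configparser
import re

# Settings Splunk applies in the parsing/indexing pipeline (on the HF here).
# EXTRACT-, REPORT-, FIELDALIAS-, EVAL-, LOOKUP- and KV_MODE are search-time
# and are used on the search head, so they are deliberately left out.
INDEX_TIME_KEYS = {"LINE_BREAKER", "SHOULD_LINEMERGE", "TRUNCATE", "CHARSET",
                   "TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD"}
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")

def load_conf(text):
    """Parse Splunk .conf text: case-sensitive keys, '=' only, no % interpolation."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def index_time_settings(props_text, transforms_text, sourcetype):
    """Return (index-time settings of the stanza, missing transforms stanzas)."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    if not props.has_section(sourcetype):
        return {}, []
    settings = {k: v for k, v in props.items(sourcetype)
                if k in INDEX_TIME_KEYS or k.startswith(INDEX_TIME_PREFIXES)}
    missing = []
    for key, value in settings.items():
        if key.startswith("TRANSFORMS-"):          # value is a comma-separated list
            for name in re.split(r"\s*,\s*", value.strip()):
                if name and not transforms.has_section(name):
                    missing.append(name)
    return settings, missing

# Constructed sample stanzas (hypothetical; not the Splunk Add-on for F5 BIG-IP's).
PROPS = r"""
[f5:bigip:syslog]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
TRANSFORMS-f5_route = f5_set_sourcetype
EXTRACT-f5_msg = :\s(?<message>.+)$
"""
TRANSFORMS = r"""
[f5_set_sourcetype]
REGEX = tmm\d*\[\d+\]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::f5:bigip:ltm:tmm
"""

if __name__ == "__main__":
    print(index_time_settings(PROPS, TRANSFORMS, "f5:bigip:syslog"))
```

Run it against the add-on's own props.conf and transforms.conf on the HF to see which stanzas the forwarder actually needs; a non-empty missing list means a TRANSFORMS- reference will silently do nothing.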