Splunk Search

F5 ASM events are being merged, sourcetype is f5:bigip:asm:syslog

juanlazarosanch
New Member

I installed the Splunk Add-on for F5 BIG-IP and defined the incoming as sourcetype f5:bigip:asm:syslog. Several (not all) events are getting merged into one event. Is there anything I can change to modify the sourcetype so that each event is a single event and not merged? Thanks!

0 Karma

prakash007
Builder

Did you check props and transforms in Splunk Add-on for F5 BIG-IP?
Can you post a sample event here?
Make sure you have that TA installed on a heavy forwarder or indexer.

0 Karma

juanlazarosanch
New Member

I checked for those files (props and transforms) but did not find them here, would they be in some other spot?
/opt/splunk/etc/apps/Splunk_TA_f5-bigip/local # ls
app.conf indexes.conf

The Splunk Add-on for F5 BIG-IP is installed on both the forwarder and indexer.

Unfortunately, I cannot post events. I can try redacting or modifying them before I post...it'll take me a while. Thanks!

0 Karma

prakash007
Builder

@juanlazarosanchez:
check it in /opt/splunk/etc/apps/Splunk_TA_f5-bigip/default...
when you say forwarder, is it a heavy forwarder or a universal forwarder?

0 Karma

juanlazarosanch
New Member

Heavy forwarder

They were in the spot you mentioned. I looked through them, but could not determine why the events were merging.

I tried something different: I changed the sourcetype to access_common and now all the events are separated as they should be. I don't mind using access_common going forward unless there is another pre-trained sourcetype that would be more appropriate.

0 Karma

prakash007
Builder

@juanlazarosanchez: I wouldn't do that unless there is a specific reason. Go through the Splunk docs for detailed configuration steps; there should be a few other configs/extractions that are tied to the default sourcetypes.
http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Sourcetypes

0 Karma
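As an added illustration (not from the thread and not the add-on's own configuration), a local props.conf override that forces one event per syslog line while keeping the add-on's sourcetype name, so its default extractions still apply. The stanza keys are standard Splunk settings; the values, the file location and the assumption that timestamp-based line merging is what fuses the events are this example's own.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/props.conf
# on the heavy forwarder, since line breaking is decided where the data is
# first parsed (the heavy forwarder here, not the indexer).
# Keeping the stanza name identical to the add-on's sourcetype means only the
# keys listed below are overridden; everything else in default/props.conf
# (field extractions, aliases, CIM tags) remains in effect.
[f5:bigip:asm:syslog]
# Never merge consecutive lines into one event based on timestamp detection;
# each line delimited by a newline becomes its own event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Long ASM events (request headers and bodies) can exceed the default
# truncation length; 0 disables truncation (assumed value).
TRUNCATE = 0
# Only scan the start of the line for the event timestamp, so a date inside
# the logged request is not mistaken for the event time (assumed value).
MAX_TIMESTAMP_LOOKAHEAD = 40
```

After restarting the forwarder, a search such as `sourcetype=f5:bigip:asm:syslog | eval lines=mvcount(split(_raw,"\n")) | where lines>1` should return nothing once newly indexed events are no longer merged.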