Splunk Search

F5 ASM events are being merged, sourcetype is f5:bigip:asm:syslog

juanlazarosanch
New Member

I installed the Splunk Add-on for F5 BIG-IP and defined the incoming as sourcetype f5:bigip:asm:syslog. Several (not all) events are getting merged into one event. Is there anything I can change to modify the sourcetype so that each event is a single event and not merged? Thanks!

0 Karma

prakash007
Builder

Did you check props and transforms in Splunk Add-on for F5 BIG-IP..??
Can you post a sample event here..??
Make sure you have that TA installed on a heavy forwarder or indexer.

0 Karma

juanlazarosanch
New Member

I checked for those files (props and transforms) but did not find them here, would they be in some other spot?
/opt/splunk/etc/apps/Splunk_TA_f5-bigip/local # ls
app.conf indexes.conf

The Splunk Add-on for F5 BIG-IP is installed on both the forwarder and indexer.

Unfortunately, I cannot post events. I can try redacting or modifying them before I post...it'll take me a while. Thanks!

0 Karma

prakash007
Builder

@juanlazarosanchez:
check it in /opt/splunk/etc/apps/Splunk_TA_f5-bigip/default...
when you say forwarder, is it a heavy forwarder or a universal forwarder..??

0 Karma

juanlazarosanch
New Member

Heavy forwarder

They were in the spot you mentioned. I looked through them, but could not determine why the events were merging.

I tried something different: I changed the sourcetype to access_common, and now all the events are separated as they should be. I don't mind using access_common going forward unless there is another pre-trained sourcetype that would be more appropriate.

0 Karma

prakash007
Builder

@juanlazarosanchez : I wouldn't do that unless there is a specific reason. Go through the Splunk docs for detailed configuration steps; there should be a few other configs/extractions that are tied to the default sourcetypes.
http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Sourcetypes

0 Karma
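A concrete way to keep the add-on's sourcetype (and the field extractions tied to it) while fixing the line breaking is a local override that sits on top of the add-on's default props.conf. The stanza below is an added example written for this thread; it is not from the Splunk Add-on for F5 BIG-IP and does not describe what the add-on ships by default. It assumes the ASM events arrive over syslog with a standard `<PRI>` priority prefix at the start of every record; the LINE_BREAKER regex must be adjusted if your ASM logging profile uses a different leading token. Because line breaking happens on the parsing tier, the file belongs on the heavy forwarder, and the forwarder needs a restart afterwards.

```ini
# Added example: $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/props.conf
# on the heavy forwarder. Settings in local/ override the add-on's default/.
[f5:bigip:asm:syslog]
# Disable Splunk's line-merging heuristics; merged WAF events hide
# individual requests and skew any alert that counts per-event hits.
SHOULD_LINEMERGE = false
# Break only at a newline that is immediately followed by the next
# syslog priority header (assumed record format: "<134>..." per line).
LINE_BREAKER = ([\r\n]+)(?=<\d{1,3}>)
# Keep timestamp parsing anchored to the header so a second timestamp
# inside the ASM message body is never taken as an event boundary.
MAX_TIMESTAMP_LOOKAHEAD = 32
# ASM records can be long; raise the default truncation limit.
TRUNCATE = 100000
```

After restarting the heavy forwarder, confirm the override won the merge with `splunk btool props list f5:bigip:asm:syslog --debug`, which prints every setting for the stanza together with the file it came from; the local/ path should appear beside SHOULD_LINEMERGE and LINE_BREAKER. Events already indexed are not re-parsed, so verify on newly arriving data.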