×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ebaycmille
New Member
Member since: ‎12-10-2010
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-10-2010
Activity Feed
View All

Re: F5/Splunk App - LTM dashboard

by in Dashboards & Visualizations
‎09-28-2011 11:38 AM
‎09-28-2011 11:38 AM
I came upon this thread a bit late, but with the advent of v10 / v11 software, and multimodule Big-IP systems (WAM + ASM + LTM on one system, for example), I've found a different tack on the transforms.conf. You can see some of it in the $SPLUNK_HOME/etc/apps/SplunkforF5/default/ config files. Each of the modules that runs through AlertD will prepend the log message with a number in this format: REGEX = (\d{4}[0-9A-Fa-f]{4}:\d+:). For example, the apm_log regex is transforms.conf:REGEX = :\s(?:0149[0-9A-Fa-f]{4}:\d+:|0125[0-9A-Fa-f]{4}:\d+:\s[0-9A-Fa-f]{8}:) Make sure your props.conf file calls those dynamic transforms out, and then you don't have to manually define every LTM on your network in transforms.conf. TRANSFORMS-f5 = firepass_sourcetyper, asm_sourcetyper, apm_sourcetyper, irule_sourcetyper, PSM_sourcetyper_smtp, PSM_sourcetyper_http, PSM_sourcetyper_ftp, bigip_sourcetyper ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM