This is an old post, but an easy one to set up. We have our F5 LTM logs going to Splunk so we can monitor when the F5 marks a member of a pool up or down.
The first thing you need to do is set up a UDP (or TCP, depending on how your network team wants to send F5 logs to your Splunk server) listen port on your Splunk indexer server in inputs.conf.
Mine looks like this (be sure the index you set has been created):
# <port> is a placeholder for your listen port; use [tcp://<port>] for TCP
[udp://<port>]
connection_host = ip
sourcetype = ltm_log
source = ltm
index = f5
Next, have your network admin configure the F5 to forward the LTM logs to the Splunk indexer hostname (or IP) and port you configured above.
If everything works, you should see F5 logs similar to the following:
mcpd: 01070727:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status up.
mcpd: 01070638:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status down.
Where Pool_A is the F5 pool name, Server1:80 is the member server name/IP and port, and monitor status shows whether the F5 disabled (down) or enabled (up) the member in the pool based on its availability.
From here, you can create an alert when the status changes.
Finally, there are some F5 apps on Splunkbase that you can play around with as well.
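The status-change alert logic described above, sketched outside Splunk as an added example (not part of the original post): it parses the mcpd pool-member lines and reports only real transitions, so a repeated "down" does not alert again. The regex is an assumption derived from the two sample lines in the post, the function names are hypothetical, and the sample input is constructed.

```python
import re

# Assumed pattern, derived from the two sample mcpd lines in the post;
# other LTM versions may format the message differently.
MCPD_RE = re.compile(
    r"mcpd(?:\[\d+\])?: [0-9a-f]{8}:\d+: "
    r"Pool (?P<pool>\S+) member (?P<member>\S+) "
    r"monitor status (?P<status>up|down)\b"
)

def parse_line(line):
    """Return (pool, member, status), or None for lines that do not match."""
    m = MCPD_RE.search(line)
    return (m["pool"], m["member"], m["status"]) if m else None

def status_changes(lines):
    """Return (pool, member, old, new) for every status flip.

    A member first seen as "up" only sets a baseline; a member first seen
    as "down" is reported with old=None. Repeats of the same status are
    suppressed.
    """
    last, changes = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated syslog traffic
        pool, member, status = parsed
        old = last.get((pool, member))
        if old != status and not (old is None and status == "up"):
            changes.append((pool, member, old, status))
        last[(pool, member)] = status
    return changes

def currently_down(lines):
    """Return the sorted (pool, member) pairs whose latest status is down."""
    latest = {}
    for parsed in filter(None, map(parse_line, lines)):
        latest[parsed[:2]] = parsed[2]
    return sorted(k for k, v in latest.items() if v == "down")

# Constructed sample input: the post's two lines plus a repeat, a second
# pool, an unrelated line and a recovery.
SAMPLE = [
    "mcpd: 01070727:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status up.",
    "mcpd: 01070638:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status down.",
    "mcpd: 01070638:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status down.",
    "mcpd: 01070638:5: Pool /Common/Pool_B member /Common/Server2:443 monitor status down.",
    "sshd: Accepted publickey for admin",
    "mcpd: 01070727:5: Pool /Common/Pool_A member /Common/Server1:80 monitor status up.",
]

if __name__ == "__main__":
    for change in status_changes(SAMPLE):
        print(change)
    print("down now:", currently_down(SAMPLE))
```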