@jonesnadiam wrote: Has anyone had issues with the Splunk Add-on for F5 BIG-IP setting/separating the sourcetypes? According to the documentation, if the sourcetype is set to f5:bigip:syslog, the data should be separated into its specific sourcetypes (f5:bigip:apm:syslog, f5:bigip:asm:syslog, f5:bigip:icontrol, etc), but all of our sourcetypes are still coming in as f5:bigip:syslog. Is there anything specific that I need to change in the configuration files so that these sourcetypes are automatically updated? Thanks. yes , i have fixed it by asking System administrator to change the 1st part of raw data from F5-Logging profile to the one which match with "f5_asm" format and it work =====> but found another issue with Addon (( Addone -F5 BigIp) didnot tag ASM-logs which will not be presented on Datamodels Or dashboards  so i make a new files at local folder props.conf  ### ASM ### [f5:bigip:asm:syslog] EVAL-attack_type = if(isnull(attack_type) or attack_type="" or attack_type="N/A" or attack_type="-", null, attack_type) EVAL-category = if(isnull(attack_type) or attack_type="" or attack_type="N/A" or attack_type="-", null, attack_type) and tags.conf   ### ASM ### [eventtype=f5_bigip_asm_syslog_attack] web = enabled communicate = enabled network = enabled attack = enabled ids = enabled [eventtype=f5_bigip_asm_syslog] web = enabled communicate = enabled network = enabled   AND eventtypes.conf   [f5_bigip_asm_syslog] search = sourcetype="f5:bigip:asm:syslog" (attack_type="N/A" OR NOT attack_type=*) [f5_bigip_asm_syslog_attack] search = sourcetype="f5:bigip:asm:syslog" (attack_type!="N/A" AND attack_type=*)    and now everything is working fine and data are tagged this should be added to addons in the next release  ... View more

yes , i have fixed it by asking System administrator to change the 1st part of raw data from F5-Logging profile to the one which match with "f5_asm" format and it work =====> but found another issue with Addon (( Addone -F5 BigIp) didnot tag ASM-logs which will not be presented on Datamodels Or dashboards  so i make a new files at local folder props.conf  ### ASM ### [f5:bigip:asm:syslog] EVAL-attack_type = if(isnull(attack_type) or attack_type="" or attack_type="N/A" or attack_type="-", null, attack_type) EVAL-category = if(isnull(attack_type) or attack_type="" or attack_type="N/A" or attack_type="-", null, attack_type) and tags.conf   ### ASM ### [eventtype=f5_bigip_asm_syslog_attack] web = enabled communicate = enabled network = enabled attack = enabled ids = enabled [eventtype=f5_bigip_asm_syslog] web = enabled communicate = enabled network = enabled   AND eventtypes.conf   [f5_bigip_asm_syslog] search = sourcetype="f5:bigip:asm:syslog" (attack_type="N/A" OR NOT attack_type=*) [f5_bigip_asm_syslog_attack] search = sourcetype="f5:bigip:asm:syslog" (attack_type!="N/A" AND attack_type=*)    and now everything is working fine and data are tagged this should be added to addons in the next release  @pvuong  @jonesnadiam  @ianbow_concur  @sirajnp  ... View more

yes , i have fixed it by asking System administrator to change the 1st part of raw data from F5-Logging profile to the one which match with "f5_asm" format and it work =====> but found another issue with Addon (( Addone -F5 BigIp) didnot tag ASM-logs which will not be presented on Datamodels Or dashboards  so i make a new files at local folder props.conf  ### ASM ### [f5:bigip:asm:syslog] EVAL-attack_type = if(isnull(attack_type) or attack_type="" or attack_type="N/A" or attack_type="-", null, attack_type) EVAL-category = if(isnull(attack_type) or attack_type="" or attack_type="N/A" or attack_type="-", null, attack_type) and tags.conf   ### ASM ### [eventtype=f5_bigip_asm_syslog_attack] web = enabled communicate = enabled network = enabled attack = enabled ids = enabled [eventtype=f5_bigip_asm_syslog] web = enabled communicate = enabled network = enabled   AND eventtypes.conf   [f5_bigip_asm_syslog] search = sourcetype="f5:bigip:asm:syslog" (attack_type="N/A" OR NOT attack_type=*) [f5_bigip_asm_syslog_attack] search = sourcetype="f5:bigip:asm:syslog" (attack_type!="N/A" AND attack_type=*)    and now everything is working fine and data are tagged this should be added to addons in the next release @jonesnadiam  ... View more

yes , i have fixed it by asking System administrator to change the 1st part of raw data from F5-Logging profile to the one which match with "f5_asm" format and it work =====> but found another issue with Addon (( Addone -F5 BigIp) didnot tag ASM-logs which will not be presented on Datamodels Or dashboards  so i make a new files at local folder props.conf ### ASM ### [f5:bigip:asm:syslog] EVAL-attack_type = if(isnull(attack_type) or attack_type="" or attack_type="N/A" or attack_type="-", null, attack_type) EVAL-category = if(isnull(attack_type) or attack_type="" or attack_type="N/A" or attack_type="-", null, attack_type) and tags.conf   ### ASM ### [eventtype=f5_bigip_asm_syslog_attack] web = enabled communicate = enabled network = enabled attack = enabled ids = enabled [eventtype=f5_bigip_asm_syslog] web = enabled communicate = enabled network = enabled   AND eventtypes.conf   [f5_bigip_asm_syslog] search = sourcetype="f5:bigip:asm:syslog" (attack_type="N/A" OR NOT attack_type=*) [f5_bigip_asm_syslog_attack] search = sourcetype="f5:bigip:asm:syslog" (attack_type!="N/A" AND attack_type=*)    and now every thing is working fine and data are tagged this should be added to addons in next release  ... View more

this is not an issue where to install the addon it is related to a raw data format which is not compatible with addon ... View more

From Apps > choose Manage Apps > search for Splunk CIM From Actions > Edit properties then Visible choose (Yes) CIM-Addon : will work normally ... View more

the same issue with F5-addons too when i change logging profile for F5 v15.1 as below options 1. F5 Logging Profile (Syslog ) ==> addon F5-big IP not working as log come in below format not like F5-addons format at props/transform files. 130>Sep 30 10:39:44 F5-01.*.com ASM:unit_hostname="F5-01.*.com" and F5-add on match only below format <131>Sep 12 23:53:50 F5-01.*.com ASM:f5_asm=Splunk-F5-AS when i change logging profile from F5 v15.1 to pre-define template format call "Splunk" 2.  F5 Logging Profile (Splunk) ==> logs come in duplicated event parameters when i change logging profile for F5 v15.1 to custom template at Splunk-Docs  Configure F5 Logging Profiles for ASM https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup 3. 2.  F5 Logging Profile (Custom template) ==> logs come in duplicated event parameters too ... View more