You mentioned that you are using a heavy forwarder on the syslog server. I took a look at the app and in the props.conf section there is a set of transforms that operates on the syslog sourcetype that changes the sourcetype for the different types of events that the F5 generates:
TRANSFORMS-sourcetype=f5-dcfw,f5-syslog,f5-access
This means that you will have to install the app on the heavy forwarder so it can do this operation before the data gets indexed.
I didn't see any index specified in the app, so not sure what index you are putting the data into, but if you don't have rights to search all indexes by default, you might consider modifying the macros.conf file (on the search head) and putting index=foo (the index where the f5 data is) in front of the sourcetype. Something like:
definition = index=foo sourcetype="F5:AFM:Syslog"
After that as long as you have the app installed on your search head, you should be good to go.
,
... View more