Never mind peeps, I got around it by using a SEDCMD on input to change the ASM: to ASM, then changed the transforms.conf such that "syslog_specific_data":"unit_hostname" became "syslog_specific_data","unit_hostname"
Now all is well.
Hope someone can help me here.
We are configuring Splunk for F5 Security and we can't get the field extractions to work properly. It's to do with the syslog data at the front of the string and this looks like it's taken care of in the delimiters in the appropriate transforms.conf however it does not appear to be doing its thing.
I have adjusted the ASM extraction to suit F5 OS v11. The transforms.conf entry is below:
DELIMS = ","
FIELDS = "syslog_specific_data":"unit_hostname","management_ip_address","web_application_name","policy_name","policy_apply_date","violations","support_id","request_sta
The issue appears to be that the syslog_specific_data is separated by a different delimiter (:) from the rest of the data; as such, the field is being extracted as syslog_specific_data_unit_hostname, with all the syslog data and the unit_hostname as one big field. This doesn't work very well with the app, or anything else for that matter.
Has anyone else experienced this and if so how did you get around it? Did you manage to strip out the syslog data via a regex in the transforms.conf or something similar?
An example of the input being indexed is below; we want the unit_hostname to be identified as blah.host.local:
Feb 4 16:05:08 a.b.c.d Feb 4 16:04:24 blah.host.local ASM:"blah.host.local","a.b.c.d"," "," ","2014-02-04 15:00:40","Illegal URL length,Illegal request length,Illegal file type,Modified domain cookie(s)","12288077832457980502","alerted","404","w.x.y.z","GET","HTTPS","/robots.txt","GET /robots.txt HTTP/1.1\r\nHost: external.example.com\r\nConnection: close, TE\r\nTE: trailers\r\nUser-Agent: Mozilla/5.0 (compatible; Funnelback)""1""\r\n\r\n","","N/A","","","2014-02-04 16:04:24","Critical"
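The extraction problem described in the question above, and the SEDCMD workaround from the "Never mind" follow-up, modelled as an added example. This is not code from the poster or from the Splunk for F5 app: it approximates Splunk's DELIMS="," extraction with Python's csv module (an assumption; Splunk's own splitter is not reproduced), assumes the SEDCMD was s/ASM:/ASM,/, and runs on a constructed event modelled on the one in the question with the trailing request fields left out.

```python
import csv
import re
from io import StringIO

# Constructed sample event modelled on the one in the question: hosts and
# addresses are placeholders and the trailing request fields are omitted.
RAW_EVENT = (
    'Feb 4 16:05:08 a.b.c.d Feb 4 16:04:24 blah.host.local '
    'ASM:"blah.host.local","a.b.c.d"," "," ","2014-02-04 15:00:40",'
    '"Illegal URL length,Illegal request length",'
    '"12288077832457980502","alerted","404"'
)

# Field names as the original transforms.conf entry effectively produced them:
# the syslog prefix and unit_hostname land in one combined field.
FIELDS_ORIGINAL = [
    "syslog_specific_data_unit_hostname", "management_ip_address",
    "web_application_name", "policy_name", "policy_apply_date",
    "violations", "support_id", "request_status", "response_code",
]

# Field names after the fix: the first two are separate comma-delimited fields.
FIELDS_FIXED = ["syslog_specific_data", "unit_hostname"] + FIELDS_ORIGINAL[1:]


def apply_sedcmd(event: str) -> str:
    """Emulate the SEDCMD from the follow-up (assumed: s/ASM:/ASM,/), so the
    syslog prefix and unit_hostname are separated by the same comma
    delimiter as the rest of the record. count=1 mirrors a non-global s///."""
    return re.sub(r"ASM:", "ASM,", event, count=1)


def extract_fields(event: str, names: list) -> dict:
    """Approximate DELIMS="," extraction: split on commas while honouring
    double-quoted values (so the quoted violations list stays one value),
    then pair values with field names in order. Surplus names get no value."""
    values = next(csv.reader(StringIO(event), delimiter=",", quotechar='"'))
    return dict(zip(names, values))


def extract_before_fix(event: str = RAW_EVENT) -> dict:
    """Original behaviour: unit_hostname is glued to the syslog prefix."""
    return extract_fields(event, FIELDS_ORIGINAL)


def extract_after_fix(event: str = RAW_EVENT) -> dict:
    """Fixed behaviour: SEDCMD rewrite first, then the corrected field list."""
    return extract_fields(apply_sedcmd(event), FIELDS_FIXED)


def hostname_isolated(fields: dict, expected: str = "blah.host.local") -> bool:
    """Check that the app would receive a clean unit_hostname value."""
    return fields.get("unit_hostname") == expected


if __name__ == "__main__":
    before, after = extract_before_fix(), extract_after_fix()
    print("before:", before["syslog_specific_data_unit_hostname"])
    print("after :", after["syslog_specific_data"], "|", after["unit_hostname"])
    print("isolated:", hostname_isolated(before), "->", hostname_isolated(after))
```

Running it shows why the workaround is the minimal change: the colon after ASM is the only place the record departs from comma delimiting, so rewriting it at input time lets a single DELIMS rule cover the whole line, and the quoted violations list still survives as one value.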
I'm trying to configure the Splunk for F5 Networks app and I'm getting stuck with the default send string. I can see that the iRule is getting hit and the syslog pool is getting hit but the only traffic getting to the splunk server is the 'default send string' heartbeat monitor traffic.
From what I've read, we need to configure a static route for the splunk server to be accessed via a TMM interface.
However I am not that familiar with F5 and have absolutely no idea how to do this.
I was hoping someone could enlighten me, and others who may ask the same question.
Is this something that can be configured via the GUI or must it be done via the CLI?
As an example, our environment would run F5 v11.2.x
TMM interfaces are: -
Management interface is: -
Splunk server: -
How do I add a static route to the splunk server for management (i.e. HSL) traffic to go via a TMM interface?