I am working right now to collect logs from F5 BIG-IP. I have a distributed Splunk infrastructure: Heavy Forwarder, Indexer & Search Head. I installed the Splunk Add-on for F5 BIG-IP on the Search Head and Heavy Forwarder instances as recommended in the Splunk documentation here: https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Install
Then, I discovered that the Splunk Add-on for F5 BIG-IP is not separating sourcetypes as expected!
Also, maybe the latest version of the Add-on for F5 BIG-IP (4.0.1) doesn't work with version 16.0.0 of my F5 firewall. I read that somewhere... but I am not sure about it!
Does anyone have an idea, please? Or when will the Add-on be updated to support it?
PS: I am working with Splunk Enterprise v8.0.4