Forum Discussion

Altostratus

4 years ago

ASM Logging to Splunk Anomoly

Hello,

The ASM logs we're sending to Splunk have random (Splunk assigned?) field names. For example, violation_rating is named cn2 in Splunk, attack_type shows up as cs4, user_agent is called pm_fpua in Splunk, and so on.

Does anyone know if this is a Splunk issue or a logging profile issue?

The profile I inherited was configured with a logging format of Common Event Format (ArcSight) although we're talking to Splunk. I assumed changing it back to Key-Value Pairs (Splunk) might fix the issue but it's still jacked up.

Thanks,

Tone

No RepliesBe the first to reply

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

ASM Logging to Splunk Anomoly

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Query on source IP preservation for syslog traffic through F5 virtual server

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Related Content

routing to splunk for asm logging

Setting up F5 Telemetry Streaming with Splunk Cloud

Logging/Blocking possible prompt injection

How I did it - "Visualizing Data with F5 TS and Splunk"

Forwarding Logs to SIEM Tools via HTTP Proxy for F5 Distributed Cloud Global Log Receiver

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS