F5 irule - Failing to include the key from subtable in the generated log message

After

set key [HTTP::header "MSISDN"]

Try setting

log local0. the value of key is $key

To see if you're even setting the variable properly.

ekailado: Please elaborate since i already have " log local0. "User @ $key ....." set

Hi,

if the header is not found, all the irule is useless. that's why ekailado asked to log the key value first.

your irule format is wrong:

instead of using

if { condition } {
    actions
} else {
    if {other conditions} {
        other actions 
    } else {
        if {another condition }
            ...
        }
    }
}

use:

if { condition } {
    actions
} elseif {other conditions} {
        other actions 
} elseif {another condition }
            ...
}

another optimization is the last condition is wrong...

if there is more than 5 requests, there is no more logs. is it the expected behavior?

key is not the only string not in log... [clock seconds] result does dot appears.

I disagree just slightly with @Stanislas here. While your conditional structure is perhaps more unwieldy than the proposed alternative, it isn't functionally incorrect to do it your way, nor is computationally more (or less) expensive.

For posterity, I'm re-including your iRule, formatted for improved readability:

when RULE_INIT {
    set static::maxRate 5
    set static::timeout 60
}

when HTTP_REQUEST { 
    set key [HTTP::header "MSISDN"]
    set getCount [table lookup -notouch -subtable requests $key] 
    
    if { $getCount equals "" } { 
         log local0. "New one: getCount=$getCount $key [clock seconds]" 
        table set -subtable requests $key "1" $static::timeout $static::timeout 
    } else { 
        if { $getCount < $static::maxRate } { 
            table incr -notouch -subtable requests $key] 
        } else { 
            if { $getCount == $static::maxRate } { 
                log local0. "User @ $key [clock seconds] has reached $getCount requests in $static::timeout seconds." table incr -notouch -subtable requests $key 
            }
        }
    }
}

Far more importantly, and just as @Stanislas says, it's most likely that the MSISDN header is simply missing. You will, in that case, still write a table entry. The key will be the empty string. Here is an alternative (not tested!):

when RULE_INIT {
    set static::maxRate 5
    set static::timeout 60
}

when HTTP_REQUEST {
    if { [HTTP::header exists MSISDN] } {
        set key "count-msisdn-[HTTP::header MSISDN]"
        set count [table incr $key]
        
        if { $count == 1 } {
             do this to set the timeout and lifetime, overriding 'table incr' defaults
            table set $key 1 $static::timeout $static::timeout
        } elseif { $count == $static::maxRate } {
            log local0. "User @ $key has reached $count requests in $static::timeout seconds."
            reject
        } elseif { $count > $static::maxRate } {
            reject
        }
    }
}

I'm just assuming you wish to reject when the threshold is met. Naturally, you can do whatever you wish. Notice I perform a table incr then see if it is 1 (which it will be if it didn't previously exist). In your code, you perform two table commands for each request message. My code executes two table commands only for the first request with a given MSISDN in a single interval period. For subsequent requests with that same MSISDN in the same period, only a single table command is executed. table commands are somewhat expensive, so reducing the count is useful. Notice, further, that I dropped the -notouch. Since your lifetime is the same as your timeout, the -notouch (which only relates to the timeout) shouldn't be needed. Finally, I moved this from a sub-table to the main table. In general, sub-tables should only be used if you need to enumerate the keys.

I cut the clock seconds because clock operations are also fairly expensive, and the syslog entry will be timestamped automatically. For production, I'd recommend using High-Speed Logging rather than local logging.