HSL Logging - Filtering it so that you only get the connection information

Question

I have set up the following:
Log Filter (emergency severity-source all)Log Destination (pointing to pool that contains splunk server)Log Publisher (points to splunk_db)
I setup the following iRule on the VS:
when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto TCP -pool splunk_9997]
}
when HTTP_REQUEST {
    HSL::send $hsl "Request from external user - [IP::client_addr] to [HTTP::host][HTTP::uri]
"
}

But when i look at the splunk server i am seeing log data for each png file they are requesting etc. I really just need the initial connection and that is it. Basically i want to see the following:
Request from external user - 172.16.148.2 to www.company.com/etc
Is this possible?

arie · Answer

You're facing two challenges:&nbsp;
Each user may open several connections.A user may make multiple requests on the same connection.
You have a number of options to cut down on the log traffic:&nbsp;
Log only connections (CLIENT_ACCEPTED). This would of course not log the requests. However, you could set a flag (semaphore) that you can then use it to log the first request in HTTP_REQUEST.Limit logging to requests without an extension and known pages.

Forum Discussion

HSL Logging - Filtering it so that you only get the connection information

1 Reply

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Does F5 rSeries 4600 support 3rd Party SFP

no upload file .docx

F5 LACP

F5 BGP Peering in Active /Standby Cluster

AS3 Storage

Related Content

External Monitor Information and Templates

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

Find CVE information on AskF5

DevCentral Connects Recap: Open Finance, APIs, AI & Security

Mitigate OWASP LLM Security Risk: Sensitive Information Disclosure Using F5 NGINX App Protect

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS