Forum Discussion
I need an iRule to log HTTP traffic to SPLUNK to capture the originating IP address before it gets NAT'd
I need to capture original IP addresses for HTTP traffic that passes through an F5 LTM then gets NAT'd. I've read several posts but I am not exactly sure where to begin. I am running 10.2.4.
4 Replies
- Cory_50405
Noctilucent
We do something similar. I'm sure it could be optimized, but it works:
    when SERVER_CONNECTED {
        # Client side: original client address and the virtual server address it hit
        set client_remote "[IP::client_addr]:[TCP::client_port]"
        set client_local "[IP::local_addr clientside]:[TCP::local_port clientside]"
        # Server side: the LTM's own (translated) source address and the pool member
        set server_local "[IP::local_addr]:[TCP::local_port]"
        set server_remote "[IP::server_addr]:[TCP::server_port]"
        log local0. "Got connection: Client($client_remote)<->($client_local)LTM($server_local)<->($server_remote)Server"
    }
- Jeffrey_Silver1
Nimbostratus
Thanks Cory. I'm going to give this a try.
- Mohamed_Lrhazi
Altocumulus
In the HTTP profile you can also enable the injection of response header "X-FORWARDED-FOR" which the backend server can then log too.
- Kevin_Stewart
Employee
I take it you're looking for a logging function - sending the data to Splunk. The X-Forwarded-For option is for inserting an HTTP header in the request to the application server. You can certainly use the [IP::client_addr] command in mostly any of the client side events (i.e. CLIENT_ACCEPTED, HTTP_REQUEST, etc.), and you'll most likely also want to do this with High Speed Logging in lieu of standard "log local" functions:
https://devcentral.f5.com/wiki/iRules.HSL__send.ashx
If you can move up to (at least) 11.1, you can also just build a request logging profile and completely skip the iRules:
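The High Speed Logging approach mentioned in the reply above, as an added example that is not code posted in this thread: it sends the pre-NAT client address to Splunk per request, and logs the client-to-translated-address mapping so that backend log entries (which only show the LTM's source address) can be traced back to the originating IP. The pool name `splunk_syslog_pool`, the key=value field names and the `<134>` (local0.info) syslog priority are assumptions.

```tcl
# Added example, not from the thread.
# Assumption: splunk_syslog_pool is a hypothetical LTM pool whose members
# are Splunk syslog inputs listening on UDP.

when CLIENT_ACCEPTED {
    # One HSL handle per client connection, reused by the later events.
    set hsl [HSL::open -proto UDP -pool splunk_syslog_pool]

    # Client-side tuple: the real client address and the virtual server it hit.
    set client "[IP::client_addr]:[TCP::client_port]"
    set vip "[IP::local_addr]:[TCP::local_port]"
}

when HTTP_REQUEST {
    # Host and URI are client-controlled. Replace double quotes so a request
    # cannot break out of the quoted key="value" fields Splunk extracts.
    set host [string map [list \" '] [HTTP::host]]
    set uri [string map [list \" '] [HTTP::uri]]

    # <134> = syslog facility local0 (16) * 8 + severity info (6).
    HSL::send $hsl "<134>ltm_http event=request client=\"$client\" vip=\"$vip\" method=\"[HTTP::method]\" host=\"$host\" uri=\"$uri\"\n"
}

when SERVER_CONNECTED {
    # Server-side tuple: the LTM's translated source address and the pool member.
    # Backend logs show only $snat, so this event is the join key back to $client.
    set snat "[IP::local_addr]:[TCP::local_port]"
    set server "[IP::server_addr]:[TCP::server_port]"

    HSL::send $hsl "<134>ltm_http event=server_connected client=\"$client\" vip=\"$vip\" snat=\"$snat\" server=\"$server\"\n"
}
```

In Splunk, joining `event=server_connected` records to backend access logs on the `snat` address and port gives the original `client` for each backend connection.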