Pool status in Splunk for F5 Networks
Hi all,
I made some tests on Splunk with the 11.5.0 TMOS version.
My tests were on AFM, LTM and also syslog events. LTM (with the iRule included) and AFM work fine, but for syslog events there's something wrong.
If you want to have your pool status statistics on your Splunk, you have to parse syslog events.
But those events have changed with the 11.5.0 version, so here is the newest regex you'll need:
/\]:\s(........:.):\sPool\s(\S+)\smember\s(\S+)\smonitor\sstatus\s(\S+)\.\s?\[?\s?(?:\S+)?\:?\s?(?:\S+)?\s?\]?\s+?\[\swas\s(\S+)\sfor\s(\S+)/
This regex goes to /opt/splunk/etc/apps/SplunkforF5Networks/default/transforms.conf under [f5-syslog-eventcode]
I still have something missing into my Splunk configuration because I don't have all my pool status.
If anybody has already played with it, could you tell me where I'm wrong?
Thanks.
- DenisG_22372 (Historic F5 Account)
I tried the following to see if it would grab it, but no luck yet...
In Splunk my syslog message was <133>1 2014-09-19T15:29:05-06:00 localhost.localdomain mcpd 6649 01070727:5: [F5@12276 hostname="localhost.localdomain" errdefs_msgno="01070727:5:"] Pool /Common/dvwa_pool member /Common/192.168.0.217:80 monitor status up. [ /Common/dvwa_monitor: up ] [ was down for 0hr:0min:10sec ]
My REGEX = /\serrdefs_msgno="(........:.)\S+\sPool\s(\S+)\smember\s(\S+)\smonitor\sstatus\s(\S+).\s?[?\s?(?:\S+)?:?\s?(?:\S+)?\s?]?\s+?[\swas\s(\S+)\sfor\s(\S+)/
In the RegEx tester it looks good, but no joy here. I will keep trying....
- S__Kalynuk_1952 (Nimbostratus)
For TMOS 11.5.1, I created a local/transforms.conf file with an updated REGEX that works:
[f5-syslog-eventcode]
REGEX = \]:\s(........:.):\sPool\s(\S+)\smember\s(\S+)\smonitor\sstatus\s\S+\.\s\[\s(\S+)\:\s(\S+)\s\]\s\s\[\swas\s(\S+)\sfor\s(\S+)
FORMAT = event_code::$1 ltm_pool::$2 ltm_member::$3 ltm_monitor::$4 ltm_monitor_status::$5 ltm_prevstatus::$6 ltm_prevstatus_time::$7
I added the ltm_monitor field although it isn't used by the app. The ltm_monitor_status is also extracted after the ltm_monitor field rather than after the "status" keyword.
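A way to check a candidate transforms.conf REGEX offline before deploying it, as an added example that is not part of any post in this thread: it applies the 11.5.1 pattern above to a log line and maps the capture groups onto the FORMAT field names, shows that the RFC 5424 line pasted earlier (where `"] Pool` follows the structured-data block with no `]:`) is not matched by that pattern, and shows that the earlier attempt with unescaped `[` and `]` does not even compile. The `mcpd[6649]: 01070727:5: Pool ...` sample line is constructed for the example by re-laying the posted message body out in the `/var/log/ltm` style the `\]:\s` anchor expects; its exact header and the two spaces before `[ was` (required by the posted `\s\s\[`) are assumptions. Note that the REGEX value in transforms.conf is a bare pattern, so the surrounding `/` delimiters in the earlier posts are dropped here.

```python
import re

# Pattern and field order exactly as posted for TMOS 11.5.1 (bare pattern,
# no "/" delimiters: that is how transforms.conf REGEX expects it).
POOL_STATUS_RE = re.compile(
    r"\]:\s(........:.):\sPool\s(\S+)\smember\s(\S+)\smonitor\sstatus\s\S+\.\s"
    r"\[\s(\S+)\:\s(\S+)\s\]\s\s\[\swas\s(\S+)\sfor\s(\S+)"
)

# Same order as the FORMAT line: event_code::$1 ... ltm_prevstatus_time::$7
FIELDS = (
    "event_code", "ltm_pool", "ltm_member", "ltm_monitor",
    "ltm_monitor_status", "ltm_prevstatus", "ltm_prevstatus_time",
)

# Constructed sample (assumed header layout): the thread's message body written
# the way the local ltm logger emits it, "mcpd[pid]: code: Pool ...". The two
# spaces before "[ was" are what the posted "\s\s\[" requires.
LTM_LOG_LINE = (
    "Sep 19 15:29:05 localhost.localdomain notice mcpd[6649]: 01070727:5: "
    "Pool /Common/dvwa_pool member /Common/192.168.0.217:80 monitor status up. "
    "[ /Common/dvwa_monitor: up ]  [ was down for 0hr:0min:10sec ]"
)

# The RFC 5424 form pasted in the thread: the structured-data block ends in
# '"] Pool', so there is no "]:" sequence for the pattern to anchor on.
RFC5424_LINE = (
    '<133>1 2014-09-19T15:29:05-06:00 localhost.localdomain mcpd 6649 01070727:5: '
    '[F5@12276 hostname="localhost.localdomain" errdefs_msgno="01070727:5:"] '
    'Pool /Common/dvwa_pool member /Common/192.168.0.217:80 monitor status up. '
    '[ /Common/dvwa_monitor: up ]  [ was down for 0hr:0min:10sec ]'
)

# The earlier attempt without its "/" delimiters. The "[" and "]" around the
# monitor block are unescaped, so the last "[" opens a character class that is
# never closed and the whole pattern is rejected by the regex engine.
UNESCAPED_ATTEMPT = (
    r'\serrdefs_msgno="(........:.)\S+\sPool\s(\S+)\smember\s(\S+)\smonitor'
    r'\sstatus\s(\S+).\s?[?\s?(?:\S+)?:?\s?(?:\S+)?\s?]?\s+?[\swas\s(\S+)\sfor\s(\S+)'
)


def extract_pool_status(event):
    """Return {field_name: value} as the FORMAT line would produce, or None
    when the event does not match (Splunk then adds no fields at all)."""
    m = POOL_STATUS_RE.search(event)
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


def regex_compiles(pattern):
    """True if a candidate REGEX compiles. A pattern that does not compile
    extracts nothing, however good it looks in a permissive online tester."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    print(extract_pool_status(LTM_LOG_LINE))
    print(extract_pool_status(RFC5424_LINE))
    print(regex_compiles(UNESCAPED_ATTEMPT))
```

Running the script against a few real lines from /var/log/ltm (or from the syslog feed as Splunk actually receives it) is the quickest way to see which of the two layouts the BIG-IP is sending, and therefore which anchor the pattern needs.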