Forum Discussion

The-messenger_1
Aug 17, 2017

Session variables available to Splunk

We have been working to get BIG-IP data, usable, into Splunk. Working with our Splunk engineer, we've found that Splunk does not have all the data that I get with sessiondump --allkeys. Splunk is getting data from syslog and the analytics app via high-speed logging.

There will be lots of data that we'll want to explore with Splunk, but my initial work is for APM session data. It would be very good, for example, to give our help desk a dashboard for OWA, ActiveSync, SharePoint and other services that employees use.

Using APM session data to start with, is there data that cannot be pushed to Splunk? If so, why is that? If not, what do I need to do to get all session data into Splunk?

  • Perhaps already solved; if not, this might be useful.

    What is your APM logging profile currently? Check at Access Policy ›› Access Profiles : Access Profiles List: Logs (last tab).

    You can create a new logging profile with more logging turned on. If Splunk just receives the APM log data you should get more; I see, for example, in that log file:

    Aug 22 20:05:09 bigip-01 info apmd[19436]: 01490007:6: /Common/ap:Common:c3356c01: Session variable 'session.logon.last.username' set to 'test'

  • I wouldn't know exactly what isn't pushed, but if you need something specific you can write an iRule and have it send at some point towards Splunk.

    I sort of understand you want more data, but wanting all without a clear idea what to do then is perhaps not the best approach.
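
Added example, not part of any post in the thread: a Python sketch that turns apmd "Session variable ... set to ..." syslog lines, like the one quoted in the first reply, into one record per APM session, which is the shape a help-desk dashboard would query. The field layout (profile:partition:session) is inferred from that single quoted line, and the masking rule, the function names and every sample line except the first are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Layout inferred from the one apmd line quoted in the thread (assumption).
APMD_VAR = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s\w+\sapmd\[\d+\]:\s"
    r"(?P<msgid>[0-9a-f]{8}):\d+:\s"
    r"(?P<profile>[^:]+):(?P<partition>[^:]+):(?P<session>[0-9a-f]+):\s"
    r"Session variable '(?P<name>[^']+)' set to '(?P<value>.*)'\s*$"
)

# Assumed policy: never forward values of variables whose name looks secret.
SENSITIVE = ("password", "secret")

def parse_line(line):
    """Return a dict for one session-variable event, or None if no match."""
    m = APMD_VAR.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    if any(marker in event["name"].lower() for marker in SENSITIVE):
        event["value"] = "[REDACTED]"
    return event

def sessions_from_log(lines):
    """Group variables by session ID; later assignments overwrite earlier."""
    sessions = defaultdict(dict)
    for line in lines:
        event = parse_line(line)
        if event:
            sessions[event["session"]][event["name"]] = event["value"]
    return dict(sessions)

# First line is the one quoted in the thread; the rest are constructed.
SAMPLE = [
    "Aug 22 20:05:09 bigip-01 info apmd[19436]: 01490007:6: /Common/ap:Common:c3356c01: "
    "Session variable 'session.logon.last.username' set to 'test'",
    "Aug 22 20:05:09 bigip-01 info apmd[19436]: 01490007:6: /Common/ap:Common:c3356c01: "
    "Session variable 'session.logon.last.password' set to 'constructed-value'",
    "Aug 22 20:05:11 bigip-01 info apmd[19436]: 01490007:6: /Common/ap:Common:a1b2c3d4: "
    "Session variable 'session.logon.last.username' set to 'o'brien'",
    "Aug 22 20:05:12 bigip-01 notice tmm[11111]: constructed line that is not an apmd event",
]

if __name__ == "__main__":
    print(json.dumps(sessions_from_log(SAMPLE), indent=2))
```

Only variables that the active APM log profile actually writes to syslog will show up this way, so comparing the keys per session against sessiondump --allkeys output shows what still has to be sent explicitly.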