Vincent_96223
Aug 22, 2017

Splunk using F5 Analytic iApp

I posted a question on using the iApp Analytic to port data into Splunk about two weeks ago and it did not get any response. Looks like there is very little information on how to fully utilize the information ported in Splunk from F5. Just wondering if there are any experts out there who can help me understand the information presented on the F5 Dashboard in Splunk?

 

  • the question is rather broad, is there anything specific or do you want a full walk through? in principle splunk just shows what the F5 can also show, so if you understand the F5 you should be able to understand splunk.

     

    if you have specific questions i would put them here with, if needed, sanitized screenshots.

     

    if you want a full walk through then it might be wiser to contact a local F5 partner or F5 themselves and see if they can assist.

     

  • I intentionally composed the question broadly in hopes it will spark interest from members in the DevCentral. However, it does not seem like there are that many members here porting the analytics from F5 to Splunk...at least not by the response I am seeing or the search results within the DevCentral community. Then again, it might just be me being a noob and not knowing the proper place to look for answers.

     

    Anyway, I took the F5 Analytics lab @ Agility 2017, and found the F5 Dashboard in Splunk fascinating. It displays a whole bunch of information...provided you understand how to compose the REGEX statement within the Analytics iApp wizard. Once I got the proper REGEX defined, I started to see the stats populating the Dashboard in Splunk. However, many of the stats displayed are kind of cryptic, and there are no guides/glossary to explain about the stats. For example, when I go into application drilldown, it tells me the specific application health is at 30%, based on the data collected in the last 24 hours. So, is the dashboard telling me my application was down 70% of the time within the last 24 hours? How did it arrive at the 30% figure? What's the formula or stats it is deriving from to get to that %? When I change the time frame to the last 15 minutes, it still tells me the health is at 30%.

     

    Then there's the TCP Error Health stats. There is a # displayed in it, but what does it mean? Interface error, CRC errors, application RST errors or VLAN tagging discards? As an F5 administrator, when I look at the dashboard, and I see some concerning #s, I need to know how to troubleshoot them. However, without the proper guide or explanation of what is seen on that Dashboard, the display becomes meaningless.

     

    As I am doing a trial with Splunk, I did get some assistance with a Splunk Engineer. However, even he was perplexed with the animosity of the displayed information. We had to dig into the search index, find the source, drill into the selected fields, before we found the embedded complex formula which extracted the # from the F5 KPI analytics. Even then, we still did not truly understand the assigned index value for the formula.

     

    Within the F5 Dashboard in Splunk, there is not even a "Help" guide. When I click on "Help" in the dashboard, it is Splunk related. Do you know if there may be a user guide for the F5 Dashboard in Splunk? I truly like how the analytic data is ported into Splunk. I want to create reports/Dashboard for different groups within my organization. I would like to create top level reports/dashboard showing management the # of requests/activities hitting the company's website. I want to have a custom dashboard for the security group, so they can look at ASM log activities. I want a health check dashboard for my in-house developers, so they can look at server load and server response time. I want to build a dashboard for my group, so they can look at the total connections, sessions, bandwidth, node health and status of the VIPs. However, if I don't have the ability to translate the displayed #s, I will not deploy these custom dashboards, as I would not be able to answer the same questions that I do not currently have answers to.

     

    Thank you.

     

  • wow that is a very large reply, thank you for taking the time and explaining. it has been a while since i used splunk and the iapp so i wasn't aware of all this.

     

    i don't have a straight up answer but you visited a session on this at agility 2017, do you remember the people who presented? they usually put up their contacts, that feels like a possible step to get further.

     

  • Looking at the lab guide, I see the instructor's name, but no contacts. I may be able to find him on LinkedIn or F5 website directly. If F5 is promoting their API interface into Splunk, they need to do a better job on supporting the Dashboard. Right now, they are only showing how to port the analytics from F5 to Splunk, but no elaboration on using the visual data on the dashboard. I am hoping someone in DevCentral might have the ability to fill the void...