Forum Discussion
Splunk using F5 Analytic iApp
I intentionally composed the question broadly in hopes it will spark interest from members in the DevCentral. However, it does not seem like there are that many members here porting the analytics from F5 to Splunk...at least not by the response I am seeing or the search results within the DevCentral community. Then again, it might just be me being a noob and not knowing the proper place to look for answers.
Anyway, I took the F5 Analytics lab @ Agility 2017, and found the F5 Dashboard in Splunk fascinating. It displays a whole bunch of information...provided you understand how to compose the REGEX statement within the Analytics iApp wizard. Once I got the proper REGEX defined, I started to see the stats populating the Dashboard in Splunk. However, many of the stats displayed are kind of cryptic, and there are no guides/glossary to explain about the stats. For example, when I go into application drilldown, it tells me the specific application health is at 30%, based on the data collected in the last 24 hours. So, is the dashboard telling me my application was down 70% of the time within the last 24 hours? How did it arrive at the 30% figure? What's the formula or stats it is deriving from to get to that %? When I change the time frame to the last 15 minutes, it still tells me the health is at 30%.
Then there's the TCP Error Health stats. There is a displayed in it, but what does it mean? Interface error, CRC errors, application RST errors or VLAN tagging discards? As an F5 administrator, when I look at the dashboard, and I see some concerning s, I need to know how to troubleshoot them. However, without the proper guide or explanation of what is seen on that Dashboard, the display becomes meaningless.
As I am doing a trial with Splunk, I did get some assistance with a Splunk Engineer. However, even he was perplexed with the animosity of the displayed information. We had to dig into the search index, find the source, drill into the selected fields, before we found the embedded complex formula which extracted the from the F5 KPI analytics. Even then, we still did not truly understand the assigned index value for the formula.
Within the F5 Dashboard in Splunk, there is not even a "Help" guide. When I click on "Help" in the dashboard, it is Splunk related. Do you know if there may be a user guide for the F5 Dashboard in Splunk? I truly like how the analytic data is ported into Splunk. I want to create reports/Dashboard for different groups within my organization. I would like to create top level reports/dashboard showing management the of request/activities hitting the company's website. I want to have a custom dashboard for the security group, so they can look at ASM log activities. I want a health check dashboard for my in-house developers, so they can look at server load and server response time. I want to build a dashboard for my group, so they can look at the total connections, sessions, bandwidth, node health and status of the VIPs. However, if I don't have the ability to translate the displayed s, I will not deploy these custom dashboards, as I would not be able to answer the same questions that I do not currently have answers to.
Thank you.