F5 Analytics iApp
Problem this snippet solves:
Analytics iApp v3.7.0
You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.
The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.
Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.
While this version of the iApp is nearly identical to v3.6.13, which was available on this page, the major difference (other than being fully supported) is that the ability to gather APM statistics using the iApp has been removed from BIG-IP versions prior to 12.0.
Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.
Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)
Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine
Splunk App: https://apps.splunk.com/apps/id/f5
The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
Code:
https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=iApp_Templates&ver=iApps&container=iApp-Templates
- Stephen_Mathez1Nimbostratus
I am seeing the following message repeated in /var/log/ltm:
debug scriptd[32475]: 01420004:7: Stats Response for analytics 1486699800 1 fail
(sometimes it is "0 fail", sometimes "1 fail")
Also, /tmp is filling up with sesslist-* files and I am not seeing anything other than vanilla syslog on the Splunk side. Any suggestions for where to start troubleshooting?
Running 11.5.3 HF2 with APM and using
thanks
- Ken_Bocchino_49Historic F5 Account
@richard, in working in PM, looks like you needed to add the correct indexes when using the RBAC options. The Splunk server was rejecting some of the tenant mapped index names.
- richard_polyakAltocumulus
Yes I did try that with no luck.
Below is my mapping
ltm data-group internal vs_analytics-send_stats { app-service /Common/vs_analytics.app/vs_analytics records { application_mapping { data "{10000000000} {App Name~virtual_name~(.*)~Map~~} " } avr_commands {
or mapping export string: ezEwMDAwMDAwMDAwfSB7QXBwIE5hbWV+dmlydHVhbF9uYW1lfiguKil+TWFwfn59IAo=
And I tried removing the (.*) as well.
- Ken_Bocchino_49Historic F5 Account
Have you attempted to set search iRules = No under the Application Mapping Section?
What does your app mapping section look like, can you send me your mapping export string?
- richard_polyakAltocumulus
Keith, so I did some testing today, and luckily I have a lightly used LB pair to work with.
This LB has only 8 Virtual Servers with no special characters in the names or anything in the descriptions. Neither on the pools or nodes. Nodes are named via the IP. We are running 11.5.4 HF2.
If I disable push configuration map then I receive a 200.
This is the format for my Virtual Servers vs_fqdn_port, as an example vs_www.
I went through all my profiles and I do not see anything out of the norm.
Thx Rich
- Ken_Bocchino_49Historic F5 Account
Do you have any ' [ ] etc. in virtual descriptions? Also try turning off search inside iRules within the application mapping section.
- richard_polyakAltocumulus
Keith,
Great work on this iApp / Splunk app. I am testing this on about 10 pairs. On about half, in Splunk all the Virtual Servers are reporting up as a health of 0.00. What I am seeing in the F5 logs is the response below:
debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313060 1 400
debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313120 0 400
debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313120 1 400
What should I be looking for to resolve this and return a 200?
Thx Rich
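A triage helper for the "Stats Response" scriptd entries quoted in these comments, as an added example that is not part of the thread or of the iApp. It tallies results per iApp instance and reports when the current run of non-200 results began; the sample input is constructed from the quoted lines plus one invented 200 entry, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Shape of the scriptd entries quoted in this thread:
#   ... scriptd[PID]: 01420004:7: Stats Response for <app> <epoch> <n> <result>
# <n> is 0 or 1 in the thread; its meaning is not stated there, so it is kept as-is.
ENTRY_RE = re.compile(
    r"scriptd\[\d+\]: 01420004:7: Stats Response for "
    r"(?P<app>\S+) (?P<epoch>\d+) (?P<n>\d+) (?P<result>\w+)"
)

def parse_entries(text):
    """Return every Stats Response entry, including several run together on one line."""
    return [
        {"app": m["app"], "epoch": int(m["epoch"]), "n": int(m["n"]), "result": m["result"]}
        for m in ENTRY_RE.finditer(text)
    ]

def summarize(text):
    """Per iApp instance: result counts, last 200, and start of the current non-200 run."""
    summary = {}
    for e in sorted(parse_entries(text), key=lambda e: e["epoch"]):
        s = summary.setdefault(
            e["app"], {"results": Counter(), "last_200": None, "failing_since": None})
        s["results"][e["result"]] += 1
        if e["result"] == "200":
            s["last_200"], s["failing_since"] = e["epoch"], None
        elif s["failing_since"] is None:
            s["failing_since"] = e["epoch"]
    return summary

def utc(epoch):
    """Render the epoch field of an entry as a UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")

# Constructed sample: the entries quoted in the thread plus one invented 200 line.
SAMPLE = """\
debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313000 0 200
debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313060 1 400 debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313120 0 400
debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313120 1 400
debug scriptd[32475]: 01420004:7: Stats Response for analytics 1486699800 1 fail
"""

if __name__ == "__main__":
    for app, s in summarize(SAMPLE).items():
        since = utc(s["failing_since"]) if s["failing_since"] else "-"
        print(f"{app}: {dict(s['results'])} failing since {since}")
```

Run against a copy of /var/log/ltm, an instance whose failing_since is set and whose last_200 is empty has never delivered successfully, which separates a receiver that always rejects the payload from one that started rejecting after a change.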
- Ken_Bocchino_49Historic F5 Account
You have it configured correctly, will verify 12.1.1 APM session status in our lab.
- Neil_David_HarrNimbostratus
I do not have that source, is this a configuration problem? As mentioned above I used .
I configured the Push SessionDB stats (APM) to yes
- Ken_Bocchino_49Historic F5 Account
If you have APM sessions on the device you should be seeing that data now, index=* source=bigip.sessiondb