F5 Analytics iApp
Problem this snippet solves:
Analytics iApp v3.7.0
You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.
The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.
Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.
While this version of the iApp is nearly identical to v3.6.13, which was available on this page, the major difference (other than being fully supported) is that the ability to gather APM statistics using the iApp has been removed for BIG-IP versions prior to 12.0.
Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.
Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)
Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine
Splunk App: https://apps.splunk.com/apps/id/f5
The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
Code :
https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=iApp_Templates&ver=iApps&container=iApp-Templates
- The-messenger (Cirrostratus)
Ken, have you considered this iApp for vCMP host reporting?
- Ken_Bocchino_49 (Historic F5 Account)
Sounds like an auth issue when sending the data to Splunk. Make sure you have set up HEC correctly. Verify the auth token, etc.
- Shayza_312029 (Nimbostratus)
Hi, I'm getting the following event: Log Level:notice Service: scriptd[20602] Status Code: 01420004 Event: Stats Response for SPLUNK 1488265770 0 400
I cannot see any device info in the dashboard.
Regarding index=* | stats count by host source sourcetype index, I executed it. It seems that there is nothing. I do have regular syslog data in a different service (514), while for the dashboard I'm working with 8808.
- Ken_Bocchino_49 (Historic F5 Account)
Multiple partitions work without issue; the iApp is installed into Common. Are you getting 200 OK status from the stats response? Are you seeing any device info in the device dashboard? Can you do a index=* | stats count by host source sourcetype index?
- Shayza_312029 (Nimbostratus)
Hello,
I installed it on my i5600; all configuration looks OK. I didn't find any errors, and in tcpdump I can see that the relevant syslog packets are being sent.
The main problem is that I cannot see any relevant information about the i5600 (nothing).
I tried to work with asterisks in the regex; I thought that I might see something, but still, everything is blank. I am concerned that it is because I'm working with partitions and the iApp was installed on Common.
Has someone had the chance to make an F5/Splunk integration with different partitions?
Thanks, S
- Walter_Kacynski (Cirrostratus)
Yes, I had it running on an Eval copy of Splunk.
- whootang (Nimbostratus)
Does anyone know if you can get this and the F5 App working on the free Splunk trial? I am trying to demo this to management before they sink the big coin for the cloud Splunk instance.
Cheers R
- VolvoT_308416 (Nimbostratus)
Thanks for the reply. It was a simple firewall issue. F5 was unable to make a connection with Splunk on port 8088. Issue resolved.
- Ken_Bocchino_49 (Historic F5 Account)
There are several reasons you could be receiving the "fail" response. This message occurs when the stats send process is unable to get a clean response from the Splunk HEC endpoint. It could be as simple as a connectivity issue to the Splunk server; check to see if you can curl to the server: curl -k https://. Verify your protocol type, HTTP vs HTTPS. If that is good, ensure that the indexes you are using align, i.e. if you're using RBAC, a missing index could be the cause. You can also get more details by viewing /shared/tmp/"iappname"-stats_output_0 to see the response from the Splunk server.
- VolvoT_308416 (Nimbostratus)
Hi,
We're also seeing similar logs in /var/log/ltm. What could be the reason for the failure?
Thanks
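
Added example (not part of the original page, the iApp, or any participant's post): a small triage script for the "Stats Response" events discussed in the thread, which counts outcomes, finds the last successful send, and prints the check the replies suggest for the newest event. The field meanings, the function names and the literal "fail" token in the sample are assumptions drawn from the one log line and the replies quoted above.

```python
import re

# Event text as quoted in the thread: "Stats Response for SPLUNK 1488265770 0 400".
# Assumption from that one line: first number = epoch, last field = response status;
# the middle field is undocumented on the page and is carried through unparsed.
EVENT_RE = re.compile(r"Stats Response for (\S+) (\d+) (\S+) (\S+)\s*$")

# Next checks, taken from the replies in the thread.
ADVICE = {
    "ok": "send works; if dashboards stay empty, search index=* and count by sourcetype/index",
    "http_error": "HEC answered with an error: confirm HEC is set up and verify the auth token",
    "no_response": "no clean HEC response: check firewall/port, HTTP vs HTTPS, index alignment",
}

def classify(status):
    """Map the trailing status field to an ADVICE key."""
    if status == "200":
        return "ok"
    return "http_error" if status.isdigit() else "no_response"

def triage(lines):
    """Return (counts per class, newest event, epoch of last 200 or None)."""
    counts = dict.fromkeys(ADVICE, 0)
    newest, last_ok = None, None
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a stats-response event
        consumer, epoch, _middle, status = m.groups()
        kind, ts = classify(status), int(epoch)
        counts[kind] += 1
        if newest is None or ts >= newest["epoch"]:
            newest = {"consumer": consumer, "epoch": ts, "status": status, "kind": kind}
        if kind == "ok" and (last_ok is None or ts > last_ok):
            last_ok = ts
    return counts, newest, last_ok

PREFIX = "Log Level:notice Service: scriptd[20602] Status Code: 01420004 Event: "
SAMPLE = [
    PREFIX + "Stats Response for SPLUNK 1488265470 0 200",   # constructed
    PREFIX + "Stats Response for SPLUNK 1488265770 0 400",   # line quoted in the thread
    PREFIX + "Stats Response for SPLUNK 1488266070 0 fail",  # constructed; "fail" token assumed
    "unrelated log line",                                     # constructed
]

if __name__ == "__main__":
    counts, newest, last_ok = triage(SAMPLE)
    print(counts, "last 200 at epoch", last_ok)
    print(newest["status"], "->", ADVICE[newest["kind"]])
```

A growing gap between the newest event and the last 200 means the data consumer has stopped receiving BIG-IP telemetry, which is worth alerting on.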