F5 Analytics iApp
Problem this snippet solves:
Analytics iApp v3.7.0
You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.
The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.
Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.
While this version of the iApp is nearly identical to the v3.6.13 which was available on this page, the major difference (other than being fully supported) is that ability to gather APM statistics using the iApp has been removed from BIG-IP versions prior to 12.0.
Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.
Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)
Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine
Splunk App: https://apps.splunk.com/apps/id/f5
The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
Code :
https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=iApp_Templates&ver=iApps&container=iApp-Templates
- Jessicachi_3022Nimbostratus
Hello Ken,
Thank you so much for creating such a wonderful iAPP and splunk app. I would like to find out how I can turn off syslog information from being sent to splunk since it is consuming a lot of splunk data and we already have a separate syslog server. I tried to turn off the syslog feature from the iApp but it's telling that i can not perform the action because the vs/irule is being used. I also tried to disable the splunk-hec-syslog virtual server but that just prevent the F5 from sending any data to splunk. Do you think it's better to blacklist syslog information on splunk side? my 2nd question is regarding the healthscore calculation. I found that the caculation uses values such as app_device_uptime_health=1/0 but i could not figure out how you arrived at those values. could you please explain the process? thank you in advance!
- jspiglerj2rsolvesNimbostratus
Great app! Alot of potential for being the best ADC visibility app out there on splunk.
One thing I'm having issues with and I think its how the search was constructed is the Application Drill down dashboard, SSL Certificates panel. I can only return the latest certificate object, ssl profile that has been reported to splunk. The search is as follows
| tstats latest(all.cert_name), latest(all.cert_expiration_date), latest(all.cert_expiration_date_human),latest(all.CN) from datamodel=bigip-objectmodel-cert by host,all.devicegroup,all.facility | rename latest(all.) AS * all. AS * | join host cert_name [| tstats latest(all.cert_name) from datamodel=bigip-objectmodel-profile where all.profile_type="client-ssl" by host, all.devicegroup, all.facility, all.profile_name | rename latest(all.) AS * all. AS ] | join host profile_name [| tstats values(all.app), latest(all.tenant) from datamodel=bigip-objectmodel-virtual-profiles by host, all.devicegroup, all.facility, all.profile_name | rename latest(all.) AS * values(all.) as * all. AS ] | makemv delim=" " app | mvexpand app
All of my cert objects, ssl profile objects and virtual profile objects are being reported correctly into splunk. It seems this search though only returns the latest (hence the latest command) ssl cert object and joins all post objects in the search. It then searches for the requested app. Unfortunately, if the app isn't associated with this ssl profile, you do not get any results. I think instead of latest, values should be used with the mvexpand command. I've replaced the search with this
| tstats values(all.cert_name), values(all.cert_expiration_date), values(all.cert_expiration_date_human),values(all.CN) from datamodel=bigip-objectmodel-cert by host,all.devicegroup,all.facility | rename values(all.) AS * all. AS * | mvexpand cert_name | join host cert_name [| tstats values(all.cert_name) from datamodel=bigip-objectmodel-profile where all.profile_type="client-ssl" by host, all.devicegroup, all.facility, all.profile_name | rename values(all.) AS * all. AS ] | mvexpand profile_name | join host profile_name [| tstats values(all.app), values(all.tenant) from datamodel=bigip-objectmodel-virtual-profiles by host, all.devicegroup, all.facility, all.profile_name | rename values(all.) AS * values(all.) as * all. AS ] | makemv delim=" " app | mvexpand app
The only thing I'm working on now is how to properly bring in the cn and expiration date. Anytime I expand those out, I get 100s of results. Any suggestions would be great!
- mkolozs_236219Nimbostratus
Great APP! I installed v3.6.13 and Splunk app 1.0.0. Unfortunately, I only see partial data for Device Status dashboard. Missing fields are version, build, serial, platform. Any suggestion how to fix this? Other data are there in index=f5-default source =bigip.tmsh.system_status sourcetype = f5:bigip:status:iapp:json
Appreciate in advance.
- Stephen_Mathez1Nimbostratus
So, I was having connectivity issues which have now been resolved, but I am seeing the following error every 5 minutes. The file names rotate between _0, _1 and _2. The thing is, the files are there and world readable. Any idea what could be causing this?
Script (/Common/splunk.analytics-send_stats) generated this Tcl error: (script did not successfully complete: (could not read "/shared/tmp/splunk.analytics-stats_1": no such file or directory while executing "file size "$filename$currentfile"" ("foreach" body line 24) invoked from within "foreach virtual $virtual_list { set virtual_name "/[tmsh::get_name $virtual]" assign tenant, application, and tier
- The-messengerCirrostratus
Great iapp!
I removed an older version and configured the latest version. In the ltm logs I now see State response fail messages followed by several /Common/ir-splunk_analytics-hec-forwarder-udp-snmptrap - can't read "msg": no such variable while executing "string trimright $msg ",""
- whootangNimbostratus
yeah thanks Shayza, which ones are you referring to? yeah my HFC is setup changed the token a few times to make sure and still no luck
- Shayza_312029Nimbostratus
Ryzilla, I followed Ken recommendations. make sure the your HEC setup it right. In my case I was needed changed the auth token.
As I mentioned in my last post, now I have another issue.
Regards,
- whootangNimbostratus
am i having the same problem above running on v13, i followed the video tut and the pdf, but i assume im missing some fundamental setting but cant find it.
showing stats response from splunk 142340** 0 400 showing stats response from splunk 142340** 1 400
- The-messengerCirrostratus
Thanks!
- Ken_Bocchino_49Historic F5 Account
yes this also captures VCMP data, you need to install the iapp on the host system and on the guest systems, you will see guest details within the device cluster drilldown,