F5 Analytics iApp
Problem this snippet solves:
Analytics iApp v3.7.0
You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.
The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.
Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.
While this version of the iApp is nearly identical to v3.6.13, which was available on this page, the major difference (other than being fully supported) is that the ability to gather APM statistics using the iApp has been removed from BIG-IP versions prior to 12.0.
Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.
Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)
Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine
Splunk App: https://apps.splunk.com/apps/id/f5
The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
Code :
https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=iApp_Templates&ver=iApps&container=iApp-Templates
- M_QuevedoNimbostratus
Hi Benoit, you must unzip an iApp template before you upload it (that is, you can only import an uncompressed file like f5.analytics.v3.7.0.tmpl, not a ZIP file like iapps-1.0.0.444.0-1.zip).
hello,
thanks for the iApp. I'm trying to install it and integrate F5 with Splunk but I get the following error message: Loading configuration... /tmp/upload_template.tmpl Syntax Error:(/tmp/upload_template.tmpl at line: 1) "PK" unexpected argument
Is there any restriction on the TMOS version (I'm running 12.1.0) or the versions (virtual, LTM only, GBB licenses) ?
Thanks in advance
Benoit
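The check described in the reply above, as an added example that is not part of the original thread or F5's own code: it tells a ZIP package from an uncompressed template before upload and reads the `.tmpl` members in memory. The size cap, the `sys application template` heuristic and the sample archive layout are assumptions made for illustration.

```python
import io
import posixpath
import zipfile

ZIP_MAGIC = b"PK\x03\x04"            # ZIP local-file-header signature
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # assumed cap; refuse oversized members


def classify_upload(data: bytes) -> str:
    """Say what an upload candidate is before it reaches the import page."""
    if data.startswith(ZIP_MAGIC):
        return "zip"  # the importer would stop at line 1 on "PK"
    head = data[:65536].decode("utf-8", errors="replace")
    # Heuristic (assumption): a template declares a "sys application template" object.
    return "template" if "sys application template" in head else "unknown"


def templates_in_zip(data: bytes) -> dict:
    """Return {basename: bytes} for every .tmpl member, without writing to disk."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            name = posixpath.basename(info.filename)  # drop any directory part
            if info.is_dir() or not name.endswith(".tmpl"):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"{info.filename}: member too large")
            found[name] = archive.read(info)
    return found


def build_sample_zip() -> bytes:
    """Constructed sample archive standing in for the downloaded package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(
            "Analytics/f5.analytics.v3.7.0.tmpl",  # directory name is constructed
            "cli admin-partitions {\n    update-partition Common\n}\n"
            "sys application template /Common/example { }\n",
        )
        archive.writestr("README.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    package = build_sample_zip()
    print("package:", classify_upload(package))
    for name, body in templates_in_zip(package).items():
        print(name, "->", classify_upload(body))
```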
- juanNimbostratus
Hello. If I try to create an Application using that template I get this error: Error parsing template:MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message. We've got licensed as Nominal: DNS, AVR and LTM on virtual device running 12.1.1 version. Thank you!
- richard_polyakAltocumulus
Ken,
I know this is released to supported iapps, but I have installed 3.7.0 and I overwrite as recommended, but I am now getting a fail message. I can switch back to 3.16.13 without issue and all will work fine. Any differences in Splunk app that I have to address going to 3.7.0?
Thx
- Ken_Bocchino_49Historic F5 Account
Sorry for the late reply to some of these questions, from the bottom up:
Duplicate values causing conflict: This will not break anything but is related to the fact that all of your mapped applications have a tenant set to "" (blank) which is a static value in the dropdown labeled "Unknown". To correct this ensure you're mapping to some tenant value, you can do this by setting the default tenant within the iApp deployment.
RBAC & 400 messages: When RBAC is used we use the mapping of the tenant + the configured prefixes etc. within the RBAC section of the iApp to set the index when sending data to the Splunk HEC. Note, if the indexes are not defined within Splunk or the HEC Token is not allowed to write to those indexes then Splunk will respond with 400 not authorized.
vCMP host requirements: Stats are sent via the management port by default. Event messages are transformed within TMM and sent via a self-IP. So without a Self-IP you will only get statistics of the vCMP host system.
Latest Cert: Will get back to you on this one.
Missing version info: Would suggest loading the supported 3.7.0 version and opening a bug if it persists.
File Error: Have seen this when there are connectivity issues / timeouts when communicating to the Splunk server.
- mwsmith87Nimbostratus
I am having issues with missing data anytime I look through any of the various dashboards or search for data. It says that there are duplicate tenant values causing a conflict. Anyone have any idea what should be done to correct that?
- jspiglerj2rsolvesNimbostratus
Figured out my issue
message from "python /opt/splunk/etc/apps/f5/bin/f5_kpi_summary_generator.py" application F5_KPI_Result=ERROR: [spl2.domain.net] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.
Resource constraint from the CPU side of the house. datamodel summary searches were timing out because we didn't have enough cores allocated for the indexers.
Cheers!
- Shayza_312029Nimbostratus
Hi,
Anyone may notice a bug when enabling "Role Based Access Controls"? Every time that I'm enabling it the LTM is losing the connection to Splunk (status 400), after disabling it the LTM succeeded to establish the connection.
- jspiglerj2rsolvesNimbostratus
Has anyone else run into these errors?
message from "python /opt/splunk/etc/apps/f5/bin/f5_kpi_summary_generator.py" application F5_KPI_Result=ERROR: [spl2.domain.net] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.
It's affecting my KPI generation. Wanted to see if anyone else is having this issue.
- The-messengerCirrostratus
Ken, thanks again for this iApp, very good! If installing on a vCMP host, that host will need a Self-IP configured, correct?