F5 Analytics iApp

Problem this snippet solves:

Analytics iApp v3.7.0

You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.

The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.

Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.

While this version of the iApp is nearly identical to the v3.6.13 which was available on this page, the major difference (other than being fully supported) is that ability to gather APM statistics using the iApp has been removed from BIG-IP versions prior to 12.0.

Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.

Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)

Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine

Splunk App: https://apps.splunk.com/apps/id/f5

The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf

Code :

https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=iApp_Templates&ver=iApps&container=iApp-Templates
Published May 13, 2016
Version 1.0
analytics
application delivery
application visibility and reporting
f5 iapps
iApps
security
splunk
visibility
  • ST_Wong's avatar
    ST_Wong
    Icon for Cirrus rankCirrus
    May 29, 2017

    Hello,

     

    We followed steps in the guide and deploying v3.7.0 with Splunk 6.5.3. There is no event sent to Splunk. Seems the SSL handshake can't complete due to unknown CA error. See following in Splunk about complaint from LTM with v3.7.0 deployed:

     

    error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

     

    As we're using default server certs on Splunk, can we add the cert to trust CA list on LTM and how? Thanks a lot.

     

    Regards

     

  • csiggy_246069's avatar
    csiggy_246069
    Icon for Nimbostratus rankNimbostratus
    May 26, 2017

    Hello,

     

    I followed the steps in both the guide and offered video--great btw; but Splunk will not show any data on the Application tab, nothing at all from LTM. AFM (Network Firewall) sections produce data and so do the Administration -> Device Health etc. User Access tab provides nothing as well.

     

    Please advise, if possible.

     

    Thank you.

     

  • Mrwillbaclimon's avatar
    Mrwillbaclimon
    Icon for Altocumulus rankAltocumulus
    May 21, 2017

    Does anyone have a link or can suggest a recommend Regex for Application Mapping? Essentially I would like to group VIPS together as a common application name.

     

    For Example

     

    1.VIP App1 VIP 1 and 2 are named Master App 2.VIP App1

     

    3.VIP App2 VIP 3 and 4 are named Minor App 4.Vip App2

     

  • M_Quevedo's avatar
    M_Quevedo
    Icon for Nimbostratus rankNimbostratus
    May 20, 2017

    DRJ-- Please open an case with F5 Support to report your issue. A qkview files before and after the scriptd crash will help us diagnose and correct the problem.

     

  • DRJ's avatar
    DRJ
    Icon for Altocumulus rankAltocumulus
    May 19, 2017

    Has anyone had an issue with this causing scriptd to crash/core when trying to reconfigure or re-install on 12.1.2 HF1? This iApp was working for a few weeks, we've updated to HF1 and it has now failed on 4 out of 5 boxes, though to be fair it hadn't been reconfigured for a while so MIGHT not be related to HF1. Failure is much like this https://support.f5.com/csp/article/K14959

     

  • prakash321_3157's avatar
    prakash321_3157
    Icon for Nimbostratus rankNimbostratus
    Apr 17, 2017

    Have installed f5-Networks analytics splunk app recently,

     

    The Device Dashboard always show- Sync Status/ Sync Summary - Changes pending We have 2-f5-bigip devices in a group we created, one should show changes-pending and other should not as expected...

     

    This is our workflow..... F5(iApp)------>Splunk HF(HEC)-------->Indexer--------->SH

     

    Do we need to look at the iAPP f5-configuration or any Splunk configs to make sure the data in real time....??

     

  • Benoit_C_'s avatar
    Benoit_C_
    Apr 13, 2017

    Hi,

     

    indeed I found the way to import it in the meantime, I went too fast in posting, I had in mind that we have to do a bulk import.

     

    thanks for the reply!

     

    Br,

     

    Benoit

     

  • M_Quevedo's avatar
    M_Quevedo
    Icon for Nimbostratus rankNimbostratus
    Apr 12, 2017

    Hi richard.polyak,

     

    Please open a Support case with f5 and indicate that you are having trouble with the Analytics iApp v3.7.0.

     

    Without knowing what sort of error message you're seeing and without any other context it is difficult to give you specific advice here.

     

  • M_Quevedo's avatar
    M_Quevedo
    Icon for Nimbostratus rankNimbostratus
    Apr 12, 2017

    Hi Juan,

     

    Your BIG-IP configuration probably has a very large number of some LTM objects such as pool members which the iApp is trying to display in a single huge list, therefore hitting f5 issue ID435592 which yields that "16908375, 01020057:3:" error.

     

    F5 may be able to adjust the iApp to avoid hitting that problem. Please open a Support case with f5 and tell Support you are having trouble with the Analytics iApp v3.7.0. Support will request a qkview file and the information in it will help us analyze your difficulty.