F5 Analytics iApp
Problem this snippet solves:
Analytics iApp v3.7.0
You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.
The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.
Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.
While this version of the iApp is nearly identical to v3.6.13, which was available on this page, the major difference (other than being fully supported) is that the ability to gather APM statistics using the iApp has been removed for BIG-IP versions prior to 12.0.
Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.
Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)
Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine
Splunk App: https://apps.splunk.com/apps/id/f5
The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
Code:
https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=iApp_Templates&ver=iApps&container=iApp-Templates
- Walter_KacynskiCirrostratus
Just my LAB editions produce 1GB of data per day with ZERO application traffic. If you don't use the AVR feature then it depends on the number of virtuals that you have deployed.
- AlanMoenCirrus
Does anyone have any sizing recommendations for using splunk with F5? I've got the free version of splunk and have overwhelmed it with just my non-prod LTMs (in an active/standby pair) - I've got four more pair and have no idea what I would be looking at as far as storage to request or size of splunk license I'd need. I've contacted splunk for a larger license for a POC but I don't know if the busier LTMs will send more data vs the less-busy LTMs (I presume so) or how much.
I'd like to know what others have experienced here. This looks like an awesome tool but I won't get a blank check for licenses & storage. I have five pair of LTMs (so far) and would like to have at least a month's worth of historical data for trending. At least that's what I think - what's your experience?
- Walter_KacynskiCirrostratus
This is fully supported and you can open a case against it.
- cd-zbcNimbostratus
Also please let me know if there is a better place to get support on this.
Thank you
- cd-zbcNimbostratus
Hi, running 13.1.0.1 and I am not seeing the data in splunk I'm expecting to. I get the following:
lb-dev17 notice scriptd[21080]: 01420004:5: Stats Response for Splunk 1518456600 0 fail
lb-dev17 notice scriptd[21080]: 01420004:5: Stats Response for Splunk 1518456600 1 fail
lb-dev17 notice scriptd[21080]: 01420004:5: Stats Response for Splunk 1518456600 2 fail
I have tried to follow this thread to troubleshoot.
Ran a curl command that responded with a web page
Output file in /shared/tmp reports {"text":"Success","code":0}
Not using rbac so using a default index and have verified that the API key is correct. Not sure what to do next; any help is appreciated.
- The-messengerCirrostratus
Running 12.1.1, and the analytics iapp. I continue to get a repeating ltm entry:
Stats Response for splunk_analytics 1508851786 0 fail
Stats Response for splunk_analytics 1508851786 1 fail
Stats Response for splunk_analytics 1508851786 2 fail
These 3 repeat with the numeric piece changing.
- Jeff_Shuron_246Nimbostratus
Ken, per your recommendation above I looked at the output from /shared/tmp/iapp_output_0, and see this: {"text":"Success","code":0}. I also did a curl from the f5 to the Splunk server and connected successfully. I'm still seeing fail messages in the ltm log, and none of the virtual servers or pools are showing in the Splunk dashboard.
This is an awesome app, and I look forward to having it function properly.
Thank you!
UPDATE: Challenge resolved. I had to change from Direct Mapping to just Map and everything is now showing up.
- chandrac_335830Nimbostratus
Ken,
Thank you very much for taking the time to build really cool visualizations and an iApp to send the data to Splunk. I went through all the Data Models you created and it is seriously a lot of work.
I do have a question. I understand the F5 iApp can be configured to send data at a 1/5/10/30 minute interval, which captures the state of the pool_member at that time. We configured it to send data every 5 minutes. Since the F5 health check frequency is every few seconds, we are not able to capture whether a pool_member changed its state one or more times within the same 5 minute interval.
Example: pool_member "ABC_LAB_Pool" availablility_state is showing 3 "offline" events in the last 24 hours; however, the SNMP traps that we received for the same pool_member suggest there were ~50 times the pool_member health changed from online to offline and offline to online within the same last 24 hours time window.
SNMP Traps that we are receiving on Pool Member state change:
Oct 6 15:36:35 fa-f5-lab.abc.com fa-f5-lab.abc.com notice mcpd[7502]: 01070727:5: Pool /Common/ABC_LAB_Pool member /Common/abc1:8443 monitor status up. [ /Common/ABC_LAB_Pool: up, /Common/tcp: up ] [ was down for 0hr:0min:2sec ]
Oct 6 15:36:35 fa-f5-lab.abc.com fa-f5-lab.abc.com notice mcpd[8191]: 01070727:5: Pool /Common/ABC_LAB_Pool member member /Common/abc2:8443 monitor status up. [ /Common/ABC_LAB_Pool member: up, /Common/ABC_LAB_Pool member: up, /Common/tcp: up ] [ was down for 0hr:0min:3sec ]
I would like to know how I can capture the number of offline/online events within a 5 minute interval using the F5 Analytics iApp?
Please let me know if you need additional details regarding this question.
Thank you very much for your help, really appreciated your support.
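The gap described in the comment above (a 5-minute poll records one state per interval, while mcpd logs every monitor transition) can be closed by counting transitions from the syslog stream itself. The following is an added example, not part of the iApp or of the original post; the sample lines, hostname, pool and member names are constructed, the year is a parameter because syslog timestamps omit it, and the `down` message is assumed to have the same shape as the `up` lines quoted above.

```python
import re
from collections import Counter
from datetime import datetime

# mcpd pool-member monitor messages, in the shape quoted in the comment above.
# "(?:member )+" tolerates the doubled "member member" seen in the second line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s.*?mcpd\[\d+\]:\s+\d{8}:\d:\s+"
    r"Pool (?P<pool>\S+) (?:member )+(?P<member>\S+) "
    r"monitor status (?P<state>up|down)\."
)

# Constructed sample lines (not taken from a real device).
_HDR = "bigip1.example.com notice mcpd[7502]:"
_MBR = "Pool /Common/example_pool member /Common/node1:8443 monitor status"
SAMPLE = [
    f"Oct 6 15:36:33 {_HDR} 01070638:5: {_MBR} down. [ /Common/tcp: down ]",
    f"Oct 6 15:36:35 {_HDR} 01070727:5: {_MBR} up. [ /Common/tcp: up ]",
    f"Oct 6 15:38:10 {_HDR} 01070638:5: {_MBR} down. [ /Common/tcp: down ]",
    f"Oct 6 15:38:12 {_HDR} 01070727:5: {_MBR} up. [ /Common/tcp: up ]",
    f"Oct 6 15:38:12 {_HDR} 01070727:5: {_MBR} up. [ /Common/tcp: up ]",  # repeat
    f"Oct 6 15:41:00 {_HDR} 01070638:5: {_MBR} down. [ /Common/tcp: down ]",
    "Oct 6 15:41:05 bigip1.example.com notice scriptd[21080]: unrelated message",
]

def parse(line, year):
    """Return (timestamp, pool, member, state) or None for other log lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["pool"], m["member"], m["state"]

def flaps_per_window(lines, year, window_min=5):
    """Count state transitions per (window start, pool, member)."""
    counts, last_state = Counter(), {}
    for line in lines:
        rec = parse(line, year)
        if rec is None:
            continue
        ts, pool, member, state = rec
        # A repeated message with the same state is not a new transition;
        # the first message seen for a member counts as one.
        if last_state.get((pool, member)) != state:
            start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0)
            counts[(start, pool, member)] += 1
        last_state[(pool, member)] = state
    return counts
```

On the constructed sample, the 15:35 window holds four transitions even though a poll at the end of that window would only see the member as up.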
- Aaron_NewberryNimbostratus
Ken, you have done a great job with the Analytics iApp and Splunk. I was wondering if you have done anything with Elastic Search & Kibana and an Analytics iApp?
- DanRin_326444Nimbostratus
Hi,
Our splunk license is only for 1GB of traffic a day. I've done some testing of an F5 guest on a Viprion running code version 11.6.1. We seem to be using about 400MB a day just from this one guest, which has almost no traffic traversing it.
When I had all the options for logging enabled I used about 550MB a day. Now I've cut this down to only System statistics being enabled in the iapp and I still use about 400MB a day.
The Viprion Guest currently has very minimal configuration (network config and a single LTM pool that is barely used).
Is this level of data output as expected? I would ideally like to use this iapp on our production Viprion guests however I fear this will push us well over our splunk licensing.
Regards, Dan