F5 Analytics iApp
Problem this snippet solves:
Analytics iApp v3.7.0
You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.
The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.
Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.
While this version of the iApp is nearly identical to v3.6.13, which was available on this page, the major difference (other than being fully supported) is that the ability to gather APM statistics using the iApp has been removed from BIG-IP versions prior to 12.0.
Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.
Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)
Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine
Splunk App: https://apps.splunk.com/apps/id/f5
The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
Code:
https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=iApp_Templates&ver=iApps&container=iApp-Templates
- richard_polyakAltocumulus
Keith, so I did some testing today, and luckily I have a lightly used LB pair to work with.
This LB has only 8 Virtual Servers with no special characters in the names or anything in the descriptions. Neither on the pools nor nodes. Nodes are named via the IP. We are running 11.5.4 HF2.
If I disable push configuration map then I receive a 200.
This is the format for my Virtual Servers vs_fqdn_port, as an example vs_www.
I went through all my profiles and I do not see anything out of the norm.
Thx Rich
- Ken_Bocchino_49Historic F5 Account
Have you attempted to set search iRules = No under the Application Mapping Section?
What does your app mapping section look like, can you send me your mapping export string?
- richard_polyakAltocumulus
Yes I did try that with no luck.
Below is my mapping
ltm data-group internal vs_analytics-send_stats { app-service /Common/vs_analytics.app/vs_analytics records { application_mapping { data "{10000000000} {App Name~virtual_name~(.*)~Map~~} " } avr_commands {
or mapping export string: ezEwMDAwMDAwMDAwfSB7QXBwIE5hbWV+dmlydHVhbF9uYW1lfiguKil+TWFwfn59IAo=
And I tried removing the (.*) as well.
- Ken_Bocchino_49Historic F5 Account
@richard, in working in PM, looks like you needed to add the correct indexes when using the RBAC options. The Splunk server was rejecting some of the tenant mapped index names.
- Stephen_Mathez1Nimbostratus
I am seeing the following message repeated in /var/log/ltm:
debug scriptd[32475]: 01420004:7: Stats Response for analytics 1486699800 1 fail
(sometimes it is "0 fail", sometimes "1 fail")
Also, /tmp is filling up with sesslist-* files and I am not seeing anything other than vanilla syslog on the Splunk side. Any suggestions for where to start troubleshooting?
Running 11.5.3 HF2 with APM and using
thanks
- VolvoT_308416Nimbostratus
Hi,
We're also seeing similar logs in /var/log/ltm. What could be the reason for failure?
Thanks
- Ken_Bocchino_49Historic F5 Account
There are several reasons you could be receiving the "fail" response. This message occurs when the stats send process is unable to get a clean response from the Splunk HEC endpoint. It could be as simple as a connectivity issue to the Splunk server; check to see if you can curl to the server: curl -k https://. Verify your protocol type, HTTP vs HTTPS. If that is good, ensure that the indexes you are using align, i.e. if you're using RBAC a missing index could be the cause. You can also get more details by viewing /shared/tmp/"iappname"-stats_output_0 to see the response from the Splunk server.
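Added example (not part of the original thread and not the iApp's own code): one way to triage the Splunk HEC reply described above, mapping its numeric reply code to the failure classes raised in this thread (rejected index, unreachable endpoint, protocol mismatch). It assumes the text passed in is the raw HEC JSON reply body; the function names and the sample bodies used to exercise it are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a Splunk HEC reply body.
# Assumption: the input is the raw reply text returned by the HEC endpoint.

# Print the numeric "code" field of an HEC JSON reply, or nothing if absent.
hec_code() {
    printf '%s\n' "$1" |
        sed -n 's/.*"code"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Map the reply to a failure class and a short explanation.
hec_diagnose() {
    hec_c=$(hec_code "$1")
    case "$hec_c" in
        0)         echo "ok: event accepted" ;;
        1|2|3|4)   echo "auth: HEC token missing, disabled or invalid" ;;
        7)         echo "index: token may not write to the requested index" ;;
        5|6|12|13) echo "payload: empty or malformed event data" ;;
        8|9)       echo "server: Splunk internal error or busy, retry later" ;;
        "")        echo "transport: no HEC JSON in reply (firewall, wrong port, HTTP vs HTTPS)" ;;
        *)         echo "other: unrecognised HEC code $hec_c" ;;
    esac
}

# Optional: diagnose a saved reply file given as the first argument.
if [ -n "${1:-}" ] && [ -r "${1:-}" ]; then
    hec_diagnose "$(cat "$1")"
fi
```

Saved as a script, it can be pointed at a saved reply file such as the stats_output file mentioned above, provided that file holds the reply body as assumed.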
- VolvoT_308416Nimbostratus
Thanks for the reply. It was a simple firewall issue. F5 was unable to make a connection with Splunk on port 8088. Issue resolved...
- whootangNimbostratus
Does anyone know if you can get this and the F5 App working on the free Splunk trial? I am trying to demo this to management before they sink the big coin for the cloud Splunk instance.
Cheers R
- Walter_KacynskiCirrostratus
Yes, I had it running on an Eval copy of Splunk.