F5 Analytics iApp
Problem this snippet solves:
Analytics iApp v3.7.0
You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.
The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.
Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.
While this version of the iApp is nearly identical to the v3.6.13 which was available on this page, the major difference (other than being fully supported) is that ability to gather APM statistics using the iApp has been removed from BIG-IP versions prior to 12.0.
Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.
Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)
Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine
Splunk App: https://apps.splunk.com/apps/id/f5
The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
Code :
https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=iApp_Templates&ver=iApps&container=iApp-Templates
Published May 13, 2016
Version 1.0
Shayza_312029Nimbostratus
Hello,
I installed on my i5600, all configuration looks OK. I didn't find any error and in tcpdump I can see that the relevant syslog packets are sending.
The main problem is that I cannot see any relevant information about the i5600 (nothing).
I tried to work with asterisks on the regex, I thought that I may see something, but still, everything is blank. I may concern that it because that I'm working with partitions and the iApp was installed on Common.
someone had the change to make F5/Splunk integration with different partitions ?
Thanks, S
Multiple partitions works without issue, the iApp is installed into common. Are you getting 200 OK status from the stats response? Are you seeing any device info in the device dashboard? can you do a index=* | stats count by host source sourcetype index?
- Shayza_312029
Hi, I'm getting the following event, Log Level:notice Service: scriptd[20602] Status Code: 01420004 Event: Stats Response for SPLUNK 1488265770 0 400
I cannot see any device info in the dashboard.
Regarding to index=* | stats count by host source sourcetype index, I executed it. Seems that there is nothing. I do have regular syslog data in a different service (514), when for the dashboard I'm working with 8808.
Sounds like an auth issue when sending the data to Splunk, make sure you have setup HEC correctly. Verify the auth token etc.
- The-messenger
Cirrostratus
Ken, have you considered this iapp for VCMP host reporting?
yes this also captures VCMP data, you need to install the iapp on the host system and on the guest systems, you will see guest details within the device cluster drilldown,
- The-messenger
Thanks!
whootangam i having the same problem above running on v13, i followed the video tut and the pdf, but i assume im missing some fundamental setting but cant find it.
showing stats response from splunk 142340** 0 400 showing stats response from splunk 142340** 1 400
- Shayza_312029
Ryzilla, I followed Ken recommendations. make sure the your HEC setup it right. In my case I was needed changed the auth token.
As I mentioned in my last post, now I have another issue.
Regards,
- whootang
yeah thanks Shayza, which ones are you referring to? yeah my HFC is setup changed the token a few times to make sure and still no luck
