F5 Analytics iApp
Problem this snippet solves:
Analytics iApp v3.7.0
You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.
The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.
Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.
While this version of the iApp is nearly identical to v3.6.13, which was previously available on this page, the major difference (other than being fully supported) is that the ability to gather APM statistics using the iApp has been removed for BIG-IP versions prior to 12.0.
Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.
Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)
Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine
Splunk App: https://apps.splunk.com/apps/id/f5
The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
Code :
https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=iApp_Templates&ver=iApps&container=iApp-Templates
- The-messengerCirrostratus
Great iapp!
I removed an older version and configured the latest version. In the ltm logs I now see State response fail messages followed by several /Common/ir-splunk_analytics-hec-forwarder-udp-snmptrap - can't read "msg": no such variable while executing "string trimright $msg ",""
- Stephen_Mathez1Nimbostratus
So, I was having connectivity issues which have now been resolved, but I am seeing the following error every 5 minutes. The file names rotate between _0, _1 and _2. The thing is, the files are there and world readable. Any idea what could be causing this?
Script (/Common/splunk.analytics-send_stats) generated this Tcl error: (script did not successfully complete: (could not read "/shared/tmp/splunk.analytics-stats_1": no such file or directory while executing "file size "$filename$currentfile"" ("foreach" body line 24) invoked from within "foreach virtual $virtual_list { set virtual_name "/[tmsh::get_name $virtual]" assign tenant, application, and tier
- mkolozs_236219Nimbostratus
Great APP! I installed v3.6.13 and Splunk app 1.0.0. Unfortunately, I only see partial data for Device Status dashboard. Missing fields are version, build, serial, platform. Any suggestion how to fix this? Other data are there in index=f5-default source =bigip.tmsh.system_status sourcetype = f5:bigip:status:iapp:json
Appreciate in advance.
- jspiglerj2rsolvesNimbostratus
Great app! A lot of potential for being the best ADC visibility app out there on Splunk.
One thing I'm having issues with, and I think it's how the search was constructed, is the Application Drill down dashboard, SSL Certificates panel. I can only return the latest certificate object, ssl profile that has been reported to Splunk. The search is as follows:
| tstats latest(all.cert_name), latest(all.cert_expiration_date), latest(all.cert_expiration_date_human),latest(all.CN) from datamodel=bigip-objectmodel-cert by host,all.devicegroup,all.facility | rename latest(all.*) AS * all.* AS * | join host cert_name [| tstats latest(all.cert_name) from datamodel=bigip-objectmodel-profile where all.profile_type="client-ssl" by host, all.devicegroup, all.facility, all.profile_name | rename latest(all.*) AS * all.* AS * ] | join host profile_name [| tstats values(all.app), latest(all.tenant) from datamodel=bigip-objectmodel-virtual-profiles by host, all.devicegroup, all.facility, all.profile_name | rename latest(all.*) AS * values(all.*) as * all.* AS * ] | makemv delim=" " app | mvexpand app
All of my cert objects, ssl profile objects and virtual profile objects are being reported correctly into Splunk. It seems this search, though, only returns the latest (hence the latest command) ssl cert object and joins all post objects in the search. It then searches for the requested app. Unfortunately, if the app isn't associated with this ssl profile, you do not get any results. I think instead of latest, values should be used with the mvexpand command. I've replaced the search with this:
| tstats values(all.cert_name), values(all.cert_expiration_date), values(all.cert_expiration_date_human),values(all.CN) from datamodel=bigip-objectmodel-cert by host,all.devicegroup,all.facility | rename values(all.*) AS * all.* AS * | mvexpand cert_name | join host cert_name [| tstats values(all.cert_name) from datamodel=bigip-objectmodel-profile where all.profile_type="client-ssl" by host, all.devicegroup, all.facility, all.profile_name | rename values(all.*) AS * all.* AS * ] | mvexpand profile_name | join host profile_name [| tstats values(all.app), values(all.tenant) from datamodel=bigip-objectmodel-virtual-profiles by host, all.devicegroup, all.facility, all.profile_name | rename values(all.*) AS * values(all.*) as * all.* AS * ] | makemv delim=" " app | mvexpand app
The only thing I'm working on now is how to properly bring in the cn and expiration date. Anytime I expand those out, I get 100s of results. Any suggestions would be great!
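A variant of the search discussed in the comment above, added here as an example (it is not the commenter's search or part of the F5 Splunk app): putting all.cert_name in the tstats "by" clause gives one row per certificate, so latest() keeps each certificate's own CN and expiration date and those fields never need mvexpand. It assumes the data models and field names quoted in the comment, and that each certificate and profile event carries a single cert_name.

```spl
| tstats latest(all.CN) AS CN,
         latest(all.cert_expiration_date) AS cert_expiration_date,
         latest(all.cert_expiration_date_human) AS cert_expiration_date_human
    from datamodel=bigip-objectmodel-cert
    by host, all.devicegroup, all.facility, all.cert_name
| rename all.* AS *
| join type=inner max=0 host cert_name
    [| tstats count
        from datamodel=bigip-objectmodel-profile
        where all.profile_type="client-ssl"
        by host, all.profile_name, all.cert_name
     | rename all.* AS *
     | fields host profile_name cert_name ]
| join type=inner max=0 host profile_name
    [| tstats count
        from datamodel=bigip-objectmodel-virtual-profiles
        by host, all.profile_name, all.app
     | rename all.* AS *
     | makemv delim=" " app
     | mvexpand app
     | fields host profile_name app ]
| table host devicegroup facility app profile_name cert_name CN cert_expiration_date_human cert_expiration_date
| sort cert_expiration_date
```

max=0 lets one certificate match every client-ssl profile that uses it, and one profile match every app, instead of the single match join returns by default. join subsearches are subject to Splunk's subsearch result limits, so on a large estate confirm the output is not truncated.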
- Jessicachi_3022Nimbostratus
Hello Ken,
Thank you so much for creating such a wonderful iApp and Splunk app. I would like to find out how I can turn off syslog information from being sent to Splunk, since it is consuming a lot of Splunk data and we already have a separate syslog server. I tried to turn off the syslog feature from the iApp, but it's telling me that I cannot perform the action because the vs/irule is being used. I also tried to disable the splunk-hec-syslog virtual server, but that just prevents the F5 from sending any data to Splunk. Do you think it's better to blacklist syslog information on the Splunk side? My 2nd question is regarding the healthscore calculation. I found that the calculation uses values such as app_device_uptime_health=1/0, but I could not figure out how you arrived at those values. Could you please explain the process? Thank you in advance!
- The-messengerCirrostratus
Ken, thanks again for this iapp, very good! If installing on a VCMP host, that host will need a Self-IP configured, correct?
- jspiglerj2rsolvesNimbostratus
Has anyone else run into these errors?
message from "python /opt/splunk/etc/apps/f5/bin/f5_kpi_summary_generator.py" application F5_KPI_Result=ERROR: [spl2.domain.net] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.
It's affecting my KPI generation. Wanted to see if anyone else is having this issue.
- Shayza_312029Nimbostratus
Hi,
Has anyone noticed a bug when enabling "Role Based Access Controls"? Every time I enable it, the LTM loses the connection to Splunk (status 400); after disabling it, the LTM succeeded in establishing the connection.
- jspiglerj2rsolvesNimbostratus
Figured out my issue
message from "python /opt/splunk/etc/apps/f5/bin/f5_kpi_summary_generator.py" application F5_KPI_Result=ERROR: [spl2.domain.net] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.
Resource constraint from the CPU side of the house. Datamodel summary searches were timing out because we didn't have enough cores allocated for the indexers.
Cheers!
- mwsmith87Nimbostratus
I am having issues with missing data anytime I look through any of the various dashboards or search for data. It says that there are duplicate tenant values causing a conflict. Anyone have any idea what should be done to correct that?