F5 Analytics iApp
Problem this snippet solves:
Analytics iApp v3.7.0
You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.
The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.
Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.
While this version of the iApp is nearly identical to v3.6.13, which was available on this page, the major difference (other than being fully supported) is that the ability to gather APM statistics using the iApp has been removed from BIG-IP versions prior to 12.0.
Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.
Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)
Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine
Splunk App: https://apps.splunk.com/apps/id/f5
The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
- Ken_Bocchino_49 (Historic F5 Account)
Sorry for the late reply to some of these questions, from the bottom up:
Duplicate values causing conflict: This will not break anything but is related to the fact that all of your mapped applications have a tenant set to "" (blank), which is a static value in the dropdown labeled "Unknown". To correct this, ensure you're mapping to some tenant value; you can do this by setting the default tenant within the iApp deployment.
RBAC & 400 messages: When RBAC is used we are using the mapping of the tenant + the configured prefixes etc. within the RBAC section of the iApp to set the index when sending data to the Splunk HEC. Note, if the indexes are not defined within Splunk or the HEC Token is not allowed to write to those indexes, then Splunk will respond with 400 not authorized.
vCMP host requirements: Stats are sent via the management port by default. Event messages are transformed within TMM and sent via a self-IP. So without a Self-IP you will only get statistics of the vCMP host system.
Latest Cert: Will get back to you on this one.
Missing version info: Would suggest loading the supported 3.7.0 version and opening a bug if it persists.
File Error: Have seen this when there are connectivity issues / timeouts when communicating to the Splunk server.
- richard_polyak (Altocumulus)
I know this is released to supported iapps, but I have installed 3.7.0 and I overwrite as recommended, but I am now getting a fail message. I can switch back to 3.16.13 without issue and all will work fine. Any differences in Splunk app that I have to address going to 3.7.0?
- juan (Nimbostratus)
Hello. If I try to create an Application using that template I get this error: Error parsing template:MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message. We've got licensed as Nominal: DNS, AVR and LTM on virtual device running 12.1.1 version. Thank you!
Thanks for the iApp. I'm trying to install it and integrate F5 with Splunk but I get the following error message: Loading configuration... /tmp/upload_template.tmpl Syntax Error:(/tmp/upload_template.tmpl at line: 1) "PK" unexpected argument
Is there any restriction on the TMOS version (I'm running 12.1.0) or the versions (virtual, LTM only, GBB licenses)?
Thanks in advance
- M_Quevedo (Nimbostratus)
Hi Benoit, you must unzip an iApp template before you upload it (that is, you can only import an uncompressed file like f5.analytics.v3.7.0.tmpl, not a ZIP file).
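The `"PK" unexpected argument` error quoted above arises because a ZIP archive starts with the bytes `PK`, so the template parser was handed the archive rather than the template text. The following added example (not part of the original thread and not F5 tooling) checks a download before upload and returns its single `.tmpl` member; the sample archive, its template text and the size limit are constructed assumptions.

```python
import io
import zipfile
from typing import Tuple

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature at the start of a ZIP archive
MAX_TEMPLATE_BYTES = 16 * 1024 * 1024  # assumed sanity limit, not an F5 value

# Constructed placeholder text standing in for a real template body.
SAMPLE_TEMPLATE = b"cli admin-partitions {\n    update-partition Common\n}\n"


def classify_upload(data: bytes) -> str:
    """Return 'zip', 'binary' or 'text' for the bytes about to be uploaded."""
    if data.startswith(ZIP_MAGIC) and zipfile.is_zipfile(io.BytesIO(data)):
        return "zip"
    if b"\x00" in data[:4096]:
        return "binary"
    return "text"


def extract_template(data: bytes) -> Tuple[str, bytes]:
    """Return (file name, contents) of the single .tmpl member of a ZIP download."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        members = [m for m in archive.infolist()
                   if not m.is_dir() and m.filename.lower().endswith(".tmpl")]
        if len(members) != 1:
            raise ValueError("expected exactly one .tmpl member, found %d" % len(members))
        info = members[0]
        # Check the declared size before decompressing anything.
        if info.file_size > MAX_TEMPLATE_BYTES:
            raise ValueError("template member exceeds the sanity limit")
        body = archive.read(info)  # read in memory; nothing is written to disk
    if classify_upload(body) != "text":
        raise ValueError("extracted member is not a plain-text template")
    return info.filename.rsplit("/", 1)[-1], body


def constructed_zip() -> bytes:
    """Build a sample download in memory (constructed, for illustration only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("README.txt", "constructed sample")
        archive.writestr("f5.analytics.v3.7.0.tmpl", SAMPLE_TEMPLATE)
    return buf.getvalue()


if __name__ == "__main__":
    download = constructed_zip()
    print(classify_upload(download), download[:2])
    print(extract_template(download)[0])
```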
- M_Quevedo (Nimbostratus)
Hi Juan,
Your BIG-IP configuration probably has a very large number of some LTM objects such as pool members which the iApp is trying to display in a single huge list, therefore hitting f5 issue ID435592 which yields that "16908375, 01020057:3:" error.
F5 may be able to adjust the iApp to avoid hitting that problem. Please open a Support case with f5 and tell Support you are having trouble with the Analytics iApp v3.7.0. Support will request a qkview file and the information in it will help us analyze your difficulty.
- M_Quevedo (Nimbostratus)
Hi richard.polyak,
Please open a Support case with f5 and indicate that you are having trouble with the Analytics iApp v3.7.0.
Without knowing what sort of error message you're seeing and without any other context it is difficult to give you specific advice here.
Indeed, I found the way to import it in the meantime. I went too fast in posting; I had in mind that we have to do a bulk import.
Thanks for the reply!
- prakash321_3157 (Nimbostratus)
Have installed the f5-Networks analytics Splunk app recently.
The Device Dashboard always shows Sync Status / Sync Summary - Changes pending. We have 2 f5-bigip devices in a group we created; one should show changes-pending and the other should not, as expected...
This is our workflow: F5(iApp)------>Splunk HF(HEC)-------->Indexer--------->SH
Do we need to look at the iApp f5-configuration or any Splunk configs to make sure the data is in real time?
- DRJ (Altocumulus)
Has anyone had an issue with this causing scriptd to crash/core when trying to reconfigure or re-install on 12.1.2 HF1? This iApp was working for a few weeks, we've updated to HF1 and it has now failed on 4 out of 5 boxes, though to be fair it hadn't been reconfigured for a while so MIGHT not be related to HF1. Failure is much like this https://support.f5.com/csp/article/K14959