F5 Analytics iApp
Problem this snippet solves:
Analytics iApp v3.7.0
You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.
The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.
Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.
While this version of the iApp is nearly identical to the v3.6.13 which was available on this page, the major difference (other than being fully supported) is that ability to gather APM statistics using the iApp has been removed from BIG-IP versions prior to 12.0.
Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.
Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)
Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine
Splunk App: https://apps.splunk.com/apps/id/f5
The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf
Code :
https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=iApp_Templates&ver=iApps&container=iApp-Templates
95 Comments
cd-zbcNimbostratus
Hi Running 13.1.0.1 and I am not seeing the data in splunk I'm expecting to. I get the following.
lb-dev17 notice scriptd[21080]: 01420004:5: Stats Response for Splunk 1518456600 0 fail
lb-dev17 notice scriptd[21080]: 01420004:5: Stats Response for Splunk 1518456600 1 fail
lb-dev17 notice scriptd[21080]: 01420004:5: Stats Response for Splunk 1518456600 2 fail
I have tried to follow this thread to troubleshoot.
Ran a curl command that responded with a web page
Output file in /shared/tmp reports {"text":"Success","code":0}
Not using rbac so using a default index and have verified the API key that is is correct. Not sure what do to next any help is appreciated.
- cd-zbc
Also please let me know if there is a better place to get support on this.
Thank you
- Walter_Kacynski
Cirrostratus
This is fully supported and you can open a case against it.
- AlanMoen
Cirrus
Does anyone have any sizing recommendations for using splunk with F5? I've got the free version of splunk and have overwhelmed it with just my non-prod LTMs (in an active/standby pair) - I've got four more pair and have no idea what I would be looking at as far as storage to request or size of splunk license I'd need. I've contacted splunk for a larger license for a POC but I don't know if the busier LTMs will send more data vs the less-busy LTMs (I presume so) or how much.
I'd like to know what others have experienced here. This looks like an awesome tool but I won't get a blank check for licenses & storage. I have five pair of LTMs (so far) and would like to have at least a month's worth of historical data for trending. At least that's what I think - what's your experience?
- Walter_Kacynski
Just my LAB editions produce 1GB of data per day with ZERO application traffic. If you don't use the AVR feature then it depends on the number of virtuals that you have deployed.
loremipsum_3566Ken - Great App and even better documentation/information to go along with it. A large joint customers of ours (over 100+ F5 appliances) is very much interested in deploying this app. However, their F5 administration team wants a non-iApp way of creating the underlying framework/template (apologies if my understanding/terminology is off here) necessary to send to data to HEC/Splunk. Its due to some internal policies they have in place where they just can't use anything with iApps as that makes upgrades more difficult? Any pointers you can offer for the same are much appreciated! Thanks
DBFor those who were receiving the "Stats Response for Splunk xxxxxxxx 0 fail" log messages, I just deployed this iApp today and had the same issue, ran a TCPDUMP to capture the traffic to/from my HEC destination and found the F5 was sending the requests out but getting nothing back, determined from the TCPDUMP that the source address indicated the data was going out the wrong interface, and had to add a route (old traditional LTM Network/Route) to point to my HEC instance out the right interface. That solved this problem for me.
Got the data populating just fine to Splunk, but I do have a question on mapping pools to virtuals. We use an iRule to select a pool to use based on HTTP Host Header on incoming HTTP requests, so there's no pool hard coded on the Virtual Servers. The iAPP resulting data seems to map the pools just fine if they're hard coded on the Virtual Server. Might be a stupid "of course you can't" question, but is there any way to create a dependancy between the Virtual Server and the pools, if they're dynamically selected by an iRule, using an iRule statement such as "pool [HTTP::host]-pool"? Seems Application Componant might somehow play into this, but couldn't find any doc that describes how that mapping attribute is used.
- Vladimir_Akhmarov
I have a 4x 4200v with 150+ virtual servers. The overall traffic to Splunk appliance is 28 GB/day. This is too much.
JurajI would have the same request as loremipsum above - a non-iApp way/instructions would be greatly appreciated. I'm trying to stay away from iApps as much as possible for exactly the same reason.
 
In my case now, the F5 Analytics iApp v3.7.0 deployment fails on almost a fresh F5VE with
, and I pretty much don't know what to do other than open a support ticket (which I've done). The same error message as someone else had a year ago vOvcan't read "::verson": no such variable 
clemtr_79935Any idea when 13.1 will be supported for analytics?
