F5 Analytics iApp

Problem this snippet solves:

Analytics iApp v3.7.0

You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.

The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.

Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.

While this version of the iApp is nearly identical to the v3.6.13 which was available on this page, the major difference (other than being fully supported) is that ability to gather APM statistics using the iApp has been removed from BIG-IP versions prior to 12.0.

Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.

Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)

Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine

Splunk App: https://apps.splunk.com/apps/id/f5

The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf

Code :

https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=iApp_Templates&ver=iApps&container=iApp-Templates
Published May 13, 2016
Version 1.0
analytics
application delivery
application visibility and reporting
f5 iapps
iApps
security
splunk
visibility
  • AlanMoen's avatar
    AlanMoen
    Icon for Cirrus rankCirrus
    Feb 19, 2019

    In version 3.7.1 and v3.7.2rc5 (which is the recommended version according to the Splunk app), if the iHealth password has special characters (haven't worked out which special characters yet) it fails with If I change the password field to "123456" (not my real password), it works - although iHealth won't work that way. Do I need to dumb-down my iHealth password or is there a fix for this?

     

    The special character that causes a problem is either a or a ^ (at least in my case). I guess I'll open a support case on that; this discussion doesn't seem to be an effective place to get answers.

     

  • mschlapfer_3768's avatar
    mschlapfer_3768
    Icon for Nimbostratus rankNimbostratus
    Nov 13, 2018

    Getting this error in App after doing a Splunk upgrade. Anyone have any idea how to troubleshoot/resolve?

     

    message from "python /opt/splunk/etc/apps/f5/bin/f5_kpi_summary_generator.py" F5 Health Summary Generator: Error in processing KPI for OrderedDict([('where1', 'InboundProxy_Comp_C_JC'), ('where2', 'vs_onalaska_Sonic02-p_12222'), ('index', 'f5-default'), ('count', '2501')]) (mismatched tag: line 35, column 2)

     

    thanks, Marcel

     

  • krekri's avatar
    krekri
    Icon for Nimbostratus rankNimbostratus
    Oct 25, 2018

    Getting this error when trying to deploy the app. All settings are default but the must haves. I tried it like 30 times with different settings.

     

    script did not successfully complete: ("script" unexpected argument while executing "tmsh::create [string range $args 7 end] " ("create" arm line 1) invoked from within "switch -exact -- [string range $args 0 5] { create { tmsh::create [string range $args 7 end] } modify { tmsh::modify [string r..." (procedure "iapp_conf" line 14) invoked from within "iapp_conf create sys icall script /Common/${::app}-send_stats1 { definition {$::icall_splunkstats} description none events none } " invoked from within "if {($::basic__stats eq "Yes") && ($::intro__localmode eq "No")} {

     

    tmsh::log "FINEME $::statistics__pushconfig"

    if {($::statistics__..." line:4402)

     

    Few thing that i tried: - reinstall - release candidate and newest stable version - different settings to no settings at all - restart sys service scriptd

     

  • ST_Wong's avatar
    ST_Wong
    Icon for Cirrus rankCirrus
    Aug 10, 2018

    Hi,

     

    We are trying Analytics template v3.7.1 on BIG-IP 12.1.3.5, with Splunk server v7.0. Can only get following source while most of them are missing:

     

    bigip.syslog bigip.adm bigip.snmptrap

     

    We tried same setup sequence on BIG-IP 11.x and Splunk server v6.5 successfully. Would anyone please help?

     

    Thanks a lot.

     

  • The-messenger's avatar
    The-messenger
    Icon for Cirrostratus rankCirrostratus
    Jun 07, 2018

    I still have the issue with many, many errors in the logs /Common/ir-splunk_analytics-hec-forwarder-udp-snmptrap - can't read "msg": no such variable while executing "string trimright $msg ",""

     

    and

     

    Stats Response for splunk_analytics 1508851786 0 fail Stats Response for splunk_analytics 1508851786 1 fail Stats Response for splunk_analytics 1508851786 2 fail

     

    I see others with the same issue but no resolution.

     

  • Juraj's avatar
    Juraj
    Icon for Cirrus rankCirrus
    Apr 24, 2018

    I would have the same request as loremipsum above - a non-iApp way/instructions would be greatly appreciated. I'm trying to stay away from iApps as much as possible for exactly the same reason.

     

    In my case now, the F5 Analytics iApp v3.7.0 deployment fails on almost a fresh F5VE with 

    can't read "::verson": no such variable
    , and I pretty much don't know what to do other than open a support ticket (which I've done). The same error message as someone else had a year ago vOv

     

  • Vladimir_Akhmarov's avatar
    Vladimir_Akhmarov
    Icon for Cirrus rankCirrus
    Apr 12, 2018

    I have a 4x 4200v with 150+ virtual servers. The overall traffic to Splunk appliance is 28 GB/day. This is too much.

     

  • DB's avatar
    DB
    Icon for Nimbostratus rankNimbostratus
    Mar 29, 2018

    For those who were receiving the "Stats Response for Splunk xxxxxxxx 0 fail" log messages, I just deployed this iApp today and had the same issue, ran a TCPDUMP to capture the traffic to/from my HEC destination and found the F5 was sending the requests out but getting nothing back, determined from the TCPDUMP that the source address indicated the data was going out the wrong interface, and had to add a route (old traditional LTM Network/Route) to point to my HEC instance out the right interface. That solved this problem for me.

     

    Got the data populating just fine to Splunk, but I do have a question on mapping pools to virtuals. We use an iRule to select a pool to use based on HTTP Host Header on incoming HTTP requests, so there's no pool hard coded on the Virtual Servers. The iAPP resulting data seems to map the pools just fine if they're hard coded on the Virtual Server. Might be a stupid "of course you can't" question, but is there any way to create a dependancy between the Virtual Server and the pools, if they're dynamically selected by an iRule, using an iRule statement such as "pool [HTTP::host]-pool"? Seems Application Componant might somehow play into this, but couldn't find any doc that describes how that mapping attribute is used.

     

  • loremipsum_3566's avatar
    loremipsum_3566
    Icon for Nimbostratus rankNimbostratus
    Mar 24, 2018

    Ken - Great App and even better documentation/information to go along with it. A large joint customers of ours (over 100+ F5 appliances) is very much interested in deploying this app. However, their F5 administration team wants a non-iApp way of creating the underlying framework/template (apologies if my understanding/terminology is off here) necessary to send to data to HEC/Splunk. Its due to some internal policies they have in place where they just can't use anything with iApps as that makes upgrades more difficult? Any pointers you can offer for the same are much appreciated! Thanks