How I did it - "Visualizing Data with F5 TS and Splunk"

The new Splunk Add-on for F5 BIG-IP includes several objects, (modular inputs, CIM-knowledge, etc.) that work to “normalize” incoming BIG-IP data for use with other Splunk apps, such as Splunk Enterp...
Updated Dec 13, 2022
Version 2.0
application delivery
ASM Advanced WAF
BIG-IP
security
cornemrc's avatar
cornemrc
Icon for Altostratus rankAltostratus
Nov 16, 2021

Thank you for the article, it helped so much! Since I have activated AVR via tmsh most things are working fine here. Only the ASM events are not available in your dashboard template although the ASM log profile is in place and there are security events produced in our lab.

 

I have inspected the search and found source="f5:bigip:asm" but according to the transforms.conf of the Splunk Addon the source rewrite to this asm source will only match on REGEX = "telemetryEventCategory":"ASM". But ASM raw events have "telemetryEventCategory":"AVR" as you can see here.

 

Have you changed anything in your configuration or is there something I have missed?