How I did it - "Visualizing Data with F5 TS and Splunk"
Updated Dec 13, 2022
Version 2.0
Thank you for the article, it helped so much! Since I have activated AVR via tmsh, most things are working fine here. Only the ASM events are not available in your dashboard template, although the ASM log profile is in place and there are security events produced in our lab.
I have inspected the search and found source="f5:bigip:asm", but according to the transforms.conf of the Splunk Add-on, the source rewrite to this asm source will only match on REGEX = "telemetryEventCategory":"ASM". But ASM raw events have "telemetryEventCategory":"AVR", as you can see here.
Have you changed anything in your configuration or is there something I have missed?