18-May-2023 16:55
With the code for an iRule below, is there a way I can set a unique identifier for the data coming back? I ask because when the logs are ingested into Splunk we would like to know which header came with which request, but each response header is on a different line and shows up as a different request in Splunk. Thanks
when HTTP_RESPONSE {
    set LogString "Client [IP::client_addr]:[TCP::client_port]"
    log local0. "============================================="
    log local0. "$LogString (response) - status: [HTTP::status]"
    # One log entry per response header
    foreach aHeader [HTTP::header names] {
        log local0. "$aHeader: [HTTP::header value $aHeader]"
    }
    log local0. "============================================="
}
19-May-2023 07:02
@richarc With the iRule logging each time you receive an HTTP response this will be a significant amount of log entries. You might be better off with one logging line and having the server insert a unique ID per client rather than the F5. If you are using UIE persistence you might be able to do the following and use Splunk to merge the request and response somehow.
# $myVar is a placeholder: it must already hold the UIE persistence key
when HTTP_REQUEST priority 500 {
    set value [persist lookup uie [list $myVar any virtual]]
    log local0. "HTTP request client ID: ${value}"
}
when HTTP_RESPONSE priority 500 {
    set value [persist lookup uie [list $myVar any virtual]]
    log local0. "HTTP response client ID: ${value}"
}
18-May-2023 19:50
@richarc You can set almost anything you want in an HTTP header value as long as it's for HTTP traffic or HTTPS traffic that's terminated at the F5. Do you expect multiple HTTP header fields of names or do you expect the F5 to interpret the names in that header field as a list?
19-May-2023 04:49
Hello Paulius,
Thanks so much for your help. I expect multiple header field names. Below is an example of the output and what I would like to capture. There is a delimiter between each capture, but in Splunk it sees each line as a different response.
Current output
/Common/http_response_capture <HTTP_RESPONSE>: =============================================
/Common/http_response_capture <HTTP_RESPONSE>: Client XX.XX.XX.XX:XXX (response) - status: 304
/Common/http_response_capture <HTTP_RESPONSE>: Date: Fri, 19 May 2023 11:39:59 GMT
/Common/http_response_capture <HTTP_RESPONSE>: Connection: Keep-Alive
/Common/http_response_capture <HTTP_RESPONSE>: Keep-Alive: timeout=15
/Common/http_response_capture <HTTP_RESPONSE>: ETag: "XXXXXXXXXXXX"
/Common/http_response_capture <HTTP_RESPONSE>: Cache-Control: max-age=XXXXX, public
/Common/http_response_capture <HTTP_RESPONSE>: =============================================
Would Like
/Common/http_response_capture <HTTP_RESPONSE>: UNIQ_ID =============================================
/Common/http_response_capture <HTTP_RESPONSE>: Client XX.XX.XX.XX:XXX (response) - status: 304 UNIQ_ID
/Common/http_response_capture <HTTP_RESPONSE>: Date: Fri, 19 May 2023 11:39:59 GMT UNIQ_ID
/Common/http_response_capture <HTTP_RESPONSE>: Connection: Keep-Alive UNIQ_ID
/Common/http_response_capture <HTTP_RESPONSE>: Keep-Alive: timeout=15 UNIQ_ID
/Common/http_response_capture <HTTP_RESPONSE>: ETag: "XXXXXXXXXXXX" UNIQ_ID
/Common/http_response_capture <HTTP_RESPONSE>: Cache-Control: max-age=XXXXX, public UNIQ_ID
/Common/http_response_capture <HTTP_RESPONSE>: =============================================
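One way to produce the tagged output asked for above, as an added example that is not code from any poster in this thread: it generates an ID once per response and prefixes every log line with it, so Splunk can group on a single field. The `uniq_id` variable, the `req_id=` field name, the ID scheme and the redaction of `Set-Cookie` values are assumptions of this example.

```tcl
when HTTP_RESPONSE {
    # Assumed ID scheme (not from the thread): TMM unit + clock reading +
    # random suffix, unique enough to group the log lines of one response.
    set uniq_id [format "%02d-%x-%04x" [TMM::cmp_unit] [clock clicks] [expr {int(rand() * 65536)}]]

    log local0. "req_id=$uniq_id Client [IP::client_addr]:[TCP::client_port] (response) - status: [HTTP::status]"

    # HTTP::header names may list a repeated header more than once, so
    # de-duplicate the names and then log every value of each header.
    foreach aHeader [lsort -unique [HTTP::header names]] {
        # Keep session cookies out of the log stream.
        if { [string equal -nocase $aHeader "Set-Cookie"] } {
            log local0. "req_id=$uniq_id $aHeader: (redacted)"
            continue
        }
        foreach aValue [HTTP::header values $aHeader] {
            log local0. "req_id=$uniq_id $aHeader: $aValue"
        }
    }
}
```

With the ID as a `key=value` prefix, the separator lines are no longer needed; grouping on `req_id` in Splunk reassembles one response.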