richarc
May 18, 2023
Solved

Unique Identifier for iRules HTTP response

With the code for an iRule below, is there a way I can set a unique identifier for the data coming back? I ask because when the logs are ingested into Splunk we would like to know which header came with which request, but each response header is on a different line and shows up as a different request in Splunk. Thanks

    when HTTP_RESPONSE {
        set LogString "Client [IP::client_addr]:[TCP::client_port]"
        log local0. "============================================="
        log local0. "$LogString (response) - status: [HTTP::status]"
        foreach aHeader [HTTP::header names] {
            log local0. "$aHeader: [HTTP::header value $aHeader]"
        }
        log local0. "============================================="
    }


3 Replies

  • richarc You can set almost anything you want in an HTTP header value as long as it's for HTTP traffic or HTTPS traffic that's terminated at the F5. Do you expect multiple HTTP header fields of names or do you expect the F5 to interpret the names in that header field as a list?

    • richarc

      Hello Paulius,

      Thanks so much for your help. I expect multiple header field names. Below is an example of the output and what I would like to capture. There is a delimiter between each capture, but in Splunk it sees each line as a different response.

      Current output

      /Common/http_response_capture <HTTP_RESPONSE>: =============================================
      /Common/http_response_capture <HTTP_RESPONSE>: Client XX.XX.XX.XX:XXX (response) - status: 304
      /Common/http_response_capture <HTTP_RESPONSE>: Date: Fri, 19 May 2023 11:39:59 GMT
      /Common/http_response_capture <HTTP_RESPONSE>: Connection: Keep-Alive
      /Common/http_response_capture <HTTP_RESPONSE>: Keep-Alive: timeout=15
      /Common/http_response_capture <HTTP_RESPONSE>: ETag: "XXXXXXXXXXXX"
      /Common/http_response_capture <HTTP_RESPONSE>: Cache-Control: max-age=XXXXX, public
      /Common/http_response_capture <HTTP_RESPONSE>: =============================================

      Would Like

      /Common/http_response_capture <HTTP_RESPONSE>: UNIQ_ID =============================================
      /Common/http_response_capture <HTTP_RESPONSE>: Client XX.XX.XX.XX:XXX (response) - status: 304 UNIQ_ID
      /Common/http_response_capture <HTTP_RESPONSE>: Date: Fri, 19 May 2023 11:39:59 GMT UNIQ_ID
      /Common/http_response_capture <HTTP_RESPONSE>: Connection: Keep-Alive UNIQ_ID
      /Common/http_response_capture <HTTP_RESPONSE>: Keep-Alive: timeout=15 UNIQ_ID
      /Common/http_response_capture <HTTP_RESPONSE>: ETag: "XXXXXXXXXXXX" UNIQ_ID
      /Common/http_response_capture <HTTP_RESPONSE>: Cache-Control: max-age=XXXXX, public UNIQ_ID
      /Common/http_response_capture <HTTP_RESPONSE>: =============================================


      • Paulius

        richarc With the iRule logging each time you receive an HTTP response this will be a significant amount of log entries. You might be better off with one logging line and having the server insert a unique ID per client rather than the F5. If you are using UIE persistence you might be able to do the following and use Splunk to merge the request and response somehow.

        when HTTP_REQUEST priority 500 {
           # $myVar must already hold the UIE persistence key for this client
           set value [persist lookup uie [list $myVar any virtual]]
           log local0. "HTTP request client ID: ${value}"
        }

        when HTTP_RESPONSE priority 500 {
           # Same lookup on the response side, so both log lines carry the same ID
           set value [persist lookup uie [list $myVar any virtual]]
           log local0. "HTTP response client ID: ${value}"
        }
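
An added example, not code from any poster in this thread: one way to get the "Would Like" output above is to create an ID in HTTP_REQUEST and prefix every response log line with it. The variable name `req_id`, the ID format and the Set-Cookie redaction are assumptions made for this sketch.

```tcl
# Added example (not from the thread): prefix every logged response line
# with one ID per request so Splunk can group the lines back together.
when HTTP_REQUEST {
    # Constructed ID: TMM instance, clock ticks, random suffix. Good enough
    # for log correlation only; do not use it as a session or security token.
    # The variable lives on the connection and is reset by each new request.
    set req_id "[TMM::cmp_unit]-[clock clicks]-[expr {int(rand() * 1000000)}]"
}

when HTTP_RESPONSE {
    # Fallback in case a response is seen without a matching request event.
    if { ![info exists req_id] } { set req_id "unknown" }
    set prefix "req_id=$req_id client=[IP::client_addr]:[TCP::client_port]"

    log local0. "$prefix status=[HTTP::status]"
    # Lower-case and de-duplicate the names so a header sent several times
    # is visited once, then log each of its values on its own line.
    foreach aHeader [lsort -unique [string tolower [HTTP::header names]]] {
        foreach aValue [HTTP::header values $aHeader] {
            # Assumption: Set-Cookie values are session material and are
            # kept out of the log.
            if { [string equal $aHeader "set-cookie"] } {
                set aValue "<redacted>"
            }
            log local0. "$prefix $aHeader: $aValue"
        }
    }
}
```

With the ID at a fixed position in every line, the Splunk side can extract `req_id` as a field and group events on it instead of relying on the delimiter lines.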