Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 

Virtual Server Log Forward to Splunk


I want to setup log forwarding from F5 to splunk server for https traffic of one of virtual server.


Below needs to be capture from traffic and send to splunk server.


Domain Name

Source IP

Http Version

Target IP

http status

time taken



Community Manager
Community Manager

You can do that with HSL, all the pieces you need are in this article. Post back with some code fragments if you have any questions and we'll help you out!

Thanks, Jason 🙂


I just prepared the configuration as below. Please revert with your kind suggestion on this.




1) Adding Splunk server as pool member.


Navigate to Local Traffic > Pools


Click Create.




IP address :-

Port    :-514


Click Finished.


2) Log Destination


Navigate to System > Logs > Configuration > Log Destinations .


Click Create.


Name field :- Splunk_HSL_logging

Type:- Remote High-Speed Log


Pool Name :- Splunk_HSL_Pool


Protocol :- HSL


Click Finished.


3) Log Formatt


Navigate to System > Logs > Configuration > Log Destinations .


Click Create.


Name:- Splunk_Logs


Type:- Splunk.


Forward To :- Splunk_HSL_logging


Click Finished.


4) Publisher


Navigate to System > Logs > Configuration > Log Publishers .


Click Create.


Name :- Splunk_Publisher


Destinations :-Splunk_HSL_logging.


Click Finished.



Irule for virtual Server.



Goto->Local Traffic-Irule

Name:- Splunk_logging


Copy paste below code.



 set client_address [IP::client_addr]

 set vip [IP::local_addr]

 set hsl [HSL::open -proto TCP -pool Splunk_HSL_Pool]



 set http_host [HTTP::host]:[TCP::local_port]

 set http_uri [HTTP::uri]

 set http_method [HTTP::method]

 set http_version [HTTP::version]

 set virtual_server [LB::server]

 set http_user_agent [HTTP::header "User-Agent"]

 set http_content_type [HTTP::header "Content-Type"]

 set tcp_start_time [clock clicks -milliseconds]

 set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]

 if { [HTTP::header Content-Length] > 0 } then {

   set req_length [HTTP::header "Content-Length"]

 } else {

   set req_length 0




#  set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]

 set node [IP::server_addr]

 set node_port [TCP::server_port]

 set http_status [HTTP::status]

 set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]

 if { [HTTP::header Content-Length] > 0 } then {

   set res_length [HTTP::header "Content-Length"]

 } else {

   set res_length 0


set hsl [HSL::open -proto UDP -pool Splunk_HSL_Pool]

HSL::send $hsl "<514> HSL, CLIENT_IP=$client_address, VIP=$vip, VIP_NAME=\"$virtual_server\", SERVER_NODE=$node, SERVER_NODE_PORT=$node_port, HTTP_URL=$http_url, HTTP_VERSION=$http_version, HTTP_STATUS=$http_status, HTTP_METHOD=$http_method, HTTP_CONTENT_TYPE=$http_content_type, HTTP_USER_AGENT=\"$http_user_agent\", HTTP_REFERRER=\"$http_referrer\",REQUEST_START_TIME=$req_start_time,REQUEST_ELAPSED_TIME=$req_elapsed_time, BYTES_IN=$req_length, BYTES_OUT=$res_length\r\n"






Hi Jaspreet,

Amazing Instructions above, I followed it step by step thank you for the easy guide.


Can I ask did the above work for you? was you able to get logs regarding your virtual server? 

I.e connectivity etc ?

I am looking on Splunk and I can find any good data ?

You'll have to modify your hsl cmd to avoid outage, there's a known bug & I learned it by experience. Hope it helps.

Also why would you need a TCP, set it as UDP protocol.

set client_address [IP::client_addr]
set vip [IP::local_addr]
#Set the splunk hsl pool in a variable first
set splunk_pool Splunk_HSL_Pool
#Use that variable to call out in below command
#Bug -
set hsl [HSL::open -proto UDP -pool $splunk_pool]

And again i see you are creating an HSL open in HTTP RESPONSE which is not required. Just HSL send would be enough.