Hello,
First of all thank you for taking out time to reply to my query.
My environment setup:
Splunk Managed Cloud service.
All logs from network devices coming to Syslog SSB and then getting forward to Server where we have UF installed. All devices logs comes to default Index and sourcetype ( index=IDX sourcetype= ST )
From UF we push data to cloud index and so on.
Now I am trying to get work with Add-on : F5 Bigip which is already installed on SH.
Do I need to install Add on on indexers as well ?
Also, when I click on add on configuration, and try to add server that option is disabled.
What is the best way to get this work ? I need to get logs for F5 into Splunk using add -on
can any suggest me how to get this done in right way keeping my environment setup in mind.
hey as per the documentation add-on is required on SH and it is optional on indexers.
Read the comments carefully.You need to install add-on on indexer only if the comments
in the below link satisfy your criteria.
http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Install#Where_to_install_this_add-on
let me know if this helps!
Thanks for your reply.
I verfied we have add-on installed on indexers as well. Now we see only servers are able to get correct source type but rest of the F5 machine are not parsing correct source type.
Any suggestion ?