Unable to get anything other than SYSLOG events to come into Splunk from F5

evolutionxtinct
Explorer

Hello,

Currently running F5 13.1.0 and Splunk Enterprise 7.1.2. I'm utilizing the F5 Networks - Analytics (New) v1.0 App and F5's Analytics Template v3.7.1.

When I enable Local System Logging (syslog) I get a slew of syslog events from F5; all other events are not showing up. The only error I receive in /var/log/ltm is the following:

Jan  4 04:00:30 f5-n1 notice mcpd[5856]: 0107167d:5: Data publisher not found or not implemented when processing request (unknown request), tag (2901).
Jan  4 04:00:35 f5-n1 err scriptd[13853]: 014f0013:3: Script (/Common/Splunk-send_stats) generated this Tcl error: (script did not successfully complete: (01020036:3: The requested RADIUS Server (/Common/Splunk.app) was not found.     while executing "tmsh::get_config auth radius-server /Common/$appname.app/$radius_ihealth"     invoked from within "lindex [tmsh::get_config auth radius-server /Common/$appname.app/$radius_ihealth] 0"     invoked from within "set obj [lindex [tmsh::get_config auth radius-server /Common/$appname.app/$radius_ihealth] 0]" line:41))

I know this might be an F5 issue, but after going over the Deployment Guide, it's pretty self-explanatory... I do have syslog events going into my F5 index (f5-bigip), but the dashboard never shows any results, and my only events are syslog. I would like to be able to get Member Pools, ASM, GTM and LTM information into this tool if it's feasible.

Any help would be much appreciated, thanks!

0 Karma
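An added example (not part of the original thread, and not F5 or Splunk code): a small Python parser for /var/log/ltm lines in the format quoted in the post above. It pulls out the failing iApp script, the object it could not find and the tmsh call that failed, so a stalled stats script can be alerted on instead of being noticed only when dashboards stay empty. The sample is an abridged copy of the post's two lines; the line-layout regex and all function and field names are assumptions made for this example.

```python
import re

# Constructed sample: abridged copy of the two /var/log/ltm lines in the post.
SAMPLE_LTM = (
    "Jan  4 04:00:30 f5-n1 notice mcpd[5856]: 0107167d:5: Data publisher not "
    "found or not implemented when processing request (unknown request), "
    "tag (2901).\n"
    "Jan  4 04:00:35 f5-n1 err scriptd[13853]: 014f0013:3: Script "
    "(/Common/Splunk-send_stats) generated this Tcl error: (script did not "
    "successfully complete: (01020036:3: The requested RADIUS Server "
    "(/Common/Splunk.app) was not found.     while executing "
    '"tmsh::get_config auth radius-server /Common/$appname.app/$radius_ihealth"'
    "     invoked from within ... line:41))\n")

# Line layout inferred from those two lines (an assumption, not an F5 spec):
# "<Mon DD HH:MM:SS> <host> <severity> <proc>[<pid>]: <msgid>:<level>: <text>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>[\w.-]+)\[\d+\]: (?P<msgid>[0-9a-f]{8}):\d: (?P<text>.*)$")
SCRIPT = re.compile(r"Script \((?P<script>[^)]+)\) generated this Tcl error")
MISSING = re.compile(
    r"\((?P<msgid>[0-9a-f]{8}):\d: The requested (?P<kind>.+?) "
    r"\((?P<path>[^)]+)\) was not found")
FAILED_CMD = re.compile(r'while executing "(?P<cmd>[^"]+)"')


def script_failures(text):
    """Return one dict per scriptd Tcl failure found in ltm log text."""
    failures = []
    for line in text.splitlines():
        m = LINE.match(line)
        s = SCRIPT.search(m["text"]) if m and m["proc"] == "scriptd" else None
        if not s:
            continue  # not a scriptd "Tcl error" line (e.g. the mcpd notice)
        missing = MISSING.search(m["text"])
        cmd = FAILED_CMD.search(m["text"])
        failures.append({
            "time": m["ts"], "host": m["host"], "script": s["script"],
            "inner_msgid": missing["msgid"] if missing else None,
            "missing_kind": missing["kind"] if missing else None,
            "missing_path": missing["path"] if missing else None,
            "failed_cmd": cmd["cmd"] if cmd else None,
        })
    return failures


if __name__ == "__main__":
    for failure in script_failures(SAMPLE_LTM):
        print(failure)
```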

millinkan
New Member

@pzharyuk: Hey man, did you get this to work? How was it resolved? Kindly share!

0 Karma

evolutionxtinct
Explorer

@Nadhiyaa

If you run a TCPDUMP from the interface and you disable that syslog, do you also see no traffic generated?

0 Karma

pzharyuk
New Member

Thanks for posting this, I'm struggling with this as well. I initially set it up in our DEV Splunk, and even though the dashboards were not populating I was still getting useful logs like bigip.logs, which includes application info, VIPs, etc. A week ago or so, I deployed the F5 app on our PRD HF and SH, and now I only get syslog/SNMP data. I tried moving it back to DEV Splunk, but it looks like the iApp just stopped parsing and forwarding the data properly. I will try the RC5 like you mentioned and see if it helps. If you have any additional info/updates, please share.

0 Karma

Nadhiyaa
Path Finder

I am facing the same issue. We have created a rule using the F5 iApp, but only the syslog events are ingested.

0 Karma

evolutionxtinct
Explorer

One thing F5 also suggested is having the F5 Analytics profile applied to your Virtual Servers; that may also be another reason why it's now working. The iApp RC5 is still the fix, this is just an additional thing to do.

0 Karma

evolutionxtinct
Explorer

@Nadhiyaa

Wanted to give you an update. After working w/ ANM, they had an engineer that worked w/ F5 development. The issue is with the F5 Analytics iApp v3.7.1; you will need to use v3.7.2RC5. When you download the bundle from F5, under the analytics folder there should be a Release Candidate folder, and it has this .tmpl file in there.

When I put this in place, I got a SLEW of data, but I'm finding that the Splunk F5 app dashboard panels are using a search query of "UNDEFINED", so now I'm facing data not collecting in panels due to this.

Hope this helps you, good luck!

0 Karma