Solved: Re: How to modify the inputs for the Splunk Add-On...

Makinde · ‎02-09-2016

I would like to use the Splunk Add-on for F5 BIG-IP, but I don't want the add-on to query my device for any logs.

I am currently sending the F5 logs to a folder on the Splunk forwarder through Syslog. I created a local folder in the add-on folder and create an inputs.conf file with the following information:

[monitor://C:\logs\F5]
disable = false
sourcetype = F5:bigip:syslog

However, I don't receive any logs. When I make these changes to other apps, I am able to get some changes. I got an error that logs were received for an unconfigured index. I checked my indexes and noticed the F5 Add-on didn't create any indexes automatically. I looked through the default folder, but couldn't find anywhere the Index was specified. I created a new index, but I still am not getting any logs.

Does anyone know what to do so I can use the Add-on, but use a different input method like the one described above?

Thanks,

jcoates_splunk · ‎02-19-2016

You need to create indexes because that's where your control over performance and security is set; it's bad practice for someone else's app to guess at your needs for those, IMHO.

View solution in original post

jcoates_splunk · ‎02-19-2016

You need to create indexes because that's where your control over performance and security is set; it's bad practice for someone else's app to guess at your needs for those, IMHO.

How to modify the inputs for the Splunk Add-On for F5 BIG-IP?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?