- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: F5 ASM events are being merged, sourcetype is ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
F5 ASM events are being merged, sourcetype is f5:bigip:asm:syslog
I installed the Splunk Add-on for F5 BIG-IP and defined the incoming as sourcetype f5:bigip:asm:syslog. Several (not all) events are getting merged into one event. Is there anything I can change to modify the sourcetype so that each event is a single event and not merged? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you check props and transforms in Splunk Add-on for F5 BIG-IP..??
Can you post a sample event here..??
Make sure you have that TA installed on a heavy forwarder or indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I checked for those files (props and transforms) but did not find them here, would they be in some other spot?
/opt/splunk/etc/apps/Splunk_TA_f5-bigip/local # ls
app.conf indexes.conf
The Splunk Add-on for F5 BIG-IP is installed on both the forwarder and indexer.
Unfortunately, I cannot post events. I can try redacting or modifying them before I post...it'll take me a while. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@juanlazarosanchez:
check it in /opt/splunk/etc/apps/Splunk_TA_f5-bigip/default...
when you say forwarder, is it a heavy forwarder or a universal forwarder..??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Heavy forwarder
They were in the spot you used mentioned. I looked through them, but could not determine why the events were merging.
I tried something different, I changed to sourcetype to access_common and now all the events are separated as they should be. I don't mind using access_common going forward unless there is another pre-trained sourcetype that would be more appropriate.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@juanlazarosanchez : I wouldn't do that unless there is a specific reason, go through splunk docs for detailed configuration steps, there should be few other configs/extractions that are tied with default sourcetypes.
http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Sourcetypes
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
