We configured all events to go to one index, "f5-default".
I tried using the F5 Splunk app as it is and am not convinced by the way it works/presents data. I find the app very resource intensive and not scalable when we have a large user base.
We are using the data models that came with the F5 App, but changed the App visibility to "No".
We are using 5-minute aggregation data from F5 to Splunk, and it defeats the idea of showing near real time. So I am using F5 interval data in combination with the SNMP traps F5 sends when there is a change in the status of a Pool/Pool Member.
I created a few saved searches which run every 1 minute, 10 minutes and daily based on requirement and create outputlookup(s). Using these outputlookup files, I created several dashboards to show the health of Pool/PoolMember/VIP and also correlate with several other events that we already have in Splunk.
Ex:
Events from Real User Monitoring Tool (Agentless).
PoolMember resource alarms (Ex: CPU, Memory, Disk, Network)
RHEV/CloudForms/Puppet events for the PoolMember (Ex: VM Migration, Hypervisor/Host memory pressure, etc.)
PoolMember Syslog Events for known exceptions
PoolMember Application Log Exceptions/events
If the server is in maintenance mode for some scheduled activity
JVM, Database events