Configure the modular inputs for the Splunk Add-on for F5 BIG-IP
The Splunk Add-on for F5 BIG-IP collects performance data (system settings, server performance, and traffic statistics data) for F5 BIG-IP servers from iControl APIs over the network using a modular input. You can configure this input using Splunk Web on your heavy forwarder. The Add-on uses Telemetry Streaming Custom Endpoints to perform the data collection. You must use Telemetry Streaming version 1.23 or higher to collect data using the add-on.
- Be sure to open port 443 to allow F5 BIG-IP to communicate with the modular input.
- From Splunk Web home, click Apps. The App manager page appears.
- In the row for Splunk Add-on for F5 BIG-IP, click Launch app. The add-on configuration UI appears.
You can now configure inputs using the Inputs tab. Configuring the inputs Of the add-on involves establishing connections to external servers and selecting templates that define the data you collect from the servers.
Configure servers
- Go to Configuration > Server to add F5 BIG-IP server configurations to the Splunk platform.
- Click Add to add a new server configuration.
- The server profile is saved in
$SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/f5_servers.conf
. - Enter a server Name to identify the server. Acceptable characters are a-z, A-Z, 0-9 or "_".
- (optional) Enter a Description for the server.
- Type a URL in the Host field. This is the IP address or hostname of the F5 BIG-IP server, and can include port information. The Splunk platform connects to the server using https.
- Enter the Username and Password for the F5 BIG-IP server and confirm the password in the Confirm Password field. The Splunk platform uses these credentials to collect data using the iControl API. Splunk encrypts the password and stores the account information in
$SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/passwords.conf
.
The username you provide must be created in the Common partition and must have permission to access all the partitions from which you are collecting data. You can use only one F5 BIG-IP user to collect data from a single F5 BIG-IP server. In other words, multiple user accounts cannot be used to collect data from any F5 BIG-IP server. In the future, when a user makes modifications using the Add-on, he needs to re-enter the password. - (optional) Enter a value for the Data Collection Interval. This is how often the Splunk platform polls the F5 server to collect data. If you do not enter a value, the server uses the Polling Interval configured in inputs. The value specified here overrides the Polling Interval specified in the input. However, the interval specified in a template overrides the interval set for the server. The order of precedence for the interval setting is template, server, then input.
- Click Add to create the server profile. If your information is authenticated successfully, the add-on saves the server profile. If you have entered incorrect credentials or an incorrect URL, an error message appears on the dialog box. If you see such a message, verify the information you have entered and try again.
- By default, the API calls will be made using SSL verification. If you want to disable SSL verification, you can set the parameter to enable_ssl = 0 in
$SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/splunk_ta_f5_settings.conf
Repeat this procedure to configure all servers from which you want to collect data.
Now that you have configured your servers when you create an input, the servers will be available for you to include as part of the input.
Manage templates
A template defines the data that you want to collect from F5 BIG-IP devices and the collection mechanism for the data. The Splunk Add-on for F5 BIG-IP includes several predefined templates that you can use to collect data. To view these, go to Configuration > Template. The Templates page appears listing all templates defined in the add-on.
Creating a new template is an advanced task and requires you to have knowledge of F5 iControl APIs. For more information about creating templates, see Create new templates for the Splunk Add-on for F5 BIG-IP in the Reference section of this manual.
Create inputs
Inputs are actions to get data. Inputs look at a server or set of servers and a data collection template and poll the F5 BIG-IP servers at regular intervals to get the data into the Splunk platform.
For optimal results, assign no more than two F5 BIG-IP servers to an input and assign only one input to monitor each server.
- Go to Inputs. The Manage F5 Inputs page appears listing all inputs defined in the add-on.
- Click Create New Input to create a new input.
- Provide an input Name. Acceptable characters are a-z, A-Z, 0-9 or "_".
- (optional) Enter a Description for the input.
- Click Servers to select one or more servers from which you want to collect data.
- Click Templates to select one or more templates that describe the data you want to collect.
- Provide Polling Interval (in seconds) to set the data collection for the input. The add-on, by default, collects data from F5 servers for each input every 300 seconds. The interval setting determines the granularity of the data returned. The more often you collect data, the more detail you see from your data. If you specified a data collection interval when you configured your servers, that interval setting overrides the interval setting at the input level.
- Enter a HEC Token name to collect the data for the configured templates. For more information, see Creating a HEC Token. The user needs to make sure that the HEC Token is created in the Splunk_TA_f5-bigip context. For that, the user will have to navigate to the Settings > Data Inputs from the Splunk_TA_f5-bigip add-on. Also, you must disable the SSL check from Global Settings for the HEC Token to perform the Data Collection.
- Enter the Splunk Host to collect the data for a particular Splunk Instance.
- Click Add to create the input. The Splunk add-on for F5 BIG-IP creates the input, adds it to the list of scheduled inputs, and enables it by default. To disable the input at any time, click Disabled in the row for that input.
Validate data collection
The Splunk add-on for F5 BIG-IP polls the F5 BIG-IP servers, at regular intervals, for the data you want to collect. To verify that the add-on is getting data into the Splunk platform, use the Search app to search based on source type.
If you do not see data coming into the Splunk platform from your F5 BIG-IP servers, see Troubleshoot the Splunk Add-on for F5 BIG-IP.
Note: The add-on also collects APM logs and system events from F5 BIG-IP servers from HSL via iRules and System logs over the network on UDP port 9514 and logs from ASM over the network on TCP port 9515. For more information about these inputs, see Configure UDP and TCP inputs for the Splunk Add-on for F5 BIG-IP.
Prepare F5 servers for Telemetry Streaming | Obtain syslog data for the Splunk Add-on for F5 BIG-IP |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!