Splunk® Supported Add-ons

Splunk Add-on for F5 BIG-IP

Configure UDP and TCP inputs for the Splunk Add-on for F5 BIG-IP

The Splunk Add-on for F5 BIG-IP collects APM logs and system events (package filter events, audit configuration events, local and global traffic events, and application traffic data) from F5 BIG-IP servers over the network on UDP port 9514. This data arrives from HSL via iRules and from system logs. The add-on also collects logs from ASM over the network on TCP port 9515.

Data arriving on these network inputs is assigned the source type f5:bigip:syslog. At index time, the add-on separates the data into more specific source types.

The ports used by the add-on must match the ports you specified when you configured F5 BIG-IP for logging. You must enable these inputs either by using Splunk Web on your heavy forwarder or by manually editing the inputs.conf file.

Manually enable UDP and TCP inputs

To manually enable the UDP and TCP inputs in inputs.conf:

  1. Create an inputs.conf file in the add-on local folder.
    • $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local on Unix-based systems.
    • %SPLUNK_HOME%\etc\apps\Splunk_TA_f5-bigip\local on Windows systems.
  2. Open the default inputs.conf file:
    • $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/default/inputs.conf on Unix-based systems
    • %SPLUNK_HOME%\etc\apps\Splunk_TA_f5-bigip\default\inputs.conf on Windows systems
  3. Copy the following two stanzas from the default inputs.conf into your local inputs.conf file:
    [udp://9514]
    disabled = true
    connection_host=ip
    sourcetype = f5:bigip:syslog
    
    [tcp://9515]
    disabled = true
    connection_host=ip
    sourcetype = f5:bigip:syslog
    
  4. Change the values for [udp://9514] and [tcp://9515] to custom port numbers if you used different ports on your F5 server.
  5. Enable the inputs by changing disabled = true to disabled = false.
  6. Restart the Splunk platform.
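
Steps 1 through 5 can also be scripted. The following is an added example, not part of the add-on or of Splunk's own tooling; the function name enable_f5_inputs and its arguments are assumptions made for illustration. It copies only the two network stanzas from the default file, applies custom ports if given, and refuses to overwrite an existing local inputs.conf.

```shell
#!/bin/sh
# Added example: steps 1-5 above as one function. Step 6 (restart) is left to you.
# Usage: enable_f5_inputs APP_DIR [UDP_PORT] [TCP_PORT]
#   APP_DIR is the add-on folder, e.g. "$SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip"
enable_f5_inputs() {
    app_dir=$1
    udp_port=${2:-9514}   # defaults are the ports this page uses
    tcp_port=${3:-9515}
    default_conf="$app_dir/default/inputs.conf"
    local_conf="$app_dir/local/inputs.conf"

    # Ports must be plain integers in the valid range.
    for p in "$udp_port" "$tcp_port"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "invalid port: $p" >&2; return 1; }
    done
    [ -f "$default_conf" ] || { echo "not found: $default_conf" >&2; return 1; }
    # Never clobber an existing local file; it may hold other overrides.
    [ ! -e "$local_conf" ] || { echo "exists, merge by hand: $local_conf" >&2; return 1; }
    mkdir -p "$app_dir/local" || return 1

    # Copy only the two network stanzas, rename the ports, flip disabled.
    awk -v udp="$udp_port" -v tcp="$tcp_port" '
        /^\[/ {
            keep = ($0 == "[udp://9514]" || $0 == "[tcp://9515]")
            if ($0 == "[udp://9514]") $0 = "[udp://" udp "]"
            else if ($0 == "[tcp://9515]") $0 = "[tcp://" tcp "]"
        }
        keep && /^[ \t]*disabled[ \t]*=/ { $0 = "disabled = false" }
        keep { print }
    ' "$default_conf" > "$local_conf" || return 1

    # Both stanzas must have been present in the default file.
    n=$(grep -c '^\[' "$local_conf" || true)
    if [ "$n" -ne 2 ]; then
        echo "expected 2 stanzas in $default_conf, copied $n" >&2
        rm -f "$local_conf"
        return 1
    fi
}
```

Review the generated local inputs.conf before restarting, and confirm the ports match what you configured on the F5 BIG-IP server.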

Enable UDP and TCP inputs using Splunk Web

To enable the UDP and TCP ports in Splunk Web:

  1. Log in to Splunk Web on your data collection node.
  2. Navigate to Settings > Data inputs.
  3. To collect data using TCP, click TCP, then click Enable next to TCP port 9515.
  4. To collect data using UDP, click UDP, then click Enable next to UDP port 9514. If you configured different port numbers on the F5 BIG-IP server, click New to add a custom port number.
  5. You do not need to restart the Splunk platform if you make these configuration changes in Splunk Web.

This documentation applies to the following versions of Splunk® Supported Add-ons: released

