Splunk® Supported Add-ons

Splunk Add-on for F5 BIG-IP

Download manual as PDF

Download topic as PDF

Configure the modular inputs for the Splunk Add-on for F5 BIG-IP

The Splunk Add-on for F5 BIG-IP collects performance data (system settings, server performance, and traffic statistics data) for F5 BIG-IP servers from iControl APIs over the network using a modular input. You can configure this input using Splunk Web on your heavy forwarder.

  1. Be sure to open port 443 to allow F5 BIG-IP to communicate with the modular input.
  2. From Splunk Web home, click Apps. The App manager page appears.
  3. In the row for Splunk Add-on for F5 BIG-IP, click Launch app. The add-on configuration UI appears.

You can now configure inputs using the Configurations menu. Configuring the inputs of the add-on involves establishing connections to external servers, selecting templates that define the data you collect from the servers, and creating Tasks.

Configure servers

  1. Go to Configurations > Servers to add F5 BIG-IP server configurations to the Splunk platform. The Manage F5 BIG-IP Servers page appears.
  2. Click Add Server to add a new server configuration.
  3. Keep the default Destination App to associate the server with the Splunk Add-on for F5 BIG-IP. The server profile is saved in $SPLUNK_HOME/etc/apps/<Your_App>/local/f5_bigip_servers.conf.
  4. Enter a server Name to identify the server. Acceptable characters are a-z, A-Z, 0-9 or "_".
  5. (optional) Enter a Description for the server.
  6. Type a URL in the Host field. This is the IP address or hostname of the F5 BIG-IP server, and can include port information. The Splunk platform connects to the server using http.
  7. Type the names of the partitions from which to collect data, separated by comas, in the Partitions field. For example: Common,App_1,App_2. Partition names are case-sensitive. If this field is left blank, data will be collected from all partitions.
  8. Enter the Username and Password for the F5 BIG-IP server and confirm the password in the Confirm Password field. The Splunk platform uses these credentials to collect data using the iControl API. Splunk encrypts the password and stores the account information in $SPLUNK_HOME/etc/apps/<Your_App>/local/app.conf.

The username you provide needs to have been created in the Common partition and must have permission to access all the partitions from which you are collecting data. You can use only one F5 BIG-IP user to collect data from a single F5 BIG-IP server. In other words, multiple user accounts cannot be used to collect data from any one F5 BIG-IP server.

  1. (optional) Enter a value for the Data Collection Interval. This is how often the Splunk platform polls the F5 server to collect data. If you do not enter a value, the server uses the default value of 5 minutes. The value specified here overrides the Polling Interval specified in a task. However, the interval specified in a template overrides the interval set for the server. The order of precedence for the interval setting is template, server, then task.
  2. Click Create to create the server profile. If your information is authenticated successfully, the add-on saves the server profile. If you have entered incorrect credentials or an incorrect URL, an error message appears on the dialog box. If you see such message, verify the information you have entered and try again.

Repeat this procedure to configure all servers from which you want to collect data.

Now that you have configured your servers, when you create a task, the servers will be available for you to include as part of the task.

Manage templates

A template defines the data that you want to collect from F5 BIG-IP devices and the collection mechanism for the data. The Splunk Add-on for F5 BIG-IP includes several predefined templates that you can use to collect data. To view these, go to Configurations > Templates. The Manage Collection Templates page appears listing all templates defined in the add-on.

Creating a new template is an advanced task and requires you to have knowledge of F5 iControl APIs. For more information about creating templates, see Create new templates for the Splunk Add-on for F5 BIG-IP in the Reference section of this manual.

Create tasks

Tasks are actions to get data. Tasks look at a server or set of servers and a data collection template and poll the F5 BIG-IP servers at regular intervals to get the data into the Splunk platform.

For optimal results, assign no more than two F5 BIG-IP servers to a task and assign only one task to monitor each server.

  1. Go to Configurations > Tasks. The Manage F5 BIG-IP Tasks page appears listing all tasks defined in the add-on.
  2. Click Add Task to create a new task.
  3. Keep the default Destination App to associate the task with the Splunk Add-on for F5 BIG-IP.
  4. Provide a task Name. Acceptable characters are a-z, A-Z, 0-9 or "_".
  5. (optional) Enter a Description for the task.
  6. Click Servers to select one or more servers from which you want to collect data.
  7. Click Templates to select one or more templates that describe the data you want to collect.
  8. Click Settings to set the data collection Polling Interval (in seconds) for the task. The add-on, by default, collects data from F5 servers for each task every 300 seconds. The interval setting determines the granularity of the data returned. The more often you collect data, the more detail you see from your data. If you specified a data collection interval when you configured your servers, that interval setting overrides the interval setting at the task level.
  9. Accept the default Source Type and Index.
  10. Click Create to create the task. The Splunk add-on for F5 BIG-IP creates the task, adds it to the list of scheduled tasks, and enables it by default. To disable the task at any time, click Disable in the row for that task.

Validate data collection

The Splunk add-on for F5 BIG-IP polls the F5 BIG-IP servers, at regular intervals, for the data you want to collect. To verify that the add-on is getting data into the Splunk platform, use the Search app to search based on source type.

If you do not see data coming into the Splunk platform from your F5 BIG-IP servers, see Troubleshoot the Splunk Add-on for F5 BIG-IP.

Note: The add-on also collects APM logs and system events from F5 BIG-IP servers from HSL via iRules and System logs over the network on UDP port 9514 and logs from ASM over the network on TCP port 9515. For more information about these inputs, see Configure UDP and TCP inputs for the Splunk Add-on for F5 BIG-IP.

PREVIOUS
Prepare F5 servers to connect to the Splunk platform
  NEXT
Configure UDP and TCP inputs for the Splunk Add-on for F5 BIG-IP

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters