Splunk® Supported Add-ons

Splunk Add-on for F5 BIG-IP

Source types for the Splunk Add-on for F5 BIG-IP

This add-on contains predefined source types that Splunk Enterprise uses to ingest incoming events and categorize these events for search.

The source types are based on the data sources that the add-on ingests. Many of the source types support data models in the Common Information Model and the ITSI Load Balancer module.

Data Sources Data collection Method sourcetype eventtype/source Datamodel compatibility
System log data Syslog f5:bigip:syslog f5_bigip_syslog_pam_auth None
f5_bigip_syslog_audit_process None
f5_bigip_syslog_login_failed None
f5_bigip_user_authenticated Authentication
f5_bigip_syslog_connection_error Network Traffic
APM Logs Syslog f5:bigip:apm:syslog f5_bigip_apm_access_policy_result None
f5_bigip_apm_session_throughout_stat None
f5_bigip_apm_session_created Network Sessions
f5_bigip_apm_session_deleted None
f5_bigip_apm_acl_applied_result Network Traffic
f5_bigip_apm_username_received None
f5_bigip_apm_user_agent_received None
f5_bigip_apm_http_response_status None
f5_bigip_apm_following_rule_from_item None
f5_bigip_apm_following_rule None
f5_bigip_apm_following_rule_ending None
f5_bigip_apm_client_info_received None
f5_bigip_apm_assigned_ppp Network Traffic
ASM Logs Syslog f5:bigip:asm:syslog f5_bigip_asm_syslog None
f5_bigip_asm_syslog_attack Intrusion Detection
High Speed Logging (HSL) using iRules Syslog f5:bigip:gtm:dns:request:irule f5_bigip_gtm_dns_request_irule Network Resolution (DNS)
f5:bigip:gtm:dns:response:irule f5_bigip_gtm_dns_response_irule Network Resolution (DNS)
f5:bigip:ltm:http:irule f5_bigip_ltm_http_irule Web
f5:bigip:ltm:lb:failed:irule None None
Telemetry Streaming Data Telemetry Streaming f5:telemetry:json source::f5:bigip:system None
source::f5:bigip:syslog None
eventtype=f5_bigip_avr_ts, source::f5:bigip:avr Network Traffic
eventtype=f5_bigip_ltm_http_irule_ts Web
eventtype=f5_bigip_afm_ts, source::f5:bigip:afm Network Traffic
eventtype=f5_bigip_asm_ts, source::f5:bigip:asm Intrusion Detection
source::f5:bigip:apm None
Logs from RADIUS Authentication Syslog f5:bigip:secure f5_bigip_user_authenticated Authentication
SSL handshake failure Syslog f5:bigip:ltm:ssl:error f5_bigip_ltm_ssl_handshake_failed Network Traffic
iRule error - The BIG-IP system generates a Tool Command Language (Tcl) error, indicating the missing or incorrect element. Syslog f5:bigip:ltm:tcl:error None None
BIG-IP system packet errors -Error messages that occur when the BIG-IP system receives a significant number of packets that do not match existing connections to BIG-IP virtual servers, self IP addresses, or secure network address translations (SNATs). Syslog f5:bigip:ltm:traffic None None
HTTP server returns excessive data - Error messages that occur when the HTTP server has responded with more data than expected. It either is returning more data than indicated by the Content-Length header, or more data after the ending chunk in Chunked Encoded transfers. Syslog f5:bigip:ltm:log:error None None
iControl API data Modular input f5:telemetry:json (default) None None
f5:bigip:ts:ltm:locallb:icontrol None None
f5:bigip:ts:ltm:locallb:pool:icontrol None None
f5:bigip:ts:system:systeminfo:icontrol None None
f5:bigip:ts:gtm:globallb:pool:icontrol None None
f5:bigip:ts:gtm:globallb:icontrol None None
f5:bigip:ts:management:usermanagement:icontrol None None
f5:bigip:ts:management:icontrol None None
f5:bigip:ts:management:device:icontrol None None
f5:bigip:ts:system:statistics:icontrol None None
f5:bigip:ts:system:disk:icontrol None None
f5:bigip:ts:networking:adminip:icontrol None None
f5:bigip:ts:networking:icontrol None None
f5:bigip:ts:networking:interfaces:icontrol None None

Supported Telemetry Modules

Source type Telemetry Event Category Source
F5:telemetry:json APM f5:bigip:apm
ASM f5:bigip:asm
AVR f5:bigip:avr
LTM f5:bigip:ltm
syslog f5:bigip:syslog
AFM f5:bigip:afm
systeminfo f5:bigip:system

ES and ITSI support for the Splunk Add-on for F5 BIG-IP

Logging Method Configuration Guideline Event Detail F5 Module ES and ITSI Support
Syslog Configure F5 for Syslog F5 BIG-IP System/Service events (APM logs are included in the service logs) collected using Syslog F5 System ES
HSL Configure iRules for LTM LTM network traffic events using iRule collected using HSL LTM ES, ITSI
Configure iRules for BIG-IP DNS (BIG-IP GTM) DNS traffic events using iRule (i.e DNS query and response events) collected using HSL GTM -
Configure F5 Logging Profiles for ASM ASM events using logging profile (e.x. SQL Injection requests, malicious requests, etc.) collected using HSL ASM ES
Telemetry Streaming Prepare F5 servers for telemetry streaming F5 BIG-IP APM logs collected using Telemetry Streaming APM -
LTM network traffic events using iRule collected using Telemetry Streaming LTM ES
F5 BIG-IP System statistics events collected using Telemetry Streaming F5 System -
ASM events using logging profile (e.x. SQL Injection requests, malicious requests, etc.) collected using Telemetry Streaming ASM ES
F5 BIP-IP System logs (Syslog) collected using Telemetry Streaming F5 System -
F5 BIG-IP performance and system statistics of the Virtual servers(VIPs) AVR ES
Last modified on 19 December, 2023
Lookups for the Splunk Add-on for F5 BIG-IP   Release notes for the Splunk Add-on for F5 BIG-IP

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters