Splunk® Supported Add-ons

Splunk Add-on for F5 BIG-IP

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Source types for the Splunk Add-on for F5 BIG-IP

This add-on contains predefined source types that Splunk Enterprise uses to ingest incoming events and categorize these events for search.

The source types are based on the data sources that the add-on ingests. Many of the source types support data models in the Common Information Model and the ITSI Load Balancer module.

Data source Source type Collection method CIM and ITSI module compatibility
APM logs f5:bigip:apm:syslog UDP Network Traffic
Telemetry Streaming events of Syslog, ASM, APM, LTM, AVR, and system in JSON format. f5:telemetry:json Telemetry Streaming Network Traffic, Web, Authentication
High Speed Logging (HSL) using iRules User-defined inputs are dynamically assigned as
f5:bigip:irule if they contain the KV string f5_irule=Splunk-irule-<userdefinedparameter> in the statement HSL::send. Otherwise, the Splunk platform will source type the events as f5:bigip:syslog.
UDP None
f5:bigip:gtm:dns:request:irule None
f5:bigip:gtm:dns:response:irule None
f5:bigip:ltm:http:irule Web
f5:bigip:ltm:lb:failed:irule None
System log data f5:bigip:syslog UDP Authentication
Add-on logs f5:bigip:addon:log N/A None
ASM logs f5:bigip:asm:syslog TCP Network Traffic, Web
iControl API data User-defined inputs are dynamically assigned as
f5:bigip:icontrol
Modular input None
f5:bigip:ltm:locallb:icontrol Load Balancer
f5:bigip:ltm:locallb:pool:icontrol Load Balancer, Inventory
f5:bigip:gtm:globallb:icontrol Load Balancer
f5:bigip:management:device:icontrol Load Balancer, Inventory
f5:bigip:management:usermanagement:icontrol Inventory
f5:bigip:management:icontrol None
f5:bigip:networking:adminip:icontrol None
f5:bigip:networking:interfaces:icontrol Performance, Inventory
f5:bigip:system:disk:icontrol Performance, Inventory, Load Balancer
f5:bigip:system:statistics:icontrol Load Balancer, Inventory
f5:bigip:system:systeminfo:icontrol Performance, Inventory
f5:bigip:networking:icontrol Inventory
Logs from RADIUS Authentication. f5:bigip:secure UDP Authentication
SSL handshake failure. f5:bigip:ltm:ssl:error UDP None
iRule error -|The BIG-IP system generates a Tool Command Language (Tcl) error, indicating the missing or incorrect element. f5:bigip:ltm:tcl:error UDP None
BIG-IP system packet errors -Error messages that occur when the BIG-IP system receives a significant number of packets that do not match existing connections to BIG-IP virtual servers, self IP addresses, or secure network address translations (SNATs). f5:bigip:ltm:traffic UDP None
HTTP server returns excessive data - Error messages that occur when the HTTP server has responded with more data than expected. It either is returning more data than indicated by the Content-Length header, or more data after the ending chunk in Chunked Encoded transfers. f5:bigip:ltm:log:error UDP None

Supported Telemetry Modules

Source type Telemetry Event Category Source
F5:telemetry:json APM f5:bigip:apm
ASM f5:bigip:asm
AVR f5:bigip:avr
LTM f5:bigip:ltm
syslog f5:bigip:syslog
systeminfo f5:bigip:system

ES and ITSI support for the Splunk Add-on for F5 BIG-IP

Logging Method Configuration Guideline Event Detail F5 Module ES and ITSI Support
Syslog Configure F5 for Syslog F5 BIG-IP System/Service events (APM logs are included in the service logs) collected using Syslog F5 System ES
APM ES
HSL Configure iRules for LTM LTM network traffic events using iRule collected using HSL LTM ES, ITSI
Configure iRules for BIG-IP DNS (BIG-IP GTM) DNS traffic events using iRule (i.e DNS query and response events) collected using HSL GTM -
Configure F5 Logging Profiles for ASM ASM events using logging profile (e.x. SQL Injection requests, malicious requests, etc.) collected using HSL ASM ES
iControl Configure the Modular Inputs Network metrics F5 System ES
System metrics F5 System ES, ITSI
Management metrics F5 System ES, ITSI
Local load balance metrics LTM ES, ITSI
Global load balance metrics GTM ES, ITSI
Telemetry Streaming Prepare F5 servers for telemetry streaming F5 BIG-IP APM logs collected using Telemetry Streaming APM -
LTM network traffic events using iRule collected using Telemetry Streaming LTM ES
F5 BIG-IP System statistics events collected using Telemetry Streaming F5 System -
ASM events using logging profile (e.x. SQL Injection requests, malicious requests, etc.) collected using Telemetry Streaming ASM -
F5 BIP-IP System logs (Syslog) collected using Telemetry Streaming F5 System -
F5 BIG-IP performance and system statistics of the Virtual servers(VIPs) AVR ES
Last modified on 15 July, 2021
PREVIOUS
Lookups for the Splunk Add-on for F5 BIG-IP
  NEXT
Release notes for the Splunk Add-on for F5 BIG-IP

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters