Splunk® Supported Add-ons

Splunk Add-on for F5 BIG-IP

Download manual as PDF

Download topic as PDF

Source types for the Splunk Add-on for F5 BIG-IP

This add-on contains predefined source types that Splunk Enterprise uses to ingest incoming events and categorize these events for search.

The source types are based on the data sources that the add-on ingests. Many of the source types support data models in the Common Information Model and the ITSI Load Balancer module.

Data source Source type Collection method CIM and ITSI module compatibility
APM logs f5:bigip:apm:syslog UDP Authentication, Network Sessions,
Network Traffic, Web
High Speed Logging (HSL) using iRules User-defined inputs are dynamically assigned as
f5:bigip:irule if they contain the KV string f5_irule=Splunk-irule-<userdefinedparameter> in the statement HSL::send. Otherwise, the Splunk platform will source type the events as f5:bigip:syslog.
UDP None
f5:bigip:gtm:dns:request:irule None
f5:bigip:gtm:dns:response:irule None
f5:bigip:ltm:http:irule Network Traffic, Web, Load Balancer
f5:bigip:ltm:lb:failed:irule None
System log data f5:bigip:syslog UDP None
Add-on logs f5:bigip:addon:log N/A None
ASM logs f5:bigip:asm:syslog TCP Network Traffic, Web
iControl API data User-defined inputs are dynamically assigned as
Modular input None
f5:bigip:ltm:locallb:icontrol Load Balancer
f5:bigip:ltm:locallb:pool:icontrol Load Balancer, Inventory
f5:bigip:gtm:globallb:icontrol Load Balancer
f5:bigip:management:device:icontrol Load Balancer, Inventory
f5:bigip:management:usermanagement:icontrol Inventory
f5:bigip:management:icontrol None
f5:bigip:networking:adminip:icontrol Inventory
f5:bigip:networking:interfaces:icontrol Inventory
f5:bigip:system:disk:icontrol Performance, Inventory, Load Balancer
f5:bigip:system:statistics:icontrol Load Balancer, Inventory
f5:bigip:system:systeminfo:icontrol Performance, Load Balancer, Inventory
f5:bigip:networking:icontrol None
Splunk Add-on for F5 BIG-IP
Release notes for the Splunk Add-on for F5 BIG-IP

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Hi Morganfw . Thanks for your comment here. We are tracking this issue. If you have additional information that would help troubleshoot it (eg sample events), please forward them to us.

Ccornell splunk, Splunker
November 27, 2018

On 2.6.0 version sourcetype "f5:bigip:apm:syslog" don't match CIM Authentication dataset, it reports action "allowed" or "blocked" only in "Access policy result" log, instead of "success" or "failure" in Username log. That's will be a problem on mapping data with Splunk Enterprise Security. May you planned an updated version that resolve this issue?

November 10, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters