
Source types for the Splunk Add-on for F5 BIG-IP
This add-on contains predefined source types that Splunk Enterprise uses to ingest incoming events and categorize these events for search.
The source types are based on the data sources that the add-on ingests. Many of the source types support data models in the Common Information Model and the ITSI Load Balancer module.
Data source | Source type | Collection method | CIM and ITSI module compatibility |
---|---|---|---|
APM logs | f5:bigip:apm:syslog | UDP | Network Traffic |
Telemetry Streaming events of Syslog, ASM, APM, LTM, AVR, and system in JSON format. | f5:telemetry:json | Telemetry Streaming | Network Traffic, |
High Speed Logging (HSL) using iRules | User-defined inputs are dynamically assigned as f5:bigip:irule if they contain the KV string f5_irule=Splunk-irule-<userdefinedparameter> in the statement HSL::send. Otherwise, the Splunk platform will source type the events as f5:bigip:syslog. | UDP | None |
High Speed Logging (HSL) using iRules | f5:bigip:gtm:dns:request:irule | UDP | None |
High Speed Logging (HSL) using iRules | f5:bigip:gtm:dns:response:irule | UDP | Network Resolution (DNS) |
High Speed Logging (HSL) using iRules | f5:bigip:ltm:http:irule | UDP | Web |
High Speed Logging (HSL) using iRules | f5:bigip:ltm:lb:failed:irule | UDP | None |
System log data | f5:bigip:syslog | UDP | Authentication |
Add-on logs | f5:bigip:addon:log | N/A | None |
ASM logs | f5:bigip:asm:syslog | TCP | Intrusion Detection |
iControl API data | User-defined inputs are dynamically assigned as f5:telemetry:json | Modular input | None |
iControl API data | f5:bigip:ts:ltm:locallb:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:ltm:locallb:pool:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:gtm:globallb:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:gtm:globallb:pool:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:management:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:management:device:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:management:usermanagement:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:networking:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:networking:adminip:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:networking:interfaces:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:system:disk:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:system:statistics:icontrol | Modular input | None |
iControl API data | f5:bigip:ts:system:systeminfo:icontrol | Modular input | None |
Logs from RADIUS Authentication. | f5:bigip:secure | UDP | Authentication |
SSL handshake failure. | f5:bigip:ltm:ssl:error | UDP | None |
iRule error - The BIG-IP system generates a Tool Command Language (Tcl) error, indicating the missing or incorrect element. | f5:bigip:ltm:tcl:error | UDP | None |
BIG-IP system packet errors - Error messages that occur when the BIG-IP system receives a significant number of packets that do not match existing connections to BIG-IP virtual servers, self IP addresses, or secure network address translations (SNATs). | f5:bigip:ltm:traffic | UDP | None |
HTTP server returns excessive data - Error messages that occur when the HTTP server has responded with more data than expected. It either is returning more data than indicated by the Content-Length header, or more data after the ending chunk in Chunked Encoded transfers. | f5:bigip:ltm:log:error | UDP | None |
Supported Telemetry Modules
Source type | Telemetry Event Category | Source |
---|---|---|
f5:telemetry:json | APM | f5:bigip:apm |
f5:telemetry:json | ASM | f5:bigip:asm |
f5:telemetry:json | AVR | f5:bigip:avr |
f5:telemetry:json | LTM | f5:bigip:ltm |
f5:telemetry:json | syslog | f5:bigip:syslog |
f5:telemetry:json | AFM | f5:bigip:afm |
f5:telemetry:json | systeminfo | f5:bigip:system |
ES and ITSI support for the Splunk Add-on for F5 BIG-IP
Logging Method | Configuration Guideline | Event Detail | F5 Module | ES and ITSI Support |
---|---|---|---|---|
Syslog | Configure F5 for Syslog | F5 BIG-IP System/Service events (APM logs are included in the service logs) collected using Syslog | F5 System | ES |
Syslog | Configure F5 for Syslog | F5 BIG-IP System/Service events (APM logs are included in the service logs) collected using Syslog | APM | ES |
HSL | Configure iRules for LTM | LTM network traffic events using iRule collected using HSL | LTM | ES, ITSI |
HSL | Configure iRules for BIG-IP DNS (BIG-IP GTM) | DNS traffic events using iRule (i.e., DNS query and response events) collected using HSL | GTM | - |
HSL | Configure F5 Logging Profiles for ASM | ASM events using logging profile (e.g., SQL Injection requests, malicious requests, etc.) collected using HSL | ASM | ES |
Telemetry Streaming | Prepare F5 servers for telemetry streaming | F5 BIG-IP APM logs collected using Telemetry Streaming | APM | - |
Telemetry Streaming | Prepare F5 servers for telemetry streaming | LTM network traffic events using iRule collected using Telemetry Streaming | LTM | ES |
Telemetry Streaming | Prepare F5 servers for telemetry streaming | F5 BIG-IP System statistics events collected using Telemetry Streaming | F5 System | - |
Telemetry Streaming | Prepare F5 servers for telemetry streaming | ASM events using logging profile (e.g., SQL Injection requests, malicious requests, etc.) collected using Telemetry Streaming | ASM | ES |
Telemetry Streaming | Prepare F5 servers for telemetry streaming | F5 BIG-IP System logs (Syslog) collected using Telemetry Streaming | F5 System | - |
Telemetry Streaming | Prepare F5 servers for telemetry streaming | F5 BIG-IP performance and system statistics of the virtual servers (VIPs) | AVR | ES |
This documentation applies to the following versions of Splunk® Supported Add-ons: released