Overview
Splunk Add-on for F5 BIG-IP
Version | 6.4.0
---|---
Vendor Products | F5 BIG-IP 11.6.5 - 17.1.0, with licensed LTM, DNS (GTM), APM, AFM, and ASM modules.
Add-on has a Web UI | Yes. This add-on contains views.
The Splunk Add-on for F5 BIG-IP allows a Splunk software administrator to pull network traffic data, system logs, system settings, performance metrics, and traffic statistics from the F5 BIG-IP platform, using syslog, iRules, and the iControl API. This add-on provides modular inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security, the Splunk App for PCI Compliance, and Splunk IT Service Intelligence.
Download the Splunk Add-on for F5 BIG-IP from Splunkbase
For a summary of new features, fixed issues, and known issues, see Release notes for the Splunk Add-on for F5 BIG-IP
For information about installing and configuring the Splunk Add-on for F5 BIG-IP, see Installation overview for the Splunk Add-on for F5 BIG-IP
Discuss the Splunk Add-on for F5 BIG-IP on Splunk Answers
Hardware and software requirements for the Splunk Add-on for F5 BIG-IP
Prerequisites
You need to know the credentials for the F5 BIG-IP servers from which you want to collect data. The F5 BIG-IP user that is used to collect data with this add-on needs to be created in the Common partition and have permission to access all other partitions from which you want to collect data. Also, only one F5 BIG-IP user can be used to collect data from a single F5 BIG-IP server. In other words, multiple user accounts cannot be used to collect data from any one F5 BIG-IP server.
Splunk platform requirements
Because this add-on runs on the Splunk platform, all of the system requirements apply for the Splunk software that you use to run this add-on.
- For Splunk Enterprise system requirements, see System Requirements in the Splunk Enterprise Installation Manual.
- If you are managing on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
Best configurations for optimal data collection
If you are collecting iControl API data via Telemetry Streaming, these are the best configurations for optimal data collection performance.
- A single Splunk platform instance (HF/IDX/UF) monitors no more than three F5 BIG-IP servers concurrently.
- Use one input to assign all the templates for which you want to perform the data collection for a given server.
- An input monitors no more than one F5 BIG-IP server at a time.
- Assign no more than one input to an F5 BIG-IP server.
Installation overview for the Splunk Add-on for F5 BIG-IP
Install the Splunk Add-on for F5 BIG-IP:
- Install the add-on
- Prepare your F5 BIG-IP servers so that the Splunk platform can collect data from them.
- Prepare F5 servers for telemetry streaming
- Configure the modular inputs for the add-on so that it can collect the iControl data you want from the F5 BIG-IP servers, at the level of granularity you specify.
- Obtain syslog data for the Splunk Add-on for F5 BIG-IP if you want to collect event data, APM logs, or ASM logs from your F5 servers.
Installation and Configuration
Install the Splunk Add-on for F5 BIG-IP
- Get the Splunk Add-on for F5 BIG-IP by downloading it from Splunkbase or browsing to it using the app browser within Splunk Web.
- Determine where and how to install this add-on in your deployment using the following tables on this page.
- Perform any prerequisite steps before installing, if required and specified in the following tables.
- Complete your installation.
If you need step-by-step instructions on how to install an add-on in your specific deployment environment, see the installation walkthroughs section for links to installation instructions specific to a single-instance deployment, distributed deployment, Splunk Cloud, or Splunk Light.
Prepare F5 servers to connect to the Splunk platform
Use the BIG-IP system browser-based Configuration Utility or the command line tools that are provided to set up your environment. For specific instructions on how to configure the F5 BIG-IP servers, see F5 BIG-IP Systems documentation on the F5 Support Website, https://support.f5.com/kb/en-us/products.html.
Configure F5 for Telemetry Streaming
Telemetry Streaming is the best way to send all module logs in JSON format to the HEC endpoint, except for DNS, which is not supported. Telemetry Streaming is compatible with BIG-IP versions 13.0 and later. For more information, see Prepare F5 servers for telemetry streaming.
Configure F5 for syslog with SC4S
The best method for getting syslog data into the Splunk platform for production deployments is Splunk Connect For Syslog. This solution provides improved simplicity and scalability, among other benefits. For more information, see Splunk Connect for Syslog.
Configure F5 for HSL
Configure iRules on the F5 servers to enable them to send traffic data as HSL through the F5 device to the Splunk platform. Configuring iRules does not impact system settings or traffic controls on your F5 server. The iRules collect and send metadata to the Splunk platform.
Using the Configuration utility, create a Pool for HSL and add it to the Local Traffic Pool List in the F5 BIG-IP system using service port 9514, the IP address of your Splunk server, a Node Name (splunk-node), and a pool name (Pool-syslog).
Configure Logging Levels for APM logs
After you have configured the remote logging server, configure the log levels for your Access Policy log in the Configuration Utility. Change the logging verbosity for your APM logs to suit your needs. The default log level for APM is Notice, but this does not log session variables, which may be useful for troubleshooting.
Configure iRules for LTM
Configure iRules on the F5 server for the local traffic management system so that you can send local traffic data through the F5 device to the Splunk platform. iRules enable you to search on any type of data that you define.
Use the Configuration utility to create an iRule, Splunk_HTTP, to add to the iRules list of the local traffic manager (LTM). In version 11.6.5 and above, perform this configuration under Local Traffic > iRules > iRule List.
Copy the iRule data provided in the iRule_http example in the table below into the definition section for the new iRule. Configure a virtual server to reference the iRule. This is the local virtual server in the BIG-IP system from which you want to send traffic events to the Splunk platform. Add the iRule to the list of resources to be managed for this virtual server.
iRule_http example
iRule - irule_http
Description - This rule collects and sends HTTP(S) traffic data and LB_FAILED event data to the Splunk platform. A load balancing failure triggers the LB_FAILED event.
Example -
```tcl
when CLIENT_ACCEPTED {
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
}
when HTTP_REQUEST {
    set http_host [HTTP::host]:[TCP::local_port]
    set http_uri [HTTP::uri]
    set http_url $http_host$http_uri
    set http_method [HTTP::method]
    set http_version [HTTP::version]
    set http_user_agent [HTTP::header "User-Agent"]
    set http_content_type [HTTP::header "Content-Type"]
    set http_referrer [HTTP::header "Referer"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set cookie [HTTP::cookie names]
    set user [HTTP::username]
    set virtual_server [LB::server]
    # Check that the header exists first: comparing an absent header (empty string) with > is a Tcl error
    if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
    } else {
        set req_length 0
    }
}
when HTTP_RESPONSE {
    set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]
    set node_port [TCP::server_port]
    set http_status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] > 0 } then {
        set res_length [HTTP::header "Content-Length"]
    } else {
        set res_length 0
    }
    # One UDP syslog line per response; values that may contain commas are quoted
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-HTTP,src_ip=$client_address,vip=$vip,http_method=$http_method,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length,res_start_time=$res_start_time,node=$node,node_port=$node_port,http_status=$http_status,req_elapsed_time=$req_elapsed_time,bytes_out=$res_length\r\n"
}
when LB_FAILED {
    # Fires when no pool member could be selected; the request fields were set in HTTP_REQUEST
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-LB_FAILED,src_ip=$client_address,vip=$vip,http_method=$http_method,http_host=$http_host,http_uri=$http_uri,http_url=$http_url,http_version=$http_version,http_user_agent=\"$http_user_agent\",http_content_type=$http_content_type,http_referrer=\"$http_referrer\",req_start_time=$req_start_time,cookie=\"$cookie\",user=$user,virtual_server=\"$virtual_server\",bytes_in=$req_length\r\n"
}
```
Configure iRules for BIG-IP DNS (BIG-IP GTM)
Configure iRules on F5 BIG-IP DNS (BIG-IP GTM prior to version 12.0.0) devices so that you can send global traffic data to the Splunk platform. iRules enable you to search on any type of data that you define. Telemetry Streaming and DNS are NOT compatible.
Create Splunk_DNS_REQUEST
Use the Configuration utility to create an iRule, Splunk_DNS_REQUEST, and add it to the iRule list in the BIG-IP DNS (called BIG-IP GTM prior to 12.0.0). In version 11.6.5 and above, perform this configuration under DNS > GSLB > iRules.
Add the data definition for the iRule, Splunk_DNS_REQUEST, to the iRule properties. Copy the iRule data provided in the irule_dns_request example in the table below into the definition section for the new iRule. Apply the iRule, Splunk_DNS_REQUEST, to existing listeners. These listeners alert GTM to DNS traffic destined for the system. Add the iRule, Splunk_DNS_REQUEST, to the list of resources to be managed for this listener.
irule_dns_request example
iRule - irule_dns_request
Description - The system triggers the iRule to send data when it receives a DNS parsing request.
Example -
```tcl
when DNS_REQUEST {
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set question_class [DNS::question class]
    set question_type [DNS::question type]
    set data_center [whereami]
    # The separator must be quoted: an unquoted semicolon ends the Tcl command and the list would be space-joined
    set geo_information [join [whereis $client_addr] ";"]
    set gtm_server [whoami]
    set wideip [wideip name]
    set dns_len [DNS::len]
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=$client_addr,dns_server_ip=$dns_server_addr,src_geo_info=$geo_information,question_name=$question_name,question_class=$question_class,question_type=$question_type,data_center=$data_center,gtm_server=$gtm_server,wideip=$wideip,dns_len=$dns_len\r\n"
}
```
Create Splunk_DNS_RESPONSE
Use the Configuration utility to create an iRule, Splunk_DNS_RESPONSE, and add it to the iRule list in the BIG-IP DNS (called BIG-IP GTM prior to version 12.0.0). In version 11.6.5 and above, perform this configuration here: Local Traffic > iRules > iRule List.
Add the data definition for the iRule, Splunk_DNS_RESPONSE, to the iRule properties. Copy the iRule data provided in the irule_dns_response example in the table below into the definition section for the new iRule. Apply the iRule, Splunk_DNS_RESPONSE, to an existing wide IP in the GSLB wide IP list.
irule_dns_response example
iRule - irule_dns_response
Description - The system triggers the iRule to send data when it replies to a client with the DNS parsing result.
Example -
```tcl
when DNS_RESPONSE {
    set client_addr [IP::client_addr]
    set dns_server_addr [IP::local_addr]
    set question_name [DNS::question name]
    set is_wideip [DNS::is_wideip [DNS::question name]]
    # The separator must be quoted: an unquoted semicolon ends the Tcl command and the answers would be space-joined
    set answer [join [DNS::answer] ";"]
    set hsl [HSL::open -proto UDP -pool Pool-syslog]
    HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=$client_addr,dns_server_ip=$dns_server_addr,question_name=$question_name,is_wideip=$is_wideip,answer=\"$answer \"\r\n"
}
```
Configure F5 Logging Profiles for ASM
In order to collect data from F5 BIG-IP ASM, you need to add a logging profile in the F5 BIG-IP Configuration Utility. Create a new logging profile with a Profile Name of Logging Profile for Splunk and enable Application Security. Use the information in the table below to configure the profile. For the Storage Filter information, select AND for Logic Operation and All for Protocols, Response Status Codes, HTTP Methods, and Request Containing String.
Protocol - TCP
Server Addresses - Enter the IP addresses of your Splunk forwarders or your Splunk platform single instance. Add the default port of 9515, unless you want to configure a different port. If you do, you also need to configure the same port in inputs.conf.
Storage format - Select User-Defined, then enter the storage format definition that matches your version of F5 BIG-IP. Note that the storage format is also defined in the F5 BIG-IP documentation: https://support.f5.com/csp/article/K5903
For F5 BIG-IP 13.1.0 - 17.0.0:
f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",blocking_exception_reason="%blocking_exception_reason%",client_type="%client_type%",credential_stuffing_lookup_result="%credential_stuffing_lookup_result%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,device_id="%device_id%",enforced_by="%enforced_by%",enforcement_action="%enforcement_action%",epoch_time="%epoch_time%",geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",is_trunct=%is_truncated%,login_result="%login_result%",manage_ip_addr=%management_ip_address%,method="%method%",mobile_application_name="%mobile_application_name%",mobile_application_version="%mobile_application_version%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",protocol_info="%protocol_info%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",threat_campaign_names="%threat_campaign_names%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
For F5 BIG-IP 11.6.0 - 12.0.0:
f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",is_trunct=%is_truncated%,manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
For F5 BIG-IP 11.1.0 - 11.5.x:
f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,headers="%headers%",ip_client=%ip_client%,method="%method%",policy_name="%policy_name%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",sub_violates="%sub_violations%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violations="%violations%",virus_name="%virus_name%"
For F5 BIG-IP 10.1.x:
f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,headers="%headers%",manage_ip_addr=%management_ip_address%,method="%method%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp_code="%response_code%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",unit_host="%unit_hostname%",uri="%uri%",violations="%violations%"
Maximum Entry Length - 64K
For more information about the storage formats provided here, see Storage format reference
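The lines that the iRules above (Splunk_HTTP, Splunk_DNS_REQUEST, Splunk_DNS_RESPONSE) and the ASM storage format emit share one shape: comma-separated key=value pairs, values that may contain commas wrapped in double quotes, and, for the iRules only, a syslog PRI such as <190> in front. The parser below is an added example written for this page, not code from the add-on; its sample lines are constructed to match those formats rather than captured from a device, and every address, name and ID in them is invented. It also shows the one failure mode worth knowing about before you build detections on these events: the iRules do not escape a double quote inside a quoted value (a User-Agent containing a quote, for instance), so such a line cannot be split unambiguously and the parser rejects it instead of guessing.

```python
"""Parser for the comma-separated key=value event lines emitted by the
Splunk_HTTP, Splunk_DNS_REQUEST and Splunk_DNS_RESPONSE iRules and by the
ASM logging-profile storage format on this page.
Added example, not code from the add-on; sample lines are constructed."""
import re

# The iRule examples prepend a syslog PRI such as <190> followed by a comma.
PRI_RE = re.compile(r"^<(\d{1,3})>,")


def split_pri(pri):
    """Return (facility, severity) for a syslog PRI value; 190 is local7/info."""
    return pri >> 3, pri & 7


def parse_kv_line(line):
    """Return (pri, fields) for one event line; pri is None when absent.

    A value is bare (ends at the next comma) or double-quoted (may contain
    commas, which is why the iRules quote User-Agent, Referer, cookie names
    and virtual_server). The iRules do not escape a quote inside a quoted
    value, so unbalanced quotes raise ValueError instead of yielding wrong fields.
    """
    line = line.rstrip("\r\n")
    pri = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        line = line[m.end():]
    fields = {}
    i, n = 0, len(line)
    while i < n:
        eq = line.find("=", i)
        if eq < 0:
            raise ValueError("missing '=' at offset %d" % i)
        key = line[i:eq]
        i = eq + 1
        if i < n and line[i] == '"':
            end = line.find('"', i + 1)
            if end < 0:
                raise ValueError("unterminated quote in field %r" % key)
            value = line[i + 1:end]
            i = end + 1
            if i < n and line[i] != ",":
                raise ValueError("unescaped quote inside field %r" % key)
        else:
            end = line.find(",", i)
            if end < 0:
                end = n
            value = line[i:end]
            i = end
        i += 1  # step over the separating comma (or past the end of the line)
        fields[key] = value
    return pri, fields


def is_parseable(line):
    """True when parse_kv_line accepts the line without error."""
    try:
        parse_kv_line(line)
        return True
    except ValueError:
        return False


# Constructed samples shaped like Splunk-iRule-HTTP, Splunk-iRule-DNS_RESPONSE
# and Splunk-F5-ASM lines; addresses, names and IDs are invented.
SAMPLE_HTTP = (
    '<190>,f5_irule=Splunk-iRule-HTTP,src_ip=198.51.100.7,vip=203.0.113.10,'
    'http_method=GET,http_host=www.example.com:443,http_uri=/login,'
    'http_url=www.example.com:443/login,http_version=1.1,'
    'http_user_agent="Mozilla/5.0 (X11; Linux x86_64) Gecko, like Firefox",'
    'http_content_type=,http_referrer="",req_start_time=2024/01/15 10:22:33,'
    'cookie="session,lang",user=,virtual_server="pool_web 10.0.0.5 443",'
    'bytes_in=0,res_start_time=2024/01/15 10:22:33,node=10.0.0.5,'
    'node_port=443,http_status=200,req_elapsed_time=12,bytes_out=5120\r\n'
)
SAMPLE_DNS_RESPONSE = (
    '<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=198.51.100.7,'
    'dns_server_ip=203.0.113.53,question_name=www.example.com,is_wideip=1,'
    'answer="www.example.com 30 IN A 203.0.113.10;www.example.com 30 IN A 203.0.113.11 "\r\n'
)
SAMPLE_ASM = (
    'f5_asm=Splunk-F5-ASM,attack_type="Abuse of Functionality,Information Leakage",'
    'date_time="2024-01-15 10:22:34",dest_ip=203.0.113.10,dest_port=443,'
    'ip_client=198.51.100.7,method="GET",policy_name="/Common/web_policy",'
    'req_status="blocked",resp_code="200",severity="Critical",'
    'sig_ids="200000001,200000002",sig_names="Example signature (Parameter)",'
    'support_id="1234567890123456789",uri="/search",username="N/A",'
    'violations="Attack signature detected",virus_name="N/A"'
)
# A User-Agent containing a double quote is emitted unescaped by the iRule.
BAD_LINE = '<190>,f5_irule=Splunk-iRule-HTTP,http_user_agent="curl "7.88" test",bytes_in=0'

if __name__ == "__main__":
    for name, sample in (("http", SAMPLE_HTTP), ("dns", SAMPLE_DNS_RESPONSE), ("asm", SAMPLE_ASM)):
        pri, fields = parse_kv_line(sample)
        print(name, pri, len(fields), "fields", fields.get("f5_irule") or fields.get("f5_asm"))
    print("bad line parseable:", is_parseable(BAD_LINE))
```

When you index these events with the add-on's own extractions this parser is not needed; it is useful when you test an iRule change against captured lines before deploying it, or when you want to count how many events a device produces that the quoting cannot represent.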
Prepare F5 servers for Telemetry Streaming
To prepare F5 servers for Telemetry Streaming:
- Set up the Telemetry Streaming Consumer.
- Forward F5 BIG-IP logs to Splunk.
- Use F5 BIG-IP version 13.1 or later. Telemetry Streaming is only compatible with versions 13.1 or later of F5 BIG-IP.
Access the F5 documentation for examples of the SystemInfo data you’ll receive when using Telemetry Streaming.
Set up Telemetry Streaming Consumer
- Create a HEC input on your Splunk instance: https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/UsetheHTTPEventCollector
- Install the Telemetry Streaming package on F5 BIG-IP. For more information, see the F5 BIG-IP documentation.
- Enter this declaration in your API client for the F5 BIG-IP Telemetry Streaming configuration request.
JSON data for the Telemetry Streaming configuration:
```json
{
  "class": "Telemetry",
  "My_System": {
    "class": "Telemetry_System",
    "systemPoller": {
      "interval": <INTERVAL>
    }
  },
  "My_Listener": {
    "class": "Telemetry_Listener",
    "port": 6514
  },
  "My_Consumer": {
    "class": "Telemetry_Consumer",
    "type": "Splunk",
    "host": <Splunk_IP>,
    "protocol": "http",
    "port": 8088,
    "passphrase": {
      "cipherText": "<HEC_TOKEN>"
    },
    "allowSelfSignedCert": "true"
  }
}
```
Setting "allowSelfSignedCert": "true" allows the F5 server to stream data to Splunk over an insecure connection, one whose server certificate is not validated. However, if the user has their own certificates in the CA store, the connection from the F5 server to Splunk will be secured using those certificates, so it is not necessary to disable the global EnableSSL setting for HEC.
As you enter this data:
- Replace INTERVAL with the actual data collection interval value, for example 60.
- Replace HEC_TOKEN with the token value of the HEC input created in step 1.
- Use 6514 as the local Telemetry Streaming listener port.
- Replace Splunk_IP with the IP address of the Splunk instance where the events should be collected.
- Enter 255.255.255.254 as the virtual server IP address to configure logging using either AS3 or TMSH.
Splunk should start receiving SystemInfo data after these steps.
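To keep the placeholders in the declaration above from reaching a device unfilled, and to see the effect of the transport settings it contains, here is an added Python example (not part of the add-on or of F5 Telemetry Streaming) that builds the same declaration from explicit parameters and lints the Splunk consumer. The declaration keys are the ones shown above; the function names, parameters, placeholder token value and lint rules are this example's own. The example emits allowSelfSignedCert as a JSON boolean, while the page shows the string "true"; the lint accepts either form.

```python
"""Build the Telemetry Streaming declaration from this section with its
placeholders filled in, and lint the Splunk consumer's transport settings.
Added example, not code from the add-on or from F5 Telemetry Streaming."""
import json


def build_ts_declaration(interval, splunk_host, hec_token, listener_port=6514,
                         protocol="https", hec_port=8088, allow_self_signed=False):
    """Return the declaration as a dict (INTERVAL, Splunk_IP and HEC_TOKEN filled in)."""
    if interval < 1:
        raise ValueError("interval must be a positive number of seconds")
    if not hec_token:
        raise ValueError("a HEC token is required")
    return {
        "class": "Telemetry",
        "My_System": {
            "class": "Telemetry_System",
            "systemPoller": {"interval": interval},
        },
        "My_Listener": {"class": "Telemetry_Listener", "port": listener_port},
        "My_Consumer": {
            "class": "Telemetry_Consumer",
            "type": "Splunk",
            "host": splunk_host,
            "protocol": protocol,
            "port": hec_port,
            "passphrase": {"cipherText": hec_token},
            # Emitted as a JSON boolean here; the page shows the string "true".
            "allowSelfSignedCert": allow_self_signed,
        },
    }


def lint_consumer(declaration):
    """Return findings (strings) about settings that weaken or break the HEC transport."""
    findings = []
    consumer = declaration["My_Consumer"]
    if consumer.get("protocol") != "https":
        findings.append("protocol is not https: the HEC token and events travel in cleartext")
    # Accept both the boolean and the string form used on the page.
    if str(consumer.get("allowSelfSignedCert")).lower() == "true":
        findings.append("allowSelfSignedCert is enabled: the HEC certificate is not validated")
    if consumer.get("host") in (None, "", "<Splunk_IP>"):
        findings.append("host still holds the <Splunk_IP> placeholder or is empty")
    if consumer.get("passphrase", {}).get("cipherText") in (None, "", "<HEC_TOKEN>"):
        findings.append("passphrase.cipherText still holds the <HEC_TOKEN> placeholder or is empty")
    return findings


def to_json(declaration):
    """Serialize the declaration as it would be posted to the Telemetry Streaming endpoint."""
    return json.dumps(declaration, indent=2)


if __name__ == "__main__":
    # "hec-token-placeholder" stands in for a real HEC token value.
    hardened = build_ts_declaration(60, "10.0.0.20", "hec-token-placeholder")
    weak = build_ts_declaration(60, "10.0.0.20", "hec-token-placeholder",
                                protocol="http", allow_self_signed=True)
    print(to_json(hardened))
    print("hardened:", lint_consumer(hardened))
    print("as on the page (http, allowSelfSignedCert):", lint_consumer(weak))
```

Run the lint against the declaration you intend to post: an empty findings list means the consumer uses https, validates the HEC certificate, and has no placeholder left in the host or token fields.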
Forward F5 BIG-IP logs to Splunk
- Configure the remote server from System > Logs > Configuration > Remote Logging. Example: Remote IP: 127.0.0.1 and Remote Port: 6514
- Forward F5 BIG-IP LTM network traffic events to Splunk.
- Create an iRule and copy the iRule data provided in the Splunk_HTTP_TS example in the table below into the definition section for the new iRule.
- Configure a virtual server to reference the iRule. This is the local virtual server in the BIG-IP system from which you want to send events to the Splunk platform.
- Add the recently created iRule to the list of resources to be managed for this virtual server.
Name - Splunk_HTTP_TS
Definition -
```tcl
when CLIENT_ACCEPTED {
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
}
when HTTP_REQUEST {
    set http_host [HTTP::host]:[TCP::local_port]
    set http_uri [HTTP::uri]
    set http_url $http_host$http_uri
    set http_method [HTTP::method]
    set http_version [HTTP::version]
    set http_user_agent [HTTP::header "User-Agent"]
    set http_content_type [HTTP::header "Content-Type"]
    set http_referrer [HTTP::header "Referer"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set cookie [HTTP::cookie names]
    set user [HTTP::username]
    set virtual_server [LB::server]
    # Check that the header exists first: comparing an absent header (empty string) with > is a Tcl error
    if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
    } else {
        set req_length 0
    }
}
when HTTP_RESPONSE {
    set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]
    set node_port [TCP::server_port]
    set http_status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] > 0 } then {
        set res_length [HTTP::header "Content-Length"]
    } else {
        set res_length 0
    }
    # Sent over TCP to the Telemetry Streaming listener pool; no syslog PRI, every value quoted
    set hsl [HSL::open -proto TCP -pool telemetry]
    HSL::send $hsl "src_ip=\"$client_address\",vip=\"$vip\",http_method=\"$http_method\",http_host=\"$http_host\",http_uri=\"$http_uri\",http_url=\"$http_url\",http_version=\"$http_version\",http_user_agent=\"$http_user_agent\",http_content_type=\"$http_content_type\",http_referrer=\"$http_referrer\",req_start_time=\"$req_start_time\",cookie=\"$cookie\",user=\"$user\",virtual_server=\"$virtual_server\",bytes_in=\"$req_length\",res_start_time=\"$res_start_time\",node=\"$node\",node_port=\"$node_port\",http_status=\"$http_status\",req_elapsed_time=\"$req_elapsed_time\",bytes_out=\"$res_length\""
}
when LB_FAILED {
    # Fires when no pool member could be selected; the request fields were set in HTTP_REQUEST
    set hsl [HSL::open -proto TCP -pool telemetry]
    HSL::send $hsl "src_ip=\"$client_address\",vip=\"$vip\",http_method=\"$http_method\",http_host=\"$http_host\",http_uri=\"$http_uri\",http_url=\"$http_url\",http_version=\"$http_version\",http_user_agent=\"$http_user_agent\",http_content_type=\"$http_content_type\",http_referrer=\"$http_referrer\",req_start_time=\"$req_start_time\",cookie=\"$cookie\",user=\"$user\",virtual_server=\"$virtual_server\",bytes_in=\"$req_length\""
}
```
Forward F5 BIG-IP ASM events to Splunk
Configure F5 Logging Profiles for ASM using the details below. If you are already collecting the LTM data, then don’t select All requests for the Request Type, as LTM already logs all the network traffic events.
Protocol - TCP
Server Addresses - The address of the server and the port. 255.255.255.254:6514
Storage Format -
attack_type="%attack_type%",date_time="%date_time%",dest_ip="%dest_ip%",dest_port="%dest_port%",geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client="%ip_client%",ip_route_domain="%ip_with_route_domain%",is_trunct="%is_truncated%",manage_ip_addr="%management_ip_address%",method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
Forward F5 BIG-IP APM events to Splunk
- Create a new logging profile with Logging Profile for Splunk as the Profile Name.
- Associate this logging profile with the Access Policy.
- Change the logging verbosity for your APM logs to suit your needs. The default log level for APM is Notice, but this does not log session variables, which may be useful for troubleshooting.
Configure the modular inputs for the Splunk Add-on for F5 BIG-IP
The Splunk Add-on for F5 BIG-IP collects performance data (system settings, server performance, and traffic statistics data) for F5 BIG-IP servers from iControl APIs over the network using a modular input. You can configure this input using Splunk Web on your heavy forwarder. The Add-on uses Telemetry Streaming Custom Endpoints to perform the data collection. You must use Telemetry Streaming version 1.23 or higher to collect data using the add-on.
- Be sure to open port 443 to allow F5 BIG-IP to communicate with the modular input.
- From Splunk Web home, click Apps. The App manager page appears.
- In the row for Splunk Add-on for F5 BIG-IP, click Launch app. The add-on configuration UI appears.
You can now configure inputs using the Inputs tab. Configuring the inputs of the add-on involves establishing connections to external servers and selecting templates that define the data you collect from the servers.
Configure servers
- Go to Configuration > Server to add F5 BIG-IP server configurations to the Splunk platform.
- Click Add to add a new server configuration. The server profile is saved in $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/f5_servers.conf.
- Enter a server Name to identify the server. Acceptable characters are a-z, A-Z, 0-9 or "_".
- (optional) Enter a Description for the server.
- Type a URL in the Host field. This is the IP address or hostname of the F5 BIG-IP server, and can include port information. The Splunk platform connects to the server using https.
- Enter the Username and Password for the F5 BIG-IP server and confirm the password in the Confirm Password field. The Splunk platform uses these credentials to collect data using the iControl API. Splunk encrypts the password and stores the account information in $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/passwords.conf. The username you provide must be created in the Common partition and must have permission to access all the partitions from which you are collecting data. You can use only one F5 BIG-IP user to collect data from a single F5 BIG-IP server; multiple user accounts cannot be used to collect data from any one F5 BIG-IP server. When you later modify the server configuration using the add-on, you must re-enter the password.
- (optional) Enter a value for the Data Collection Interval. This is how often the Splunk platform polls the F5 server to collect data. If you do not enter a value, the server uses the Polling Interval configured in the input. The value specified here overrides the Polling Interval specified in the input, but the interval specified in a template overrides the interval set for the server. The order of precedence for the interval setting is template, then server, then input.
- Click Add to create the server profile. If your information is authenticated successfully, the add-on saves the server profile. If you have entered incorrect credentials or an incorrect URL, an error message appears on the dialog box. If you see such a message, verify the information you have entered and try again.
- By default, the API calls are made with SSL verification. To disable SSL verification, set enable_ssl = 0 under the [ssl_verify] stanza in $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/splunk_ta_f5_settings.conf. Disabling it means the BIG-IP server's certificate is no longer validated.
Repeat this procedure to configure all servers from which you want to collect data.
Now that you have configured your servers when you create an input, the servers will be available for you to include as part of the input.
Manage templates
A template defines the data that you want to collect from F5 BIG-IP devices and the collection mechanism for the data. The Splunk Add-on for F5 BIG-IP includes several predefined templates that you can use to collect data. To view these, go to Configuration > Template. The Templates page appears listing all templates defined in the add-on.
Creating a new template is an advanced task and requires you to have knowledge of F5 iControl APIs. For more information about creating templates, see Create new templates for the Splunk Add-on for F5 BIG-IP in the Reference section of this manual.
Create inputs
Inputs are actions to get data. Inputs look at a server or set of servers and a data collection template and poll the F5 BIG-IP servers at regular intervals to get the data into the Splunk platform.
For optimal results, assign no more than two F5 BIG-IP servers to an input and assign only one input to monitor each server.
- Go to Inputs. The Manage F5 Inputs page appears listing all inputs defined in the add-on.
- Click Create New Input to create a new input.
- Provide an input Name. Acceptable characters are a-z, A-Z, 0-9 or “_”.
- (optional) Enter a Description for the input.
- Click Servers to select one or more servers from which you want to collect data.
- Click Templates to select one or more templates that describe the data you want to collect.
- Provide Polling Interval (in seconds) to set the data collection for the input. The add-on, by default, collects data from F5 servers for each input every 300 seconds. The interval setting determines the granularity of the data returned. The more often you collect data, the more detail you see from your data. If you specified a data collection interval when you configured your servers, that interval setting overrides the interval setting at the input level.
- Enter a HEC Token name to collect the data for the configured templates. For more information, see Creating a HEC Token. The user needs to make sure that the HEC Token is created in the Splunk_TA_f5-bigip context. For that, the user will have to navigate to the Settings > Data Inputs from the Splunk_TA_f5-bigip add-on.
- Enter the Splunk Host to collect the data for a particular Splunk Instance.
- Click Add to create the input. The Splunk add-on for F5 BIG-IP creates the input, adds it to the list of scheduled inputs, and enables it by default. To disable the input at any time, click Disabled in the row for that input.
Validate data collection
The Splunk add-on for F5 BIG-IP polls the F5 BIG-IP servers, at regular intervals, for the data you want to collect. To verify that the add-on is getting data into the Splunk platform, use the Search app to search based on source type.
If you do not see data coming into the Splunk platform from your F5 BIG-IP servers, see Troubleshoot the Splunk Add-on for F5 BIG-IP.
Note: The add-on also collects APM logs and system events from F5 BIG-IP servers from HSL via iRules and System logs over the network on UDP port 9514 and logs from ASM over the network on TCP port 9515. For more information about these inputs, see Configure UDP and TCP inputs for the Splunk Add-on for F5 BIG-IP.
Obtain syslog data for the Splunk Add-on for F5 BIG-IP
The best method for getting syslog data into the Splunk platform for production deployments is Splunk Connect For Syslog. This solution provides improved simplicity and scalability, among other benefits. For more information, see Splunk Connect for Syslog.
The Splunk Add-on for F5 BIG-IP collects APM logs and system events (package filter events, audit configuration events, local and global traffic events, and application traffic data) from F5 BIG-IP servers from HSL via iRules and System logs over the network on UDP port 9514. The add-on also collects logs from ASM over the network on TCP port 9515.
Manually enable UDP and TCP inputs¶
You can also use the following manual configuration in development environments. The source type on the network is f5:bigip:syslog. During index time, the add-on separates the data into more specific source types.
The ports used by the add-on must match the ports you specified when you configured F5 BIG-IP for logging. You must enable these inputs using either Splunk Web on your heavy forwarder or by manually editing the inputs.conf file.
To manually enable the UDP and TCP inputs in inputs.conf:
- Create an inputs.conf file in the add-on local folder: $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local on Unix-based systems, %SPLUNK_HOME%\etc\apps\Splunk_TA_f5-bigip\local on Windows systems.
- Copy the following two stanzas into your local inputs.conf file:

```
[udp://9514]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog

[tcp://9515]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog
```

- Change the values for [udp://9514] and [tcp://9515] to custom port numbers if you used different ports on your F5 server.
- Restart the Splunk platform.
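As an added check (example code written for this page, not part of the add-on), the following Python script parses a local inputs.conf and verifies that the two stanzas exist, are enabled, carry the f5:bigip:syslog source type and use connection_host=ip. The port numbers are parameters so you can pass the ones you configured on the F5 side and catch a mismatch before wondering why no events arrive. The sample configuration text is constructed from the stanzas above; the function names are this example's own.

```python
"""Sanity-check a manually created inputs.conf for the F5 BIG-IP syslog ports.
Example code for this page, not part of the Splunk Add-on for F5 BIG-IP."""
import configparser

# Constructed sample: the two stanzas the add-on documentation asks for.
SAMPLE_INPUTS_CONF = """\
[udp://9514]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog

[tcp://9515]
disabled = false
connection_host=ip
sourcetype = f5:bigip:syslog
"""

# Source type the add-on expects on the wire; it is split further at index time.
EXPECTED_SOURCETYPE = "f5:bigip:syslog"


def parse_inputs_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}.

    Splunk .conf files are INI-like, so configparser handles them; stanza names
    such as udp://9514 are kept verbatim and key case is preserved.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def check_f5_syslog_inputs(text, udp_port=9514, tcp_port=9515):
    """Return a list of problems; an empty list means the inputs match the ports.

    udp_port and tcp_port are the remote-logging ports configured on the F5 side
    (9514 UDP for system and APM HSL logs, 9515 TCP for ASM by default).
    """
    stanzas = parse_inputs_conf(text)
    problems = []
    for name in (f"udp://{udp_port}", f"tcp://{tcp_port}"):
        stanza = stanzas.get(name)
        if stanza is None:
            problems.append(f"missing stanza [{name}]")
            continue
        if stanza.get("disabled", "false").strip().lower() not in ("false", "0"):
            problems.append(f"[{name}] is disabled")
        if stanza.get("sourcetype") != EXPECTED_SOURCETYPE:
            problems.append(
                f"[{name}] sourcetype is {stanza.get('sourcetype')!r}, "
                f"expected {EXPECTED_SOURCETYPE!r}")
        if stanza.get("connection_host") != "ip":
            # With connection_host=ip the host field is the sending F5's address,
            # which is what the add-on's per-device views rely on.
            problems.append(f"[{name}] connection_host should be 'ip'")
    return problems


if __name__ == "__main__":
    for problem in check_f5_syslog_inputs(SAMPLE_INPUTS_CONF) or ["inputs.conf looks good"]:
        print(problem)
```

Run it against your real file by replacing SAMPLE_INPUTS_CONF with the contents of the local inputs.conf and passing the ports you set on the F5 logging destination.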
Enable UDP and TCP inputs using Splunk Web¶
To enable the UDP and TCP port in Splunk Web:
- Log into Splunk Web on your data collection node.
- Navigate to Settings, Data inputs.
To collect data using TCP:
- Click TCP then click New Local TCP in the top-right corner.
- Enter 9515 in the Port field and click Next.
- Select f5:bigip:syslog as the Source Type.
- Select Splunk Add-on for F5 BIG-IP (Splunk_TA_f5-bigip) as the App Context.
- Select IP as the Method and click Review.
- Click Submit.
To collect data using UDP:
- Click UDP then click New Local UDP in the top-right corner.
- Enter 9514 in the Port field and click Next.
- Select f5:bigip:syslog as the Source Type.
- Select Splunk Add-on for F5 BIG-IP (Splunk_TA_f5-bigip) as the App Context.
- Select IP as the Method and click Review.
- Click Submit.
Note: If you configured different port numbers on the F5 BIG-IP server, then enter the custom port numbers as shown above.
You do not need to restart the Splunk platform if you make these configuration changes in Splunk Web.
Reference
Create new templates for the Splunk Add-on for F5 BIG-IP¶
Creating a new template is an advanced task and requires you to have knowledge of F5 iControl APIs. The Splunk Add-on for F5 BIG-IP collects the data for the iControl API using Telemetry Streaming, which uses a REST API to collect the data for the iControl APIs. For more information about the iControl REST API, see the iControl REST documentation. With that reference, you can identify the REST API call for a metric and collect its data either by creating a custom template or by using one of the existing templates.
Create a new template¶
- Go to Configuration > Template. The templates configuration page appears listing all templates defined in the app.
- Click Add to create a new template.
- The template information is saved in $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/f5_templates_ts.conf.
- Provide a template Name. Acceptable characters are a-z, A-Z, 0-9 or “_”.
- (optional) Enter a Description for the template.
- Provide Content. The content must follow the format of the Middle Language Template for F5 BIG-IP iControl APIs. See “Template record format,” below.
- Click Add.
The templates you create display in the Input list when you create inputs.
Template definition¶
The template definition provided in this add-on is a flexible configuration script.
Template record format¶
<API Name>,<API Call>,<Interval>
Parameter | Description |
---|---|
<API Name> | The name of the key under which the response for the associated API Call is stored. Refer to the examples below for further clarification. You must specify this parameter in the template. |
<API Call> | The REST API endpoint for which you want to collect the data using Telemetry Streaming. You can find the REST endpoint in the F5 documentation. |
<Interval> | An integer value that specifies how often (in seconds) to return the data for a particular API call. The interval value specified here takes precedence over the interval specified in the server or the input. |
Template examples¶
ltmVirtualAddressStats,/mgmt/tm/ltm/virtual-address/stats,60
{"ltmVirtualAddressStats":{"/Common/10.0.0.0/stats":{"addr":"10.0.0.0","clientside.bitsIn":0,"clientside.bitsOut":0,"clientside.curConns":0,"clientside.maxConns":0,"clientside.pktsIn":0,"clientside.pktsOut":0,"clientside.totConns":0,"tmName":"/Common/10.0.0.0","status.availabilityState":"unknown","status.enabledState":"enabled","status.statusReason":"The children virtual server(s) either don't have service checking enabled, or service check results are not available yet"},"/Common/Shared/10.0.0.1/stats":{"addr":"10.0.0.1","clientside.bitsIn":0,"clientside.bitsOut":0,"clientside.curConns":0,"clientside.maxConns":0,"clientside.pktsIn":0,"clientside.pktsOut":0,"clientside.totConns":0,"tmName":"/Common/Shared/10.0.0.1","status.availabilityState":"unknown","status.enabledState":"enabled","status.statusReason":"The children virtual server(s) either don't have service checking enabled, or service check results are not available yet"}},"system":{"hostname":"xyz"},"telemetryServiceInfo":{"pollingInterval":60,"cycleStart":"2022-03-03T19:21:37.871Z","cycleEnd":"2022-03-03T19:21:39.499Z"},"telemetryEventCategory":"systemInfo"}
manUser,/mgmt/tm/auth/user
{"manUser":{"items":[{"kind":"tm:auth:user:userstate","name":"admin","fullPath":"admin","generation":1,"selfLink":"https://localhost/mgmt/tm/auth/user/admin?ver=16.1.0","description":"Admin User","encryptedPassword":"$1$salt$IEd.dPRrJY41NWqqeABCW2","sessionLimit":-1,"partitionAccess":[{"name":"all-partitions","role":"admin","nameReference":{"link":"https://localhost/mgmt/tm/auth/partition/all-partitions?ver=16.1.0"}}]}]},"system":{"hostname":"xyz"},"telemetryServiceInfo":{"pollingInterval":300,"cycleStart":"2022-03-03T19:24:10.138Z","cycleEnd":"2022-03-03T19:24:12.211Z"},"telemetryEventCategory":"systemInfo"}
netInterface,/mgmt/tm/net/interface
{"netInterface":{"items":[{"kind":"tm:net:interface:interfacestate","name":"1.0","fullPath":"1.0","generation":45,"selfLink":"https://localhost/mgmt/tm/net/interface/1.0?ver=16.1.0","bundle":"not-supported","bundleSpeed":"not-supported","enabled":true,"flowControl":"tx-rx","forceGigabitFiber":"disabled","forwardErrorCorrection":"not-supported","ifIndex":48,"lacpPortPriority":32786,"linkTrapsEnabled":"true","lldpAdmin":"txonly","lldpTlvmap":130943,"macAddress":"00:00:16:0f:q9:2e","mediaActive":"10000T-FD","mediaFixed":"10000T-FD","mediaMax":"auto","mediaSfp":"auto","mtu":1500,"portFwdMode":"l3","preferPort":"sfp","qinqEthertype":"0x8100","sflow":{"pollInterval":0,"pollIntervalGlobal":"yes"},"stp":"enabled","stpAutoEdgePort":"enabled","stpEdgePort":"true","stpLinkType":"auto"},{"kind":"tm:net:interface:interfacestate","name":"mgmt","fullPath":"mgmt","generation":64,"selfLink":"https://localhost/mgmt/tm/net/interface/mgmt?ver=16.1.0","bundle":"not-supported","bundleSpeed":"not-supported","enabled":true,"flowControl":"tx-rx","forceGigabitFiber":"disabled","forwardErrorCorrection":"not-supported","ifIndex":32,"lacpPortPriority":32786,"linkTrapsEnabled":"true","lldpAdmin":"txonly","lldpTlvmap":130943,"macAddress":"00:00:16:1f:19:1e","mediaActive":"100TX-FD","mediaFixed":"auto","mediaSfp":"auto","mtu":1500,"portFwdMode":"l3","preferPort":"sfp","qinqEthertype":"0x8100","sflow":{"pollInterval":0,"pollIntervalGlobal":"yes"},"stp":"enabled","stpAutoEdgePort":"enabled","stpEdgePort":"true","stpLinkType":"auto"}]},"system":{"hostname":"bigip1"},"telemetryServiceInfo":{"pollingInterval":300,"cycleStart":"2022-03-03T19:20:33.580Z","cycleEnd":"2022-03-03T19:20:35.112Z"},"telemetryEventCategory":"systemInfo"}
oneConnectStats,/mgmt/tm/ltm/profile/one-connect/stats
{"oneConnectStats":{"/Common/oneconnect/stats":{"connects":0,"curSize":0,"maxSize":0,"tmName":"/Common/oneconnect","reuses":0,"typeId":"ltm profile one-connect","vsName":"N/A"}},"system":{"hostname":"xyz"},"telemetryServiceInfo":{"pollingInterval":300,"cycleStart":"2022-03-03T19:24:46.383Z","cycleEnd":"2022-03-03T19:24:47.276Z"},"telemetryEventCategory":"systemInfo"}
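The record format and the examples above are easy to get subtly wrong (a stray character in the API name, an endpoint outside /mgmt/, a non-numeric interval), and the add-on only reports problems at collection time. The following Python example, written for this page and not part of the add-on, validates template content against the rules stated above and then matches a received Telemetry Streaming event back to the record it came from, using the fact visible in the examples that each event is keyed by the record's API Name and carries the polling interval in telemetryServiceInfo. The sample template is the first two records from the examples; the sample event is a trimmed copy of the ltmVirtualAddressStats example; the function names and the assumption that API names follow the same character rules as template names are this example's own.

```python
"""Validate <API Name>,<API Call>,<Interval> template records and match telemetry
events to them. Example code for this page, not part of the Splunk Add-on for F5 BIG-IP."""
import re

# Characters the add-on accepts for a template name (a-z, A-Z, 0-9, "_"); assumed
# here to apply to the API Name field of each record as well.
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed template content: the first two records from the docs' examples.
SAMPLE_TEMPLATE = """\
ltmVirtualAddressStats,/mgmt/tm/ltm/virtual-address/stats,60
manUser,/mgmt/tm/auth/user
"""

# Constructed telemetry event, trimmed from the docs' ltmVirtualAddressStats example.
SAMPLE_EVENT = {
    "ltmVirtualAddressStats": {
        "/Common/10.0.0.0/stats": {"addr": "10.0.0.0", "clientside.curConns": 0,
                                   "status.enabledState": "enabled"}
    },
    "system": {"hostname": "xyz"},
    "telemetryServiceInfo": {"pollingInterval": 60,
                             "cycleStart": "2022-03-03T19:21:37.871Z",
                             "cycleEnd": "2022-03-03T19:21:39.499Z"},
    "telemetryEventCategory": "systemInfo",
}


def parse_template(content):
    """Parse template records into dicts with keys name, api_call and interval.

    A record is <API Name>,<API Call>[,<Interval>]. The interval is optional (the
    manUser example omits it); when present it is a positive integer of seconds
    that overrides the input or server interval. Raises ValueError on the first
    malformed record, naming the line.
    """
    records = []
    for lineno, raw in enumerate(content.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 comma-separated fields, got {len(parts)}")
        name, api_call = parts[0], parts[1]
        if not NAME_RE.match(name):
            raise ValueError(f"line {lineno}: API name {name!r} may only use a-z, A-Z, 0-9 and _")
        if not api_call.startswith("/mgmt/"):
            raise ValueError(f"line {lineno}: API call {api_call!r} is not an iControl REST path under /mgmt/")
        interval = None
        if len(parts) == 3:
            if not parts[2].isdigit() or int(parts[2]) <= 0:
                raise ValueError(f"line {lineno}: interval {parts[2]!r} must be a positive integer of seconds")
            interval = int(parts[2])
        records.append({"name": name, "api_call": api_call, "interval": interval})
    return records


def template_errors(content):
    """Return the validation error for content, or None when it parses cleanly."""
    try:
        parse_template(content)
    except ValueError as exc:
        return str(exc)
    return None


def classify_event(records, event):
    """Find which template record a telemetry event belongs to.

    As in the examples above, each event carries one top-level key equal to the
    record's API Name. Returns (api_name, problems): api_name is None when no
    record matches, and problems reports a pollingInterval that differs from the
    record's explicit interval.
    """
    polling = event.get("telemetryServiceInfo", {}).get("pollingInterval")
    for rec in records:
        if rec["name"] in event:
            problems = []
            if rec["interval"] is not None and polling != rec["interval"]:
                problems.append(
                    f"{rec['name']}: pollingInterval {polling} != template interval {rec['interval']}")
            return rec["name"], problems
    return None, ["event matches no API name in the template"]


if __name__ == "__main__":
    recs = parse_template(SAMPLE_TEMPLATE)
    print(classify_event(recs, SAMPLE_EVENT))
```

Feed template_errors the Content field before you click Add, and run classify_event over events from the f5:telemetry:json source type to confirm each one maps back to a record and polls at the interval you intended.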
Storage format reference for the Splunk Add-on for F5 BIG-IP¶
If you use the Splunk Add-on for F5 BIG-IP to collect data from ASM, you need to set up a Logging Profile and configure a storage format that matches your version of F5 BIG-IP, as described in Prepare F5 servers to connect to the Splunk platform.
Splunk has three predefined storage formats for the three different versions of F5 BIG-IP.
Storage format for F5 BIG-IP 11.6.0 - 12.0.0:
f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",http_class="%http_class_name%",ip_addr_intelli="%ip_address_intelligence%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",is_trunct=%is_truncated%,manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violate_rate="%violation_rating%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
Storage format for F5 BIG-IP 11.1.0 - 11.5.x:
f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",http_class="%http_class%",ip_addr_intelli="%ip_reputation%",ip_client=%ip_client%,ip_route_domain="%ip_with_route_domain%",manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp="%response%",resp_code="%response_code%",route_domain="%route_domain%",session_id="%session_id%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",sub_violates="%sub_violations%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",username="%username%",violate_details="%violation_details%",violations="%violations%",virus_name="%virus_name%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
Storage format for F5 BIG-IP 10.1.x:
f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",dest_ip=%dest_ip%,dest_port=%dest_port%,geo_info="%geo_location%",headers="%headers%",manage_ip_addr=%management_ip_address%,method="%method%",policy_apply_date="%policy_apply_date%",policy_name="%policy_name%",protocol="%protocol%",query_str="%query_string%",req="%request%",req_status="%request_status%",resp_code="%response_code%",severity="%severity%",sig_ids="%sig_ids%",sig_names="%sig_names%",src_port="%src_port%",support_id="%support_id%",unit_host="%unit_hostname%",uri="%uri%",violations="%violations%",x_fwd_hdr_val="%x_forwarded_for_header_value%"
You can use these storage format definitions as they are. The table below describes how the original message names in F5 BIG-IP map to field names in the Splunk platform. This mapping is designed to minimize the storage format length due to limits in the BIG-IP configuration. Not all message names are included in the predefined storage formats due to F5’s storage format length limitation. Change the storage format in F5 BIG-IP if you want to get more messages.
Format String Version | Field Name in Splunk | Message Name in F5 Big-IP | Description |
---|---|---|---|
v11.6 v11.1 v10.1 | attack_type | attack_type | List of comma separated names of suspected attacks identified in a transaction. Available in BIG-IP 10.1.0 and later. |
v11.6 v11.1 v10.1 | date_time | date_time | The date and time information reported in the following format: YYYY-MM-DD HH:MM:SS This is the same format that is used in the Request page within the Configuration utility. Available in BIG-IP 10.0.0 and later. |
v11.6 v11.1 v10.1 | dest_ip | dest_ip | IP address of the virtual server. Available in BIG-IP 10.1.0 and later. |
v11.6 v11.1 v10.1 | dest_port | dest_port | The port used on the BIG-IP ASM local virtual server. Available in BIG-IP 10.1.0 and later. |
v11.6 v11.1 v10.1 | geo_info | geo_location | A string indicating the geographic location from which the request originated. Available in BIG-IP 10.1.0 and later. |
v11.6 v11.1 v10.1 | headers | headers | Request headers. This option is removed if the request option is selected because the request option automatically includes the request headers. |
v11.6 v11.1 | http_class | http_class_name | The http_class_name option returns the name of the virtual server the security policy is attached to in BIG-IP 11.3.0 and later. In BIG-IP 11.1.0 through 11.2.1, this option provides the name of the http_class profile the security policy is attached to. |
v11.6 v11.1 | ip_addr_intelli | ip_address_intelligence / ip_reputation | Logs the IP Intelligence information for the requesting client’s IP Address. Requires an active IPI subscription for meaningful results. Available in BIG-IP 11.2.0 through 11.2.1 as ip_reputation. In BIG-IP 11.3.0 and later, it is renamed as ip_address_intelligence. |
v11.6 v11.1 | ip_client | ip_client | Source IP of the client originating the request (Note: if a proxy is being used, this may differ from the IP in the X-forwarded-for header). Available in BIG-IP 10.2.0 and later. |
v11.6 v11.1 | ip_route_domain | ip_with_route_domain | Source IP of the client originating the request with the Route Domain suffix appended. Available in BIG-IP 11.1.0 and later. |
v11.6 | is_trunct | is_truncated | Returns truncated if a request is truncated in ASM’s logging. Available in BIG-IP 11.6.0 and later. |
v11.6 v11.1 v10.1 | manage_ip_addr | management_ip_address | This option logs the BIG-IP ASM management IP address. This option is useful if multiple BIG-IP ASM systems within the network are logging to the same syslog server; available in BIG-IP 9.4.5 and later. |
v11.6 v11.1 v10.1 | method | method | The method of request. For example, GET, POST, HEAD. |
v11.6 v11.1 v10.1 | policy_apply_date | policy_apply_date | The date the BIG-IP ASM policy was applied. This option is useful for tracking policy changes; available in BIG-IP 9.4.5 and later. |
v11.6 v11.1 v10.1 | policy_name | policy_name | The name of the BIG-IP ASM policy for which the violation was triggered; available in BIG-IP 9.4.5 and later. |
v11.6 v11.1 v10.1 | protocol | protocol | The protocol used, HTTP or HTTPS if terminating SSL on the BIG-IP ASM. |
v11.6 v11.1 v10.1 | query_str | query_string | The query string or query parameters found at the end of the URI. |
v11.6 v11.1 v10.1 | req | request | The entire request including headers, query string, and data. When this option is selected, the headers option is removed from this list as it is automatically included. |
v11.6 v11.1 v10.1 | req_status | request_status | The status of the client request to the web application, as assigned by BIG-IP ASM. Possible values: blocked (the request was blocked because of a violation and a blocking response page was returned to the client); alerted (the request contained violations but was not blocked, typical when the enforcement mode is set to transparent); passed (a successful request with no violations). This option replaces the request_blocked option; available in BIG-IP 10.0.0 and later. |
v11.6 v11.1 | resp | response | Returns the full response from the web server. If using UDP logging, a large response may be truncated, and any remote logging fields specified after the response option will not be present in the data sent to the remote logging server. Response Logging must be enabled or this will return an empty string. Available in BIG-IP 11.1.0 and later. |
v11.6 v11.1 v10.1 | resp_code | response_code | The response code returned by the server. |
v11.6 v11.1 | route_domain | route_domain | Returns the Route Domain the Client IP is requesting in. Available in BIG-IP 11.1.0 and later. |
v11.6 v11.1 | session_id | session_id | Returns the Session Identification Number of the request. This is a number internally assigned to all sessions for violation collation by the BIG-IP ASM. Available in BIG-IP 11.1.0 and later. |
v11.6 v11.1 v10.1 | severity | severity | The severity level of the detected violation. |
v11.6 v11.1 v10.1 | sig_ids | sig_ids | Signature ID value of the matching signature that resulted in the violation. Available in BIG-IP 10.0.0 and later. |
v11.6 v11.1 v10.1 | sig_names | sig_names | Signature name of the matching signature that resulted in the violation. Available in BIG-IP 10.0.0 and later. |
v11.6 v11.1 v10.1 | src_port | src_port | The source port of the client. Available in BIG-IP 10.1.0 and later. |
v11.6 v11.1 | sub_violates | sub_violations | Refers to the sub-violations detected under the ‘HTTP protocol compliance failed’ and the ‘Evasion technique detected’ violations. Available in BIG-IP 10.2.0 and later. |
v11.6 v11.1 v10.1 | support_id | support_id | The support ID is reported when a violation is triggered; available in BIG-IP 9.4.5 and later. |
v11.6 v11.1 v10.1 | unit_host | unit_hostname | The hostname of the BIG-IP ASM. This option is useful if multiple BIG-IP ASM systems within the network are logging to the same syslog server; available in BIG-IP 9.4.5 and later. |
v11.6 v11.1 v10.1 | uri | uri | The URI or Uniform Resource Identifier of the request. |
v11.6 v11.1 | username | username | Displays the username that sent the request, if a username is associated with the session. Displays N/A if the username is not available to the system. Available in BIG-IP 11.1.0 and later. |
v11.1 v10.1 | violations | violations | Any violation that occurs due to a client's request. |
v11.6 v11.1 | violate_details | violation_details | In version 10.2.x specifies the virus found in conjunction with the ‘Virus detected’ violation. In version 11.x specifies complete violation details in XML. |
v11.6 | violate_rate | violation_rating | Returns the Severity Rating for any violations logged. Available in BIG-IP 11.6.0 and later. |
v11.6 v11.1 | virus_name | virus_name | Specifies the virus found in conjunction with the ‘Virus detected’ violation. Available in BIG-IP 11.0.0 and later. |
N/A | web_application_name | web_application_name | The name of the Web Application that handled the request. This option is no longer available beginning in BIG-IP 11.1.0. |
v11.6 v11.1 v10.1 | x_fwd_hdr_val | x_forwarded_for_header_value | X-Forwarding header information. This option is commonly used when proxies are involved to track the originator of the request; available in BIG-IP 9.4.5 and later. |
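To see how those format strings turn into extractable fields, here is an added Python example, written for this page and not the add-on's own extraction logic. It parses an ASM event emitted with such a storage format, taking care with quoted values that themselves contain commas (attack_type, headers and violations routinely do), derives the Splunk-field to F5-message-name mapping from the format string itself, and compares the fields present in an event with those the format promises, which is how a UDP-truncated event (see the resp row above) shows up. The format string is the BIG-IP 11.6.0 - 12.0.0 one from above cut down to a dozen fields; the event line is constructed.

```python
"""Parse BIG-IP ASM events produced by a Splunk-F5-ASM storage format and compare
them with the format. Example code for this page, not the add-on's extraction logic."""
import re

# Storage format for BIG-IP 11.6.0 - 12.0.0 from the docs, cut down to a dozen fields.
STORAGE_FORMAT_V116 = (
    'f5_asm=Splunk-F5-ASM,attack_type="%attack_type%",date_time="%date_time%",'
    'dest_ip=%dest_ip%,dest_port=%dest_port%,headers="%headers%",ip_client=%ip_client%,'
    'method="%method%",req_status="%request_status%",resp_code="%response_code%",'
    'uri="%uri%",violations="%violations%"')

# Constructed sample event: what ASM sends after substituting the %placeholders%.
# Note the commas inside the quoted attack_type, headers and violations values.
SAMPLE_EVENT = (
    'f5_asm=Splunk-F5-ASM,attack_type="SQL-Injection,Cross Site Scripting (XSS)",'
    'date_time="2024-11-28 10:15:42",dest_ip=10.0.0.5,dest_port=443,'
    'headers="Host: www.example.com\\r\\nUser-Agent: curl/8.0",ip_client=198.51.100.7,'
    'method="GET",req_status="blocked",resp_code="200",uri="/login",'
    'violations="Attack signature detected,Illegal meta character in value"')

# One key=value pair: the value is either a double-quoted string (commas allowed,
# backslash escapes tolerated) or a bare run of non-comma characters.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)(?:,|$)')


def parse_asm_event(line):
    """Split one ASM event line into an ordered {field: value} dict.

    Raises ValueError at the first offset that does not start a key=value pair,
    which is what a mangled or mid-value-truncated event looks like.
    """
    fields = {}
    pos = 0
    while pos < len(line):
        m = PAIR_RE.match(line, pos)
        if not m:
            raise ValueError(f"cannot parse at offset {pos}: {line[pos:pos + 20]!r}")
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
        pos = m.end()
    return fields


def field_map(storage_format):
    """Map Splunk field name -> F5 message name, read from the %placeholder% tokens.

    This reproduces the first three columns of the table above for the fields
    actually present in the format string.
    """
    return dict(re.findall(r'(\w+)="?%(\w+)%"?', storage_format))


def missing_fields(storage_format, fields):
    """Return Splunk field names the format promises but the parsed event lacks."""
    return [name for name in field_map(storage_format) if name not in fields]


if __name__ == "__main__":
    event = parse_asm_event(SAMPLE_EVENT)
    print(event["req_status"], event["attack_type"])
    print(missing_fields(STORAGE_FORMAT_V116, event))
```

Because the parser keeps field order, the list returned by missing_fields tells you where the event was cut: everything after the last present field is gone, exactly as the resp row above warns for UDP logging. Keep the order of the storage format in mind when you shorten it, and put the fields you need for alerting (attack_type, req_status, violations) before large free-text ones such as headers or resp.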
Lookups for the Splunk Add-on for F5 BIG-IP¶
The Splunk Add-on for F5 BIG-IP has six lookups. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/lookups.
File name | Description |
---|---|
f5_bigip_apm_syslog_action.csv | Contains datamodel_action against APM syslog action. |
f5_bigip_apm_syslog_protocol.csv | Provides protocol against transport for APM syslog. |
f5_bigip_icontrol_ha_states.csv | Maps get_failover_state to a boolean value failover_status to support the ITSI load balancer module. |
f5_bigip_icontrol_availability_status.csv | Maps avl_status_string to a boolean value avl_status to support the ITSI load balancer module. |
f5_bigip_category_value_action_lookup.csv | Provides action based on telemetryEventCategory and http_status for telemetry events. |
f5_bigip_ltm_http_irule_action.csv | Contains action for http_status for f5:bigip:ltm:http:irule. |
Source types for the Splunk Add-on for F5 BIG-IP¶
This add-on contains predefined source types that Splunk Enterprise uses to ingest incoming events and categorize these events for search.
The source types are based on the data sources that the add-on ingests. Many of the source types support data models in the Common Information Model and the ITSI Load Balancer module.
Data Sources | Data collection Method | sourcetype | eventtype/source | Datamodel compatibility |
---|---|---|---|---|
System log data | Syslog | f5:bigip:syslog | f5_bigip_syslog_pam_auth | None |
f5_bigip_syslog_audit_process | None | |||
f5_bigip_syslog_login_failed | None | |||
f5_bigip_user_authenticated | Authentication | |||
f5_bigip_syslog_connection_error | Network Traffic | |||
APM Logs | Syslog | f5:bigip:apm:syslog | f5_bigip_apm_access_policy_result | None |
f5_bigip_apm_session_throughout_stat | None | |||
f5_bigip_apm_session_created | Network Sessions | |||
f5_bigip_apm_session_deleted | None | |||
f5_bigip_apm_acl_applied_result | Network Traffic | |||
f5_bigip_apm_username_received | None | |||
f5_bigip_apm_user_agent_received | None | |||
f5_bigip_apm_http_response_status | None | |||
f5_bigip_apm_following_rule_from_item | None | |||
f5_bigip_apm_following_rule | None | |||
f5_bigip_apm_following_rule_ending | None | |||
f5_bigip_apm_client_info_received | None | |||
f5_bigip_apm_assigned_ppp | Network Traffic | |||
ASM Logs | Syslog | f5:bigip:asm:syslog | f5_bigip_asm_syslog | None |
f5_bigip_asm_syslog_attack | Intrusion Detection | |||
High Speed Logging (HSL) using iRules | Syslog | f5:bigip:gtm:dns:request:irule | f5_bigip_gtm_dns_request_irule | [Network Resolution (DNS)](https://docs.splunk.com/Documentation/CIM/5.0.2/User/NetworkResolutionDNS) |
f5:bigip:gtm:dns:response:irule | f5_bigip_gtm_dns_response_irule | [Network Resolution (DNS)](https://docs.splunk.com/Documentation/CIM/5.0.2/User/NetworkResolutionDNS) | ||
f5:bigip:ltm:http:irule | f5_bigip_ltm_http_irule | Web | ||
f5:bigip:ltm:lb:failed:irule | None | None | ||
Telemetry Streaming Data | Telemetry Streaming | f5:telemetry:json | source::f5:bigip:system | None |
source::f5:bigip:syslog | None | |||
eventtype=f5_bigip_avr_ts, source::f5:bigip:avr | Network Traffic | |||
eventtype=f5_bigip_ltm_http_irule_ts | Web | |||
eventtype=f5_bigip_afm_ts, source::f5:bigip:afm | Network Traffic | |||
eventtype=f5_bigip_asm_ts, source::f5:bigip:asm | Intrusion Detection | |||
source::f5:bigip:apm | None | |||
Logs from RADIUS Authentication | Syslog | f5:bigip:secure | f5_bigip_user_authenticated | Authentication |
SSL handshake failure | Syslog | f5:bigip:ltm:ssl:error | f5_bigip_ltm_ssl_handshake_failed | Network Traffic |
iRule error - The BIG-IP system generates a Tool Command Language (Tcl) error, indicating the missing or incorrect element. | Syslog | f5:bigip:ltm:tcl:error | None | None |
BIG-IP system packet errors -Error messages that occur when the BIG-IP system receives a significant number of packets that do not match existing connections to BIG-IP virtual servers, self IP addresses, or secure network address translations (SNATs). | Syslog | f5:bigip:ltm:traffic | None | None |
HTTP server returns excessive data - Error messages that occur when the HTTP server has responded with more data than expected. It either is returning more data than indicated by the Content-Length header, or more data after the ending chunk in Chunked Encoded transfers. | Syslog | f5:bigip:ltm:log:error | None | None |
iControl API data | Modular input | f5:telemetry:json (default) | None | None |
f5:bigip:ts:ltm:locallb:icontrol | None | None | ||
f5:bigip:ts:ltm:locallb:pool:icontrol | None | None | ||
f5:bigip:ts:system:systeminfo:icontrol | None | None | ||
f5:bigip:ts:gtm:globallb:pool:icontrol | None | None | ||
f5:bigip:ts:gtm:globallb:icontrol | None | None | ||
f5:bigip:ts:management:usermanagement:icontrol | None | None | ||
f5:bigip:ts:management:icontrol | None | None | ||
f5:bigip:ts:management:device:icontrol | None | None | ||
f5:bigip:ts:system:statistics:icontrol | None | None | ||
f5:bigip:ts:system:disk:icontrol | None | None | ||
f5:bigip:ts:networking:adminip:icontrol | None | None | ||
f5:bigip:ts:networking:icontrol | None | None | ||
f5:bigip:ts:networking:interfaces:icontrol | None | None |
Supported Telemetry Modules¶
Source type | Telemetry Event Category | Source |
---|---|---|
f5:telemetry:json | APM | f5:bigip:apm |
ASM | f5:bigip:asm | |
AVR | f5:bigip:avr | |
LTM | f5:bigip:ltm | |
syslog | f5:bigip:syslog | |
AFM | f5:bigip:afm | |
systeminfo | f5:bigip:system |
ES and ITSI support for the Splunk Add-on for F5 BIG-IP¶
Logging Method | Configuration Guideline | Event Detail | F5 Module | ES and ITSI Support |
---|---|---|---|---|
Syslog | Configure F5 for Syslog | F5 BIG-IP System/Service events (APM logs are included in the service logs) collected using Syslog | F5 System | ES |
APM | ES | |||
HSL | Configure iRules for LTM | LTM network traffic events using iRule collected using HSL | LTM | ES, ITSI |
Configure iRules for BIG-IP DNS (BIG-IP GTM) | DNS traffic events using iRule (i.e., DNS query and response events) collected using HSL | GTM | - |
Configure F5 Logging Profiles for ASM | ASM events using logging profile (e.g., SQL Injection requests, malicious requests, etc.) collected using HSL | ASM | ES |
Telemetry Streaming | Prepare F5 servers for telemetry streaming | F5 BIG-IP APM logs collected using Telemetry Streaming | APM | - |
LTM network traffic events using iRule collected using Telemetry Streaming | LTM | ES | ||
F5 BIG-IP System statistics events collected using Telemetry Streaming | F5 System | - | ||
ASM events using logging profile (e.g., SQL Injection requests, malicious requests, etc.) collected using Telemetry Streaming | ASM | ES | ||
F5 BIG-IP System logs (Syslog) collected using Telemetry Streaming | F5 System | - | ||
F5 BIG-IP performance and system statistics of the virtual servers (VIPs) | AVR | ES |
Troubleshoot
Troubleshoot the Splunk Add-on for F5 BIG-IP¶
For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
“Destination unreachable” errors¶
Check that port 443 (or whichever port your F5 server uses) is open in your firewall so that the add-on can reach the F5 BIG-IP server through the iControl API over SSL.
422 Unprocessable Entity errors¶
In the Input configuration page, make sure the “Splunk Host” field does not contain “https://”, as that causes this error. The Splunk telemetry package handles the protocol automatically.
Errors¶
You can find most of the runtime errors for the Splunk Add-on for F5 BIG-IP in the $SPLUNK_HOME/var/log/splunk/Splunk_TA_f5_bigip_main.log file or in the respective input's log file at $SPLUNK_HOME/var/log/splunk/splunk_ta_f5_bigip_input-<input_name>.log. You can find other errors in the $SPLUNK_HOME/var/log/splunk/splunkd.log file. The Splunk Add-on for F5 BIG-IP uses a checkpoint to store the parameters with which the API call is made, so the KV Store must be enabled while data collection is performed.
Change the logging level¶
You can change the logging level for this add-on by navigating to Configuration > Logging. The default logging level for the add-on is INFO. You need to re-enable the input to reflect the changes made to the log level.
F5 BIG-IP Telemetry Streaming General Troubleshooting Tips¶
By default, BIG-IP Telemetry Streaming logs to restnoded.log (stored on the BIG-IP at /var/log/restnoded/restnoded.log), at the info level. At the info log level, you can see any errors that BIG-IP Telemetry Streaming encounters. The consumers within BIG-IP Telemetry Streaming also log an error if they are not able to connect to the external system.
Known Limitations¶
The Splunk Add-on for F5 BIG-IP version 6.10.0 collects data from F5 servers using Telemetry Streaming. F5 Telemetry Streaming does not support multiple API calls at the same time: when more than one API call is sent to the Telemetry endpoint, it returns a “503: Service Unavailable” error. Because of this limitation, note the following when collecting data using the modular input:
- Include all the templates for a particular server in a single input.
- When you disable or delete the input, API calls are made to the Telemetry endpoint so that the F5 server stops sending data to the Splunk platform. Because of this, disabling or deleting the input may take some time.
- If some of those API calls fail, they are made again at the next invocation so that data collection is stopped. After all the API calls succeed, a message saying that data collection is complete for the disabled API calls is written to the $SPLUNK_HOME/var/log/splunk/splunk_ta_f5_bigip_input-<input_name>.log file. After that, you can enable the input again to perform the data collection. During that time, the input state displays as enabled in the UI.
- When data collection is in progress and you try to edit, disable or delete the input, an error message tells you that data collection is in progress. Check again after some time.
F5 Telemetry Streaming frequently sends certain internal auditing events, for example:
{"telemetryServiceInfo":{"pollingInterval":300,"cycleStart":"2022-02-18T08:59:38.388Z","cycleEnd":"2022-02-18T08:59:39.300Z"},"telemetryEventCategory":"systemInfo"}
Release Notes
Release notes for the Splunk Add-on for F5 BIG-IP¶
Version 6.4.0 of the Splunk Add-on for F5 BIG-IP was released on Nov 28, 2024.
Compatibility¶
Version 6.4.0 of the Splunk Add-on for F5 BIG-IP is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 9.0.x, 9.1.x, 9.2.x |
CIM | 5.2.0 |
Platforms | Platform independent |
Vendor Products | F5 BIG-IP F5 BIG-IP 11.6.5 - 17.1.0 Licensed LTM, DNS (GTM), APM, AFM, and ASM modules. |
New Features¶
- Introduced the “allowSelfSignedCert” parameter for handling SSL in Telemetry Streaming.
- Enhanced key-value pair extraction for sourcetype f5:bigip:ltm:http:irule.
Fixed issues¶
Version 6.4.0 of the Splunk Add-on for F5 BIG-IP has the following fixed issues:
Known issues¶
Version 6.4.0 of the Splunk Add-on for F5 BIG-IP has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download: Splunk Add-on for F5 BIG-IP third-party software credits
Release history for the Splunk Add-on for F5 BIG-IP¶
Latest release¶
The latest release of the Splunk Add-on for F5 BIG-IP is version 6.4.0. See Release notes for the Splunk Add-on for F5 BIG-IP for the release notes of this latest version.
Version 6.3.0¶
Version 6.3.0 of the Splunk Add-on for F5 BIG-IP was released on September 3, 2024.
Compatibility¶
Version 6.3.0 of the Splunk Add-on for F5 BIG-IP is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 9.0.x, 9.1.x |
CIM | 5.2.0 |
Platforms | Platform independent |
Vendor Products | F5 BIG-IP F5 BIG-IP 11.6.5 - 17.1.0 Licensed LTM, DNS (GTM), APM, AFM, and ASM modules. |
New Features¶
- Fixed the security vulnerabilities found in the urllib3, certifi, and idna libraries by upgrading urllib3 from 1.26.18 to 1.26.19, certifi from 2024.2.2 to 2024.7.4, and idna from 3.6 to 3.7.
- Support for IPv6. Splunk Add-on for F5 BIG-IP v6.3.0 is now compatible with Splunk running in an IPv6 environment.
Fixed issues¶
Version 6.3.0 of the Splunk Add-on for F5 BIG-IP has the following fixed issues:
Known issues¶
Version 6.3.0 of the Splunk Add-on for F5 BIG-IP has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download: Splunk Add-on for F5 BIG-IP third-party software credits
Version 6.2.1¶
Version 6.2.1 of the Splunk Add-on for F5 BIG-IP was released on December 12, 2023.
Compatibility¶
Version 6.2.1 of the Splunk Add-on for F5 BIG-IP is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.2.x, 9.0.x, 9.1.x |
CIM | 5.2.0 |
Platforms | Platform independent |
Vendor Products | F5 BIG-IP 11.6.5 - 17.1.0. Licensed LTM, DNS (GTM), APM, AFM, and ASM modules. |
New Features¶
- Fixed security vulnerabilities found in the urllib3 library by upgrading it from 1.26.13 to 1.26.18.
- Fixed an issue where running inputs could not be modified by users after a Splunk restart.
Fixed issues¶
Version 6.2.1 of the Splunk Add-on for F5 BIG-IP has the following fixed issues:
Known issues¶
Version 6.2.1 of the Splunk Add-on for F5 BIG-IP has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download: Splunk Add-on for F5 BIG-IP third-party software credits
Version 6.2.0¶
Version 6.2.0 of the Splunk Add-on for F5 BIG-IP was released on September 28, 2023.
Compatibility¶
Version 6.2.0 of the Splunk Add-on for F5 BIG-IP is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.2.x, 9.0.x, 9.1.x |
CIM | 5.2.0 |
Platforms | Platform independent |
Vendor Products | F5 BIG-IP 11.6.5 - 17.1.0. Licensed LTM, DNS (GTM), APM, AFM, and ASM modules. |
New Features¶
- Added support for F5 BIG-IP product v17.1.0.
- CIM field enhancements for these sourcetypes:
  - f5:bigip:syslog: "Connection error" related events that carry a source and destination address are mapped to the Network Traffic CIM data model.
  - f5:bigip:apm:syslog: "Assigned PPP", "allow ACL", and "reject ACL" events are mapped to the Network Traffic CIM data model.
  - f5:bigip:apm:syslog: "New session from client IP" events are mapped to the Network Session CIM data model.
  - f5:bigip:gtm:dns:request:irule: events under this sourcetype are mapped to the Network Resolution (DNS) CIM data model.
  - f5:bigip:ltm:ssl:error: "SSL Handshake Failed" events are now mapped under this sourcetype instead of f5:bigip:syslog, and are mapped to the Network Traffic CIM data model.
- Logger enhancements: there is now a separate log file for each input configured in the add-on, with the naming convention splunk_ta_f5_bigip_input-<input_name>.log. It is recommended that you first disable all inputs and then upgrade to the latest version of the add-on, so that the per-input logs contain no discrepancies.
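After the logging change above, an operator wants a quick check that each configured input has its own splunk_ta_f5_bigip_input-<input_name>.log and whether any of them is reporting errors. The following POSIX shell snippet is an added example and is not code from the add-on or from Splunk: it globs the per-input log files in a directory, counts ERROR lines per input, and builds a constructed sample directory so it runs stand-alone. The log line format it assumes ("<timestamp> <LEVEL> <message>") and the sample messages are assumptions, not the add-on's documented format; point F5_LOG_DIR at $SPLUNK_HOME/var/log/splunk to run it against a real deployment.

```shell
#!/bin/sh
# Added example, not part of the Splunk Add-on for F5 BIG-IP.
# Summarize the per-input log files introduced in 6.2.0
# (splunk_ta_f5_bigip_input-<input_name>.log) by counting ERROR lines.

# Usage: f5_input_log_summary <log_dir>
# Prints one line per input in glob (alphabetical) order: "<input_name> <error_count>"
f5_input_log_summary() {
    dir="$1"
    for f in "$dir"/splunk_ta_f5_bigip_input-*.log; do
        [ -e "$f" ] || continue                    # glob matched nothing: no per-input logs yet
        name=$(basename "$f" .log)
        name=${name#splunk_ta_f5_bigip_input-}     # strip the fixed prefix, keep <input_name>
        # grep -c prints 0 and exits 1 when nothing matches; keep the 0 instead of failing
        count=$(grep -c ' ERROR ' "$f" || true)
        printf '%s %s\n' "$name" "$count"
    done
}

# Constructed sample log directory for a stand-alone run. The line format
# "<timestamp> <LEVEL> <message>" is an assumption for this example only.
make_sample_logs() {
    dir=$(mktemp -d)
    printf '%s\n' \
        '2024-09-03 10:00:00 INFO  starting collection' \
        '2024-09-03 10:00:05 ERROR connection refused by telemetry endpoint' \
        '2024-09-03 10:00:10 ERROR retry failed' \
        > "$dir/splunk_ta_f5_bigip_input-ltm_stats.log"
    printf '%s\n' \
        '2024-09-03 10:00:00 INFO  starting collection' \
        > "$dir/splunk_ta_f5_bigip_input-asm_events.log"
    echo "$dir"
}

# Run against a real log directory when F5_LOG_DIR is set,
# e.g. F5_LOG_DIR="$SPLUNK_HOME/var/log/splunk" sh this_script.sh
if [ -n "${F5_LOG_DIR:-}" ]; then
    f5_input_log_summary "$F5_LOG_DIR"
fi
```

An input whose log file is missing entirely is just as informative as one with errors: it means the input never started after the upgrade, which is the discrepancy the disable-before-upgrade advice above is meant to avoid.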
Fixed issues¶
Version 6.2.0 of the Splunk Add-on for F5 BIG-IP has the following fixed issues:
Known issues¶
Version 6.2.0 of the Splunk Add-on for F5 BIG-IP has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download: Splunk Add-on for F5 BIG-IP third-party software credits
Version 6.1.1¶
Version 6.1.1 of the Splunk Add-on for F5 BIG-IP was released on March 6, 2023.
Compatibility¶
Version 6.1.1 of the Splunk Add-on for F5 BIG-IP is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 5.0.2 |
Platforms | Platform independent |
Vendor Products | F5 BIG-IP 11.6.5 - 17.0.0. Licensed LTM, DNS (GTM), APM, AFM, and ASM modules. |
New Features¶
- Fixed a security vulnerability found in the certifi library.
Fixed issues¶
Version 6.1.1 of the Splunk Add-on for F5 BIG-IP has the following fixed issues:
Known issues¶
Version 6.1.1 of the Splunk Add-on for F5 BIG-IP has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download: Splunk Add-on for F5 BIG-IP third-party software credits
Version 6.0.0¶
Version 6.0.0 of the Splunk Add-on for F5 BIG-IP was released on Mar 7, 2022.
Compatibility¶
Version 6.0.0 of the Splunk Add-on for F5 BIG-IP is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 5.0.0 |
Platforms | Platform independent |
Vendor Products | F5 BIG-IP 11.6.5 - 16.1.0. Licensed LTM, DNS (GTM), APM, AFM, and ASM modules. |
New Features¶
- Migrated the data collection from the SOAP API to Telemetry Streaming. Users will have to reconfigure the Accounts, Templates and Inputs to start the data collection using Telemetry Streaming.
- Added support for the AFM module for Telemetry Streaming.
- Added the Intrusion Detection Data Model for ASM module events.
- The events for the f5:bigip:gtm:dns:response:irule source type will be mapped to the Network DNS Resolution Data Model.
- Removed the support for partitions from the Server Configuration.
- The data collected using the SOAP API will be parsable and searchable, but the user will no longer be able to collect the data using the SOAP API.
Upgrade Guide¶
The Splunk Add-on for F5 BIG-IP version 6.0.0 collects data using Telemetry Streaming. If you configured any custom template to collect data from the SOAP API, you need to locate the REST API replacement for that SOAP API in order to collect the data with the new version of this add-on. For more information, see Create New Templates.
- You will need to reconfigure the inputs to start the data collection. For more information on creating inputs for this add-on, see Create Inputs.
Migration from other add-ons¶
There is no migration path for the other add-ons on Splunkbase to the Splunk Add-on for F5 BIG-IP.
The Splunk Add-on for F5 BIG-IP is a Splunk supported add-on for the LTM, GTM, APM, and ASM BIG-IP modules. It does not replace existing add-ons on Splunkbase that collect data from F5 devices.
You can install the Splunk Add-on for F5 BIG-IP into an existing Splunk platform deployment that has the other add-ons installed, as long as the add-ons do not share the same port or source types.
Add-on comparison
| Splunk Add-on for F5 BIG-IP 5.1.0 | Splunk for F5 Access | Splunk for F5 Networks | Splunk for F5 Security |
---|---|---|---|---|
Sourcetype | See the source types topic for a full list | syslog | No default source type | No default source type |
Domain | LTM, GTM, APM, ASM | APM, FirePass | LTM, AFM | ASM, APM |
Port | 9514/9515 | 514 | No default port | No default port |
Splunk platform version | 8.0+ | 4.0 to 6.0 | 4.0 to 6.0 | 4.0 to 6.0 |
Fixed issues¶
Version 6.0.0 of the Splunk Add-on for F5 BIG-IP has the following fixed issues:
Known issues¶
Version 6.0.0 of the Splunk Add-on for F5 BIG-IP has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download: Splunk Add-on for F5 BIG-IP third-party software credits
Version 5.1.0¶
Version 5.1.0 of the Splunk Add-on for F5 BIG-IP was released on July 12, 2021.
Compatibility¶
Version 5.1.0 of the Splunk Add-on for F5 BIG-IP is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 4.18.1 |
Platforms | Platform independent |
Vendor Products | F5 BIG-IP 11.6.5 - 15.1.0. Licensed LTM, DNS (GTM), APM, and ASM modules. |
New Features¶
- Fast and intuitive UI with a better look and feel.
- Provides a critical security fix by removing jQuery 2.
- Removed Python 2 support. Only Python 3 is supported from now on.
- Fixed an issue where a server error stopped data collection.
Upgrade guide¶
If you are upgrading from the Splunk Add-on for F5 BIG-IP 2.2.0 or earlier to the Splunk Add-on for F5 BIG-IP 2.3.0 or later, note that version 2.2.0 and earlier collected data from the Common partition only. After you upgrade to version 3.0.0 or later, data is collected by default from all of the partitions on the F5 BIG-IP servers that are configured for data collection. You can change this by editing your existing server configuration on the Manage F5 Servers page (Configuration > Server) and updating the Partitions field. If you want to continue to collect data from only the Common partition, type Common in this field and click Update.
Migration from other add-ons¶
There is no migration path for the other add-ons on Splunkbase to the Splunk Add-on for F5 BIG-IP.
The Splunk Add-on for F5 BIG-IP is a Splunk supported add-on for the LTM, GTM, APM, and ASM BIG-IP modules. It does not replace existing add-ons on Splunkbase that collect data from F5 devices.
You can install the Splunk Add-on for F5 BIG-IP into an existing Splunk platform deployment that has the other add-ons installed, as long as the add-ons do not share the same port or source types.
| Splunk Add-on for F5 BIG-IP 5.1.0 | Splunk for F5 Access | Splunk for F5 Networks | Splunk for F5 Security |
---|---|---|---|---|
Sourcetype | See the source types topic for a full list | syslog | No default source type | No default source type |
Domain | LTM, GTM, APM, ASM | APM, FirePass | LTM, AFM | ASM, APM |
Port | 9514/9515 | 514 | No default port | No default port |
Splunk platform version | 8.0+ | 4.0 to 6.0 | 4.0 to 6.0 | 4.0 to 6.0 |
Fixed issues¶
Version 5.1.0 of the Splunk Add-on for F5 BIG-IP has the following fixed issues:
Known issues¶
Version 5.1.0 of the Splunk Add-on for F5 BIG-IP has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 5.1.0 of the Splunk Add-on for F5 BIG-IP incorporates the following third-party software or libraries.
Version 5.0.0¶
Version 5.0.0 of the Splunk Add-on for F5 BIG-IP was released on March 18, 2021.
Compatibility¶
Version 5.0.0 of the Splunk Add-on for F5 BIG-IP is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.3.x, 8.0.x, 8.1.x |
CIM | 4.18.1 |
Platforms | Platform independent |
Vendor Products | F5 BIG-IP 11.6.5 - 15.1.0. Licensed LTM, DNS (GTM), APM, and ASM modules. |
New Features¶
- The UI of the add-on has been migrated to the UCC framework.
- Logging can now be configured from the UI.
- The passwords, templates, servers, and tasks configured by existing users are automatically migrated to the latest version of the add-on.
- The data from the f5_bigip_tasks.conf, f5_bigip_templates.conf, and f5_bigip_servers.conf files is migrated to the inputs.conf, f5_templates.conf, and f5_servers.conf files respectively.
- When the stanzas are migrated from the f5_bigip_tasks.conf, f5_bigip_servers.conf, and f5_bigip_templates.conf files, the data in those files remains intact. The data is copied to the new conf files, and the new files are the ones used for data collection.
- Support for Destination App for servers, templates, and inputs has been removed from the latest version of the add-on.
- A separate process is spawned for each input, which improves CPU utilization.
Additional Release Notes¶
- The data collection logs are written to the Splunk_TA_f5_bigip_main.log file, which can be found under $SPLUNK_HOME/var/log/splunk.
- The migration scripts migrate_existing_inputs, migrate_existing_passwords, and migrate_existing_templates log to migrate_existing_inputs.log, migrate_existing_passwords.log, and migrate_existing_templates.log respectively. These log files can be found under $SPLUNK_HOME/var/log/splunk.
Upgrade guide¶
If you are upgrading from the Splunk Add-on for F5 BIG-IP 2.2.0 or earlier to the Splunk Add-on for F5 BIG-IP 2.3.0 or later, note that version 2.2.0 and earlier collected data from the Common partition only. After you upgrade to version 3.0.0 or later, data is collected by default from all of the partitions on the F5 BIG-IP servers that are configured for data collection. You can change this by editing your existing server configuration on the Manage F5 Servers page (Configuration > Server) and updating the Partitions field. If you want to continue to collect data from only the Common partition, type Common in this field and click Update.
Migration from other add-ons¶
There is no migration path for the other add-ons on Splunkbase to the Splunk Add-on for F5 BIG-IP.
The Splunk Add-on for F5 BIG-IP is a Splunk supported add-on for the LTM, GTM, APM, and ASM BIG-IP modules. It does not replace existing add-ons on Splunkbase that collect data from F5 devices.
You can install the Splunk Add-on for F5 BIG-IP into an existing Splunk platform deployment that has the other add-ons installed, as long as the add-ons do not share the same port or source types.
| Splunk Add-on for F5 BIG-IP 5.0.0 | Splunk for F5 Access | Splunk for F5 Networks | Splunk for F5 Security |
---|---|---|---|---|
Sourcetype | See the source types topic for a full list | syslog | No default source type | No default source type |
Domain | LTM, GTM, APM, ASM | APM, FirePass | LTM, AFM | ASM, APM |
Port | 9514/9515 | 514 | No default port | No default port |
Splunk platform version | 7.3+ | 4.0 to 6.0 | 4.0 to 6.0 | 4.0 to 6.0 |
Fixed issues¶
Version 5.0.0 of the Splunk Add-on for F5 BIG-IP has the following fixed issues:
Known issues¶
Version 5.0.0 of the Splunk Add-on for F5 BIG-IP has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 5.0.0 of the Splunk Add-on for F5 BIG-IP incorporates the following third-party software or libraries.
Version 4.0.1¶
Version 4.0.1 of the Splunk Add-on for F5 BIG-IP was released on October 13, 2020.
Compatibility¶
Version 4.0.1 of the Splunk Add-on for F5 BIG-IP is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.2.x, 7.3.x, 8.0.x |
CIM | 4.17 |
Platforms | Platform independent |
Vendor Products | F5 BIG-IP 11.6.5 - 15.1.0. Licensed LTM, DNS (GTM), APM, and ASM modules. |
New Features¶
- Migrated to the new Telemetry Streaming data collection mechanism, available for F5 BIG-IP version 13.1 and later.
- Added support for the new AVR event type.
- Improved support for Splunk Connect for Syslog.
Upgrade guide¶
If you are upgrading from the Splunk Add-on for F5 BIG-IP 2.2.0 or earlier to the Splunk Add-on for F5 BIG-IP 2.3.0 or later, note that version 2.2.0 and earlier collected data from the Common partition only. After you upgrade to version 3.0.0 or later, data is collected by default from all of the partitions on the F5 BIG-IP servers that are configured for data collection. You can change this by editing your existing server configuration on the Manage F5 BIG-IP Servers page (Configurations > Servers) and updating the Partitions field. If you want to continue to collect data from only the Common partition, type Common in this field and click Update.
Migration from other add-ons¶
There is no migration path for the other add-ons on Splunkbase to the Splunk Add-on for F5 BIG-IP.
The Splunk Add-on for F5 BIG-IP is a Splunk supported add-on for the LTM, GTM, APM, and ASM BIG-IP modules. It does not replace existing add-ons on Splunkbase that collect data from F5 devices.
You can install the Splunk Add-on for F5 BIG-IP into an existing Splunk platform deployment that has the other add-ons installed, as long as the add-ons do not share the same port or source types.
| Splunk Add-on for F5 BIG-IP 4.0.1 | Splunk for F5 Access | Splunk for F5 Networks | Splunk for F5 Security |
---|---|---|---|---|
Sourcetype | See the source types topic for a full list | syslog | No default source type | No default source type |
Domain | LTM, GTM, APM, ASM | APM, FirePass | LTM, AFM | ASM, APM |
Port | 9514/9515 | 514 | No default port | No default port |
Splunk platform version | 7.2+ | 4.0 to 6.0 | 4.0 to 6.0 | 4.0 to 6.0 |
Fixed issues¶
Version 4.0.1 of the Splunk Add-on for F5 BIG-IP has the following fixed issues:
Known issues¶
Version 4.0.1 of the Splunk Add-on for F5 BIG-IP has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 4.0.1 of the Splunk Add-on for F5 BIG-IP incorporates the following third-party software or libraries.
Release notes for the Splunk Add-on for F5 BIG-IP Version 3.1.0¶
Version 3.1.0 of the Splunk Add-on for F5 BIG-IP was released on April 16, 2020.
Compatibility¶
Version 3.1.0 of the Splunk Add-on for F5 BIG-IP is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.2.x, 7.3.x, 8.0.x |
CIM | 4.15 |
Platforms | Platform independent |
Vendor Products | F5 BIG-IP 11.6.5 - 15.1.0. Licensed LTM, DNS (GTM), APM, and ASM modules. |
New Features¶
- Support for Python 3 by default
- FIPS Certification
- Support through v15.1.0 of F5 BIG-IP
Upgrade guide¶
If you are upgrading from the Splunk Add-on for F5 BIG-IP 2.2.0 or earlier to the Splunk Add-on for F5 BIG-IP 2.3.0 or later, note that version 2.2.0 and earlier collected data from the Common partition only. After you upgrade to version 3.0.0 or later, data is collected by default from all of the partitions on the F5 BIG-IP servers that are configured for data collection. You can change this by editing your existing server configuration on the Manage F5 BIG-IP Servers page (Configurations > Servers) and updating the Partitions field. If you want to continue to collect data from only the Common partition, type Common in this field and click Update.
Migration from other add-ons¶
There is no migration path for the other add-ons on Splunkbase to the Splunk Add-on for F5 BIG-IP.
The Splunk Add-on for F5 BIG-IP is a Splunk supported add-on for the LTM, GTM, APM, and ASM BIG-IP modules. It does not replace existing add-ons on Splunkbase that collect data from F5 devices.
You can install the Splunk Add-on for F5 BIG-IP into an existing Splunk platform deployment that has the other add-ons installed, as long as the add-ons do not share the same port or source types.
| Splunk Add-on for F5 BIG-IP 3.1.0 | Splunk for F5 Access | Splunk for F5 Networks | Splunk for F5 Security |
---|---|---|---|---|
Sourcetype | See the source types topic for a full list | syslog | No default source type | No default source type |
Domain | LTM, GTM, APM, ASM | APM, FirePass | LTM, AFM | ASM, APM |
Port | 9514/9515 | 514 | No default port | No default port |
Splunk platform version | 7.2+ | 4.0 to 6.0 | 4.0 to 6.0 | 4.0 to 6.0 |
Fixed issues¶
Version 3.1.0 of the Splunk Add-on for F5 BIG-IP has the following fixed issues:
Known issues¶
Version 3.1.0 of the Splunk Add-on for F5 BIG-IP has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 3.1.0 of the Splunk Add-on for F5 BIG-IP incorporates the following third-party software or libraries.
Version 3.0.0¶
Version 3.0.0 of the Splunk Add-on for F5 BIG-IP was released on October 21, 2019.
Compatibility¶
Version 3.0.0 of the Splunk Add-on for F5 BIG-IP is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
CIM | 4.12 |
Platforms | Platform independent |
Vendor Products | F5 BIG-IP 10.1 - 12.X. Licensed LTM, DNS (GTM), APM, and ASM modules. |
Versions 2.7.0 and earlier of the Splunk Add-on for F5 BIG-IP are incompatible with versions 8.0 and later of the Splunk platform.
Upgrade guide¶
If you are upgrading from the Splunk Add-on for F5 BIG-IP 2.2.0 or earlier to the Splunk Add-on for F5 BIG-IP 2.3.0 or later, note that version 2.2.0 and earlier collected data from the Common partition only. After you upgrade to version 3.0.0, by default data will be collected from all of the partitions on the F5 BIG-IP servers that are configured for data collection. You can change this by editing your existing server configuration on the Manage F5 BIG-IP Servers page (Configurations > Servers) and updating the Partitions field. If you want to continue to collect data from only the Common partition, type Common in this field and click Update.
Migration from other add-ons¶
There is no migration path for the other add-ons on Splunkbase to the Splunk Add-on for F5 BIG-IP.
The Splunk Add-on for F5 BIG-IP is a Splunk supported add-on for the LTM, GTM, APM, and ASM BIG-IP modules. It does not replace existing add-ons on Splunkbase that collect data from F5 devices.
You can install the Splunk Add-on for F5 BIG-IP into an existing Splunk platform deployment that has the other add-ons installed, as long as the add-ons do not share the same port or source types.
| Splunk Add-on for F5 BIG-IP 3.0.0 | Splunk for F5 Access | Splunk for F5 Networks | Splunk for F5 Security |
---|---|---|---|---|
Sourcetype | See the source types topic for a full list | syslog | No default source type | No default source type |
Domain | LTM, GTM, APM, ASM | APM, FirePass | LTM, AFM | ASM, APM |
Port | 9514/9515 | 514 | No default port | No default port |
Splunk platform version | 6.5+ | 4.0 to 6.0 | 4.0 to 6.0 | 4.0 to 6.0 |
Fixed issues¶
Version 3.0.0 of the Splunk Add-on for F5 BIG-IP has the following fixed issues:
Known issues¶
Version 3.0.0 of the Splunk Add-on for F5 BIG-IP has the following reported known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 3.0.0 of the Splunk Add-on for F5 BIG-IP incorporates the following third-party software or libraries.