F5 Analytics iApp

Problem this snippet solves:

Analytics iApp v3.7.0

You can use this fully supported version of the analytics iApp template to marshal statistical and logging data from the BIG-IP system. The iApp takes this data and formats it as a JSON object which is then exported for consumption by data consumers, such as F5 BIG-IQ or applications such as Splunk.

The Analytics iApp allows you to configure several categories of data to be exported. For data consumers like Splunk, the iApp lets you configure the network endpoint to which the data is sent.

Version 3.7.0 of the iApp template is fully supported by F5 and available on downloads.f5.com. We recommend all users upgrade to this version. For more information, see https://support.f5.com/csp/article/K07859431.

While this version of the iApp is nearly identical to v3.6.13, which was available on this page, the major difference (other than being fully supported) is that the ability to gather APM statistics using the iApp has been removed from BIG-IP versions prior to 12.0.

Supported/Tested BIG-IP versions: 11.4.0 - 12.1.2.

Data Sources: LTM, GTM, AFM, ASM, APM, SWG, and iHealth (APM statistics require 12.0 or later)

Data Output Formats: Splunk, F5 Analytics, F5 Risk Engine

Splunk App: https://apps.splunk.com/apps/id/f5

The new deployment guide can be found on F5.com: http://f5.com/pdf/deployment-guides/f5-analytics-dg.pdf

Comments on this Snippet
Comment made 19-May-2016 by Shingo 2
Thank you Analytics iApp. I tried iApp. can not see Analytics. [Error in 'TsidxStats': WHERE clause is not an exact query] Do you know a cause?
2
Comment made 20-May-2016 by Ken Bocchino
@Shingo Yamada can you provide more details on the dashboard and panel displaying this message? I have found that if you're looking at the dashboards immediately after installation of the app you may see some delays and or errors b/c the data models are just starting to be built. You can see the status of the data models under Settings->Data Models and by clicking on the left > to see build status. Also verify you are receiving data into Splunk "index=* source=bigip.* | stats count by index sourcetype source" If you're still having issues feel free to reach out to me via email at KB@F5.com
1
Comment made 07-Jun-2016 by Shingo 2
Thank you for your help!!. 「index=* source=bigip.*」 Success !!
0
Comment made 27-Jul-2016 by Agung D S P 0

Hello Ken,

Could you please give me the link to download the analytics template? I mean the .tmpl file.

0
Comment made 04-Aug-2016 by Hung Pham 0

Hi Ken,

Can you give me the analytics template file

Thanks

0
Comment made 14-Sep-2016 by richard.polyak@nbcuni.com 18

Has anybody run into issues running this?

0
Comment made 21-Sep-2016 by Tushar_K 3

Can you give me the analytics template file

0
Comment made 06-Oct-2016 by AL 0

Can I get a link to download the iapp?

0
Comment made 17-Oct-2016 by tom6507 0

Hi Ken,

Can you give me the analytics template file

Thanks

0
Comment made 04-Nov-2016 by jonathan@clearshark.com 62

Tried deploying the iAPP and received the following error

script did not successfully complete: (script did not successfully complete: ("global-settings" unexpected argument while executing "tmsh::modify [string range $args 7 end] " ("modify" arm line 1) invoked from within "switch -exact -- [string range $args 0 5] { create { tmsh::create [string range $args 7 end] } modify { tmsh::modify [string r..." (procedure "iapp::conf" line 14) invoked from within "iapp::conf modify analytics global-settings avrd-interval 300" invoked from within "if {$::basic__format != "F5 Risk Engine" && $::basic__format != "F5 BIG-IQ" && $::basic__logging == "Yes"} { set deviceinfo "non exist" catch {se..." line:5073) while executing "exec /usr/bin/tmsh -c $command" (procedure "tmsh_exe" line 4) invoked from within "tmsh_exe "create sys application service /Common/${::app}-local { template f5.analytics traffic-group traffic-group-local-only variables replace-all-..." invoked from within "if { $createiapp == "Yes" } {

set existing_iapp "non exist" catch {set existing_iapp [tmsh::get_config sys application service /Common/${::app}-..." line:5052)

Anybody else running into this?

0
Comment made 11-Nov-2016 by Philip Lim 1

Nice screenshots. I see the latest version on the Splunk apps page is Version: 0.9.11. Anyone know if this can be done in Splunk Light or download?

0
Comment made 14-Nov-2016 by Hyder 248

Hi,

Thanks for this excellent iApp. Unfortunately, cannot find the link for the template. Could you please advise what the link will be for the version of 11.6.0?

Cheers.

Best regards

Hyder

0
Comment made 07-Dec-2016 by richard.polyak@nbcuni.com 18

Hi Ken,

Question will this iApp work on a GTM provisioned device only? Also could you provide me the latest version of the iApp.

Thx -Rich

0
Comment made 08-Dec-2016 by Ken Bocchino

@Richard, yes this will work with a GTM only device.

0
Comment made 19-Dec-2016 by Raul Camacho 0

Getting the following error when trying to import the iApp (f5.analytics-nosessiondump.tmpl):

Loading configuration... /tmp/upload_template.tmpl 01070712:3: Caught configuration exception (0), ERROR app_template - /Common/f5.analytics definition: line 236 [Proc not found] [tmsh::run_proc f5.app_utils:get_bigip_version_is_equal_or_later 13.0.0] line 340 [use curly braces to avoid double substitution] [($start_hour] line 341 [use curly braces to avoid double substitution] [($end_hour] line 343 [use curly braces to avoid double substitution] [$end_minute] line 351 [use curly braces to avoid double substitution] [$start_random] line 355 [use curly braces to avoid double substitution] [round("00.[lindex $start_random 1]"] line 423 ["\s" has no meaning. Did you mean "\s" or "s"?] [{.Version\s(\S)\s}] line 423 ["\S" has no meaning. Did you mean "\S" or "S"?] [{.Version\s(\S)\s}] line 423 ["\s" has no meaning. Did you mean "\s" or "s"?] [{.Version\s(\S)\s}] line 4366 [use curly braces to avoid double substitution] [$nonpriority] line 4369 [use curly braces to avoid double substitution] [$nonpriority] line 4420 [undefined procedure: iapp::c Unexpected Error: Loading configuration process failed.

Running BIGIP version 11.x, no APM.

The readme text file states the following. Should I be importing the "nosession" template or the other?

• If you’re not using APM -> f5.analytics-nosessiondump.tmpl
• If you’re running APM with 12.x -> f5.analytics-nosessiondump.tmpl
• If you’re running APM with version 11.x -> f5.analytics.tmpl

0
Comment made 19-Dec-2016 by Ken Bocchino

@Raul Camacho What version of 11 are you running? 11.4.0-11.6.1?

0
Comment made 19-Dec-2016 by Raul Camacho 0

I think that may be the problem. We are on 11.1. Will be upgrading to 12.1 very soon. I will try this install again at that time.

0
Comment made 19-Dec-2016 by Ken Bocchino

Yep, that would be the case, the iApp works with versions 11.4.0 and higher.

0
Comment made 21-Dec-2016 by adamp 77

great iapp however it spams the \var\log\ltm with debug logs,(stats ....) what's the best way to disable the debug notice?

0
Comment made 21-Dec-2016 by Ken Bocchino

@adamp this can be disabled: Do you want to display advanced options? "Yes"; Information Sources -> Log Stats Responses "No"

0
Comment made 21-Dec-2016 by adamp 77

great thanks a lot

0
Comment made 11-Jan-2017 by Neil David Harries 0

Hi, I am using 12.1.1 with APM and using template nosession_dump. The app will be potentially very useful, however all my apps have a health index 0.0 which is not correct. Please see attached image.

I have configured one map entry for simplicity using the Virtual Name and regex \/Common\/(.*)

Also there are no APM statistics at all

Any advice greatly appreciated

0
Comment made 11-Jan-2017 by Ken Bocchino

How long has the BIG-IP been sending data to Splunk? The health calculation is calculated over a period of 24 hours. Further you can go into the application drill down for a specific application to understand the low health score, further still you can view a user defined time period of health by viewing the application health under the admin health page.

0
Comment made 11-Jan-2017 by Neil David Harries 0

Thanks for the quick response, I will wait for a full 24hrs. Will APM session information be available soon?

0
Comment made 11-Jan-2017 by Ken Bocchino

If you have APM sessions on the device you should be seeing that data now, index=* source=bigip.sessiondb

0
Comment made 11-Jan-2017 by Neil David Harries 0

I do not have that source, is this a configuration problem? As mentioned above I used f5.analytics-nosessiondump.tmpl.

I configured the Push SessionDB stats (APM) to yes

0
Comment made 11-Jan-2017 by Ken Bocchino

You have it configured correctly, will verify 12.1.1 APM session status in our lab.

0
Comment made 13-Jan-2017 by richard.polyak@nbcuni.com 18

Keith,

Great work on this iApp / Splunk app. I am testing this on about 10 pairs. about half I in splunk the are all the Virtual Servers are reporting up as a health of 0.00. What I am seeing in the F5 logs is the below response

debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313060 1 400
debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313120 0 400
debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313120 1 400

What should I be looking for to resolve this and return a 200?

Thx Rich

0
Comment made 13-Jan-2017 by Ken Bocchino

do you have any ' [ ] etc in virtual descriptions? also try turning off search inside irules within the application mapping section.

0
Comment made 13-Jan-2017 by richard.polyak@nbcuni.com 18

Keith so I did some testing today, and luckily I have a lightly used LB pair to work with.

This LB has only 8 Virtual Servers with no special characters in the names or anything in the descriptions. Neither on the pools or nodes. Nodes are named via the IP. We are running 11.5.4 HF2.

If I disable push configuration map then I receive a 200.

This is the format for my Virtual Servers vs_fqdn_port, as an example vs_www.f5.com_80

I went through all my profiles and I do not see anything out of the norm.

Thx Rich

0
Comment made 13-Jan-2017 by Ken Bocchino

Have you attempted to set search iRules = No under the Application Mapping Section?

What does your app mapping section look like, can you send me your mapping export string?

0
Comment made 13-Jan-2017 by richard.polyak@nbcuni.com 18

Yes I did try that with no luck.

Below is my mapping

ltm data-group internal vs_analytics-send_stats { app-service /Common/vs_analytics.app/vs_analytics records { application_mapping { data "{10000000000} {App Name~virtual_name~(.*)~Map~~} " } avr_commands {

or mapping export string: ezEwMDAwMDAwMDAwfSB7QXBwIE5hbWV+dmlydHVhbF9uYW1lfiguKil+TWFwfn59IAo=

And I tried removing the (.*) as well.

0
Comment made 14-Jan-2017 by Ken Bocchino

@richard, in working in PM, looks like you needed to add the correct indexes when using the RBAC options. The splunk server was rejecting some of the tenant mapped index names.

0
Comment made 09-Feb-2017 by Stephen Mathezer 0

I am seeing the following message repeated in /var/log/ltm:

debug scriptd[32475]: 01420004:7: Stats Response for analytics 1486699800 1 fail

(sometimes it is "0 fail", sometimes "1 fail")

Also, /tmp is filling up with sesslist-* files and I am not seeing anything other than vanilla syslog on the Splunk side. Any suggestions for where to start troubleshooting?

Running 11.5.3 HF2 with APM and using f5.analytics.tmpl

thanks

0
Comment made 18-Feb-2017 by VolvoT 0

Hi,

We're also seeing similar logs in the /var/log/ltm. What could be the reason for failure ?

Thanks

0
Comment made 21-Feb-2017 by Ken Bocchino

There are several reasons you could be receiving the "fail" response. this message occurs when the stats send process is unable to get a clean response from the Splunk HEC endpoint. It could be as simple as a connectivity issue to the Splunk server, check to see if you can curl to the server curl -k https://. Verify your protocol type HTTP vs HTTPS. If that is good ensure that the indexes you are using align, i.e. if you're using RBAC a missing index could be the cause. You can also get more details viewing /shared/tmp/"iappname"-stats_output_0 to view the response from the Splunk server.

0
Comment made 23-Feb-2017 by VolvoT 0

Thanks for the reply. It was simple firewall issue.. F5 was unable to make a connection with the Splunk on 8088 port. Issue resolved...

0
Comment made 28-Feb-2017 by whootang 129

Does anyone know if you can get this and the F5 App working on the free Splunk trial? i am trying to demo this to management before they sink the big coin for the cloud splunk instance.

Cheers R

0
Comment made 28-Feb-2017 by Walter Kacynski 973

Yes, I had it running on an Eval copy of Splunk.

0
Comment made 28-Feb-2017 by Shayza 0

Hello,

I installed f5.analytics-nosessiondump.tmpl on my i5600, all configuration looks OK. I didn't find any error and in tcpdump I can see that the relevant syslog packets are sending.

The main problem is that I cannot see any relevant information about the i5600 (nothing).

I tried to work with asterisks on the regex, I thought that I may see something, but still, everything is blank. I may concern that it because that I'm working with partitions and the iApp was installed on Common.

Has someone had the chance to make F5/Splunk integration with different partitions?

Thanks, S

0
Comment made 28-Feb-2017 by Ken Bocchino

Multiple partitions works without issue, the iApp is installed into common. Are you getting 200 OK status from the stats response? Are you seeing any device info in the device dashboard? can you do a index=* | stats count by host source sourcetype index?

0
Comment made 28-Feb-2017 by Shayza 0

Hi, I'm getting the following event, Log Level:notice Service: scriptd[20602] Status Code: 01420004 Event: Stats Response for SPLUNK 1488265770 0 400

I cannot see any device info in the dashboard.

Regarding to index=* | stats count by host source sourcetype index, I executed it. Seems that there is nothing. I do have regular syslog data in a different service (514), when for the dashboard I'm working with 8808.

0
Comment made 28-Feb-2017 by Ken Bocchino

Sounds like an auth issue when sending the data to Splunk, make sure you have setup HEC correctly. Verify the auth token etc.

0
Comment made 28-Feb-2017 by The-messenger 359

Ken, have you considered this iapp for VCMP host reporting?

0
Comment made 28-Feb-2017 by Ken Bocchino

yes this also captures VCMP data, you need to install the iapp on the host system and on the guest systems, you will see guest details within the device cluster drilldown,

0
Comment made 28-Feb-2017 by The-messenger 359

Thanks!

0
Comment made 01-Mar-2017 by Shayza 0

Hi, So it seems that I'm getting 200 OK now and I have some data in Splunk. But, most of the data is still missing and or not current. I'm not sure, but I'm thinking that it's an index issue.

Any idea?

0
Comment made 01-Mar-2017 by whootang 129

am i having the same problem above running on v13, i followed the video tut and the pdf, but i assume im missing some fundamental setting but cant find it.

showing stats response from splunk 142340** 0 400
showing stats response from splunk 142340** 1 400

0
Comment made 02-Mar-2017 by Shayza 0

Ryzilla, I followed Ken's recommendations. Make sure that your HEC setup is right. In my case I needed to change the auth token.

As I mentioned in my last post, now I have another issue.

Regards,

1
Comment made 02-Mar-2017 by whootang 129

yeah thanks Shayza, which ones are you referring to? yeah my HFC is setup changed the token a few times to make sure and still no luck

0
Comment made 02-Mar-2017 by The-messenger 359

Great iapp!

I removed an older version and configured the latest version. In the ltm logs I now see State response fail messages followed by several /Common/ir-splunk_analytics-hec-forwarder-udp-snmptrap - can't read "msg": no such variable while executing "string trimright $msg ",""

0
Comment made 06-Mar-2017 by Stephen Mathezer 0

So, I was having connectivity issues which have now been resolved, but I am seeing the following error every 5 minutes. The file names rotate between _0, _1 and _2. The thing is, the files are there and world readable. Any idea what could be causing this?

Script (/Common/splunk.analytics-send_stats) generated this Tcl error: (script did not successfully complete: (could not read "/shared/tmp/splunk.analytics-stats_1": no such file or directory while executing "file size "$filename$currentfile"" ("foreach" body line 24) invoked from within "foreach virtual $virtual_list { set virtual_name "/[tmsh::get_name $virtual]" #assign tenant, application, and tier

0
Comment made 14-Mar-2017 by mkolozs 10

Great APP! I installed v3.6.13 and Splunk app 1.0.0. Unfortunately, I only see partial data for Device Status dashboard. Missing fields are version, build, serial, platform. Any suggestion how to fix this? Other data are there in index=f5-default source = bigip.tmsh.system_status sourcetype = f5:bigip:status:iapp:json

Appreciate in advance.

0
Comment made 15-Mar-2017 by jonathan@clearshark.com 62

Great app! Alot of potential for being the best ADC visibility app out there on splunk.

One thing I'm having issues with and I think its how the search was constructed is the Application Drill down dashboard, SSL Certificates panel. I can only return the latest certificate object, ssl profile that has been reported to splunk. The search is as follows

| tstats latest(all.cert_name), latest(all.cert_expiration_date), latest(all.cert_expiration_date_human),latest(all.CN) from datamodel=bigip-objectmodel-cert by host,all.devicegroup,all.facility | rename latest(all.*) AS * all.* AS * | join host cert_name [| tstats latest(all.cert_name) from datamodel=bigip-objectmodel-profile where all.profile_type="client-ssl" by host, all.devicegroup, all.facility, all.profile_name | rename latest(all.*) AS * all.* AS * ] | join host profile_name [| tstats values(all.app), latest(all.tenant) from datamodel=bigip-objectmodel-virtual-profiles by host, all.devicegroup, all.facility, all.profile_name | rename latest(all.*) AS * values(all.*) as * all.* AS * ] | makemv delim=" " app | mvexpand app | search tenant=tenant_a app=mail.clearshark.net | rename cert_expiration_date_human AS expires | eval days_remaining=round((cert_expiration_date-now())/(3600*24),0) | sort days_remaining | table facility,devicegroup,cert_name,CN,expires,days_remaining

All of my cert objects, ssl profile objects and virtual profile objects are being reported correctly into splunk. It seems this search though only returns the latest (hence the latest command) ssl cert object and joins all post objects in the search. It then searches for the requested app. Unfortunately, if the app isn't associated with this ssl profile, you do not get any results. I think instead of latest, values should be used with the mvexpand command. I've replaced the search with this

| tstats values(all.cert_name), values(all.cert_expiration_date), values(all.cert_expiration_date_human),values(all.CN) from datamodel=bigip-objectmodel-cert by host,all.devicegroup,all.facility | rename values(all.*) AS * all.* AS * | mvexpand cert_name | join host cert_name [| tstats values(all.cert_name) from datamodel=bigip-objectmodel-profile where all.profile_type="client-ssl" by host, all.devicegroup, all.facility, all.profile_name | rename values(all.*) AS * all.* AS * ] | mvexpand profile_name | join host profile_name [| tstats values(all.app), values(all.tenant) from datamodel=bigip-objectmodel-virtual-profiles by host, all.devicegroup, all.facility, all.profile_name | rename values(all.*) AS * values(all.*) as * all.* AS * ] | makemv delim=" " app | mvexpand app | search tenant=tenant_a app=mail.clearshark.net | rename cert_expiration_date_human AS expires | eval days_remaining=round((cert_expiration_date-now())/(3600*24),0) | sort days_remaining | table facility,devicegroup,cert_name,profile_name

The only thing I'm working on now is how to properly bring in the cn and expiration date. Anytime I expand those out, I get 100s of results. Any suggestions would be great!

0
Comment made 15-Mar-2017 by Jessicachi 0

Hello Ken,

Thank you so much for creating such a wonderful iApp and Splunk app. I would like to find out how I can turn off syslog information from being sent to Splunk since it is consuming a lot of Splunk data and we already have a separate syslog server. I tried to turn off the syslog feature from the iApp but it's telling me that I cannot perform the action because the vs/irule is being used. I also tried to disable the splunk-hec-syslog virtual server but that just prevents the F5 from sending any data to Splunk. Do you think it's better to blacklist syslog information on the Splunk side? My 2nd question is regarding the healthscore calculation. I found that the calculation uses values such as app_device_uptime_health=1/0 but I could not figure out how you arrived at those values. Could you please explain the process? Thank you in advance!

0
Comment made 16-Mar-2017 by The-messenger 359

Ken, thanks again for this iapp, very good! If installing on a VCMP host, that host will need a Self-IP configured, correct?

0
Comment made 27-Mar-2017 by jonathan@clearshark.com 62

Has anyone else ran into these errors?

message from "python /opt/splunk/etc/apps/f5/bin/f5_kpi_summary_generator.py" application F5_KPI_Result=ERROR: [spl2.domain.net] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.

Its affecting my KPI generation. Wanted to see if anyone else is having this issue.

0
Comment made 28-Mar-2017 by Shayza 0

Hi,

Has anyone noticed a bug when enabling "Role Based Access Controls"? Every time that I'm enabling it the LTM is losing the connection to Splunk (status 400), after disabling it the LTM succeeded to establish the connection.

0
Comment made 28-Mar-2017 by jonathan@clearshark.com 62

Figured out my issue

message from "python /opt/splunk/etc/apps/f5/bin/f5_kpi_summary_generator.py" application F5_KPI_Result=ERROR: [spl2.domain.net] Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.

Resource constraint from the CPU side of the house. datamodel summary searches were timing out because we didn't have enough cores allocated for the indexers.

Cheers!

0
Comment made 29-Mar-2017 by mwsmith87 2

I am having issues with missing data anytime I look through any of the various dashboards or search for data. It says that there are duplicate tenant values causing a conflict. Anyone have any idea what should be done to correct that?

0
Comment made 04-Apr-2017 by Ken Bocchino

Sorry for the late reply to some of these questions, from the bottom up:

Duplicate values causing conflict: This will not break anything but is related to the fact that all of your mapped applications have a tenant set to "" (blank) which is a static value in the dropdown labeled "Unknown". To correct this ensure you're mapping to some tenant value, you can do this by setting the default tenant within the iApp deployment.

RBAC & 400 messages: When RBAC is used we use the mapping of the tenant + the configured prefixes etc. within the RBAC section of the iApp to set the index when sending data to the Splunk HEC. Note, if the indexes are not defined within Splunk or the HEC Token is not allowed to write to those indexes then Splunk will respond with 400 not authorized.

vCMP host requirements: stats are sent via the management port by default. event messages are transformed within TMM and sent via a self-IP. So without a Self-IP you will only get statistics of the vCMP host system.

Latest Cert: will get back to you on this one

Missing version info: would suggest loading the supported 3.7.0 version and opening a bug if it persists.

File Error: have seen this when there are connectivity issues / timeouts when communicating to the splunk server.

0
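
Added example (not part of the thread and not F5's code): a triage pass over the "Stats Response" messages discussed in Ken Bocchino's 21-Feb-2017 reply on "fail" and his 04-Apr-2017 note on RBAC and 400. Function names are hypothetical, the third numeric field is carried through uninterpreted because the page does not define it, and the last two sample lines are constructed.

```python
import re
from collections import Counter

# Matches the message quoted in the thread, in either the /var/log/ltm form
# ("... scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313060 1 400")
# or the GUI log view form ("... Event: Stats Response for SPLUNK 1488265770 0 400").
STATS_RE = re.compile(
    r"Stats Response for (?P<app>\S+) (?P<epoch>\d+) (?P<seq>\d+) (?P<status>\S+)"
)

# Next checks, taken from the replies in this thread.
HINTS = {
    "200": "accepted by the Splunk HEC endpoint",
    "400": ("rejected by Splunk: verify the HEC token, and that every index the "
            "iApp writes to (RBAC tenant indexes included) exists and is allowed "
            "for that token"),
    "fail": ("no clean response from HEC: check reachability of the HEC port "
             "through firewalls, HTTP vs HTTPS, then read "
             "/shared/tmp/<iappname>-stats_output_<n> for Splunk's reply"),
}
UNKNOWN_HINT = "unexpected status: read /shared/tmp/<iappname>-stats_output_<n>"

# Log lines quoted in the comments above, plus two constructed lines at the end.
SAMPLE_LOG = """\
debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313060 1 400
debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313120 0 400
debug scriptd[22114]: 01420004:7: Stats Response for vs_analytics 1484313120 1 400
debug scriptd[32475]: 01420004:7: Stats Response for analytics 1486699800 1 fail
Log Level:notice Service: scriptd[20602] Status Code: 01420004 Event: Stats Response for SPLUNK 1488265770 0 400
debug scriptd[32475]: 01420004:7: Stats Response for analytics 1486700100 0 200
notice example: constructed unrelated line that must be ignored
"""


def parse_stats_responses(lines):
    """Return one record per 'Stats Response' line; other lines are skipped."""
    records = []
    for line in lines:
        m = STATS_RE.search(line)
        if m:
            records.append({
                "app": m["app"],
                "epoch": int(m["epoch"]),
                # Third field is kept as-is; its meaning is not stated on the page.
                "seq": int(m["seq"]),
                "status": m["status"],
            })
    return records


def summarize(records):
    """Per iApp service: status counts, latest status, last success, next check."""
    summary = {}
    for rec in records:
        s = summary.setdefault(rec["app"], {
            "counts": Counter(), "latest_epoch": -1,
            "latest_status": None, "last_ok": None,
        })
        s["counts"][rec["status"]] += 1
        if rec["epoch"] >= s["latest_epoch"]:  # on equal timestamps the later line wins
            s["latest_epoch"] = rec["epoch"]
            s["latest_status"] = rec["status"]
        if rec["status"] == "200":
            s["last_ok"] = max(s["last_ok"] or 0, rec["epoch"])
    for s in summary.values():
        s["hint"] = HINTS.get(s["latest_status"], UNKNOWN_HINT)
    return summary


if __name__ == "__main__":
    for app, s in summarize(parse_stats_responses(SAMPLE_LOG.splitlines())).items():
        print(f"{app}: latest={s['latest_status']} counts={dict(s['counts'])} "
              f"last_ok={s['last_ok']}")
        print(f"  next check: {s['hint']}")
```
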
Comment made 09-Apr-2017 by richard.polyak@nbcuni.com 18

Ken,

I know this is released to supported iapps, but I have installed 3.7.0 and I overwrite as recommended, but I am now getting a fail message. I can switch back to 3.16.13 without issue and all will work fine. Any differences in Splunk app that I have to address going to 3.7.0?

Thx

0
Comment made 10-Apr-2017 by juan 176

Hello. If I try to create an Application using that template I get this error: Error parsing template:MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message. We've got licensed as Nominal: DNS, AVR and LTM on virtual device running 12.1.1 version. Thank you!.

0
Comment made 12-Apr-2017 by Benoit C. 235

hello,

thanks for the iApp. I'm trying to install it and integrate F5 with Splunk but I get the following error message: Loading configuration... /tmp/upload_template.tmpl Syntax Error:(/tmp/upload_template.tmpl at line: 1) "PK" unexpected argument

Is there any restriction on the TMOS version (I'm running 12.1.0) or the versions (virtual, LTM only, GBB licenses) ?

Thanks in advance


Benoit

0
Comment made 12-Apr-2017 by M Quevedo

Hi Benoit, you must unzip an iApp template before you upload it (that is, you can only import an uncompressed file like f5.analytics.v3.7.0.tmpl not a ZIP file like iapps-1.0.0.444.0-1.zip).

0
Comment made 12-Apr-2017 by M Quevedo

Hi Juan,

Your BIG-IP configuration probably has a very large number of some LTM objects such as pool members which the iApp is trying to display in a single huge list, therefore hitting f5 issue ID435592 which yields that "16908375, 01020057:3:" error.

F5 may be able to adjust the iApp to avoid hitting that problem. Please open a Support case with f5 and tell Support you are having trouble with the Analytics iApp v3.7.0. Support will request a qkview file and the information in it will help us analyze your difficulty.

0
Comment made 12-Apr-2017 by M Quevedo

Hi richard.polyak,

Please open a Support case with f5 and indicate that you are having trouble with the Analytics iApp v3.7.0.

Without knowing what sort of error message you're seeing and without any other context it is difficult to give you specific advice here.

0
Comment made 13-Apr-2017 by Benoit C. 235

Hi,

indeed I found the way to import it in the meantime, I went too fast in posting, I had in mind that we have to do a bulk import.

thanks for the reply!

Br,


Benoit

0
Comment made 17-Apr-2017 by prakash321 0

Have installed f5-Networks analytics splunk app recently,

The Device Dashboard always show- Sync Status/ Sync Summary - Changes pending We have 2-f5-bigip devices in a group we created, one should show changes-pending and other should not as expected...

This is our workflow..... F5(iApp)------>Splunk HF(HEC)-------->Indexer--------->SH

Do we need to look at the iAPP f5-configuration or any Splunk configs to make sure the data in real time....??

0
Comment made 19-May-2017 by DRJ 68

Has anyone had an issue with this causing scriptd to crash/core when trying to reconfigure or re-install on 12.1.2 HF1? This iApp was working for a few weeks, we've updated to HF1 and it has now failed on 4 out of 5 boxes, though to be fair it hadn't been reconfigured for a while so MIGHT not be related to HF1. Failure is much like this https://support.f5.com/csp/article/K14959

0
Comment made 19-May-2017 by M Quevedo

DRJ-- Please open a case with F5 Support to report your issue. Qkview files from before and after the scriptd crash will help us diagnose and correct the problem.

0
Comment made 20-May-2017 by Willbaclimon 0

Does anyone have a link or can suggest a recommend Regex for Application Mapping? Essentially I would like to group VIPS together as a common application name.

For Example

1.VIP App1 VIP 1 and 2 are named Master App 2.VIP App1

3.VIP App2 VIP 3 and 4 are named Minor App 4.Vip App2

0
Comment made 22-May-2017 by Walter Kacynski 973

How does this app complement the Splunk built version at http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/About? What data overlaps, and if so, can I remove this duplication?

0
Comment made 26-May-2017 by csiggy 0

Hello,

I followed the steps in both the guide and offered video--great btw; but Splunk will not show any data on the Application tab, nothing at all from LTM. AFM (Network Firewall) sections produce data and so do the Administration -> Device Health etc. User Access tab provides nothing as well.

Please advise, if possible.

Thank you.

0
Comment made 29-May-2017 by ST Wong 261

Hello,

We followed steps in the guide and deploying v3.7.0 with Splunk 6.5.3. There is no event sent to Splunk. Seems the SSL handshake can't complete due to unknown CA error. See following in Splunk about complaint from LTM with v3.7.0 deployed:

error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

As we're using default server certs on Splunk, can we add the cert to trust CA list on LTM and how? Thanks a lot.

Regards

0
Comment made 28-Jun-2017 by ramig 3

I'm using latest version (3.7.0) with APM running on 12.0+, the main issue is the session dump files filling the /shared partition with f5-analytics-sessdata-* .

Any suggestions there ?

0
Comment made 28-Jun-2017 by M Quevedo

Hi ramig, f5 is tracking this issue as ID664360. Look for a fix in the next release of the iApp template.

0
Comment made 28-Jun-2017 by Walter Kacynski 973

Since bugids aren't public... Is ID664360 mitigated or fixed by 12.1.2?

0
Comment made 28-Jun-2017 by M Quevedo

Hi Walter, bug ID's do appear in TMOS release notes. However, that's not what you asked exactly-- this particular issue will be fixed in the next release of the Analytics iApp template. That is not tied to a specific version of TMOS, so it doesn't have anything directly to do with TMOS v12.1.2.

0
Comment made 06-Jul-2017 by prakash321 0

I am getting this Error in timechart command, when i launch the Device Cluster Drilldown dashboard...

0
Comment made 06-Jul-2017 by Ken Bocchino

did you just start sending data, try setting the time window to 60 minutes.

0
Comment made 06-Jul-2017 by Walter Kacynski 973

Can someone help me understand the relationship with this iApp and BIG-IQ DCD under version 5.2?

0
Comment made 06-Jul-2017 by prakash321 0

@Ken Bocchino: I have been ingesting the data for a while, it worked when I set the time to last 60min and go back to last 24hrs. I do see some warns under Administration---->Application Health

0
Comment made 06-Jul-2017 by M Quevedo

The BIG-IQ 5.2 device may use this iApp in a special -- not user-interactive -- mode when BIG-IQ manages a BIG-IP device.

0
Comment made 06-Jul-2017 by Walter Kacynski 973

That confuses me especially when in BIG-IQ you check the box for stats collection and it automatically deploys a special version of this iApp. It seems like this would cause a version conflict at some point. I have both BIG-IQ 5.2 and Splunk, I don't know which one I should be using for stats data.

0
Comment made 11-Jul-2017 by Tom_K 77

Hello - I have the f5.analytics.v3.7.0 iApp installed on a bunch of viprion vcmp guests and sending logs to splunk but do not understand how to install the iApp on the vcmp host. My host does not have an iApp object to select from on the gui management screen. Do you install the iApp from the command line or where do I find the iAPP object on my management screen. Also I do not have any self ip's configured on the vcmp host. What must I do to configure a self IP on the host to use the f5.analytics.v3.7.0 iApp ?

0
Comment made 12-Jul-2017 by M Quevedo

Hi Tom_K. You cannot install the iApp v3.7.0 on the vCMP host.

0
Comment made 20-Jul-2017 by Nick.Palmer.f5 159

Hi Ken and M Quevedo,

Could you please give more technical insight about how BIG-IQ uses this iApp in a special not user-interactive mode? Can BIG-IQ provide VIP stats and display charts based on the iApp collected info? How should BIG-IQ be set up to work with the iApp? Thanks!

Our BIG-IQ is 4.5.0 and our BIG-IP is 11.6.1 and 12.1.2.

0
Comment made 25-Aug-2017 by jonathan@clearshark.com 62

Hey Ken and Quevedo,

Been loving the app and think it has HUGE potential. I am actually demo'ing this at a tech talk next week and have been having an issue, if you guys have any suggestions.

In device dashboard, anytime I expand a specific device's resource stats drop down, my memory portion includes all time. All other stats (CPU, Disk, Int) follow the time range specified. I tracked down the javascript file that produces this visual but can't for the life of me figure out why it is stuck to this time frame. I have reinstalled the app on multiple servers. I did upgrade to 3.7 recently, which seems to correlate to the timing of this issue.

See the attached screen shot. Any and all help is greatly appreciated!


0
Comment made 03-Sep-2017 by DanRin 1

Hi,

Our Splunk license is only for 1GB of traffic a day. I've done some testing of an F5 guest on a Viprion running code version 11.6.1. We seem to be using about 400MB a day just from this one guest, which has almost no traffic traversing it.

When I had all the options for logging enabled I used about 550MB a day. Now I've cut this down to only System statistics being enabled in the iApp and I still use about 400MB a day.

The Viprion Guest currently has very minimal configuration (network config and a single LTM pool that is barely used).

Is this level of data output as expected? I would ideally like to use this iApp on our production Viprion guests, however I fear this will push us well over our Splunk licensing.

Regards, Dan

0
Comment made 19-Sep-2017 by Aaron 1

Ken, you have done a great job with the Analytics iApp and Splunk. I was wondering if you have done anything with Elastic Search & Kibana and an Analytics iApp?

0
Comment made 27-Sep-2017 by Alexei Volkov 15

@Ken,

The iApp looks great, thank you for creating and maintaining it.

I would love to get similar application visibility in our SPLUNK.

Particularly in our installation, there are virtual servers that are reporting to SPLUNK with "NaN" status. I cannot identify what could cause that problem.

  1. In summary, in the “Application Dashboard” 42 out of about 100 VIPs are reporting with active health status, the rest of the Virtual servers are listed with “NaN” status. I checked that the “NaN” servers are actively accessed by the clients and there are not many differences in the general configuration between the VIPs in our environment.

  2. The “Device Dashboard” and “Device Cluster Drilldown” report all Devices statistics for the most part without any issues and that looks great.

  3. In the /var/log/ file of the Loadbalancers I see there are a lot of messages such as: AVR-iapp-dev-stats_output_1, 2, 3 etc.

- For the most part the file formats are listed with success, code 0 reports.

more AVR-iapp-dev-stats_output_1

{"text":"Success","code":0}

  • There are however other files, with the invalid event number contents.

more AVR-iapp-dev-stats_output_49

{"text":"Invalid data format","code":6,"invalid-event-number":761}

  1. The iApp is configured with the Regex “(.*)” mappings.

  2. In SPLUNK we set the “Search=syslog_f5”.

I ran out of all the options why the reporting is failing for most of the applications. Any ideas where I need to look at?

Thank you!

0
Comment made 06-Oct-2017 by chandrac 10

Ken,

Thank you very much for taking time to build really cool visualizations and iApp to send the data to Splunk. I went through all the Data Models you created and it is seriously a lot of work.

I do have a question. I understand F5 iApp can be configured to send data at 1/5/10/30 minute interval, which is capturing the state of the pool_member at that time. We configured it to send data every 5 minutes. Since F5 Health Checks frequency is every few seconds, we are not able to capture if a pool_member changed its state one or more times within the same 5 minute interval.

Example: pool_member "ABC_LAB_Pool" availablility_state showing 3 "offline" events in last 24 hours, however based on SNMP traps that we received for the same pool_member suggests there were ~50 times pool_member health is changed from online to offline and offline to online within same last 24 hours time window.

SNMP Traps that we are receiving on Pool Member state change:

Oct 6 15:36:35 fa-f5-lab.abc.com fa-f5-lab.abc.com notice mcpd[7502]: 01070727:5: Pool /Common/ABC_LAB_Pool member /Common/abc1:8443 monitor status up. [ /Common/ABC_LAB_Pool: up, /Common/tcp: up ] [ was down for 0hr:0min:2sec ]

Oct 6 15:36:35 fa-f5-lab.abc.com fa-f5-lab.abc.com notice mcpd[8191]: 01070727:5: Pool /Common/ABC_LAB_Pool member member /Common/abc2:8443 monitor status up. [ /Common/ABC_LAB_Pool member: up, /Common/ABC_LAB_Pool member: up, /Common/tcp: up ] [ was down for 0hr:0min:3sec ]

I would like to know how I can capture the number of offline/online events within a 5 minute interval using F5 Analytics iApp?

Please let me know if you need additional details regarding this question.

Thank you very much for your help, really appreciated your support.

0
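Added example, not part of the thread and not F5 or Splunk code: it counts pool member transitions from mcpd monitor-status syslog messages of the kind quoted in the comment above, per 5-minute interval, and flags the intervals in which a member went down and recovered, which a once-per-interval state sample cannot see. The sample lines are constructed except the one taken from the comment; the host name `lb.example.com`, the year and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches mcpd pool-member monitor messages; tolerates a repeated "member" token.
PATTERN = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s.*?mcpd\[\d+\]:\s+\d{8}:\d:\s+Pool\s+(\S+)\s+"
    r"(?:member\s+)+(\S+)\s+monitor status (up|down)\."
)

def _line(ts, member, state):
    """Build a constructed log line in the format quoted in the comment."""
    msg_id = "01070727" if state == "up" else "01070638"
    return (f"Oct 6 {ts} lb.example.com notice mcpd[7502]: {msg_id}:5: Pool "
            f"/Common/ABC_LAB_Pool member /Common/{member} monitor status {state}.")

SAMPLE = [
    _line("15:36:32", "abc1:8443", "down"),
    _line("15:36:35", "abc1:8443", "up"),
    _line("15:36:32", "abc2:8443", "down"),
    # Taken from the comment above (not constructed):
    "Oct 6 15:36:35 fa-f5-lab.abc.com fa-f5-lab.abc.com notice mcpd[8191]: "
    "01070727:5: Pool /Common/ABC_LAB_Pool member member /Common/abc2:8443 "
    "monitor status up. [ /Common/tcp: up ] [ was down for 0hr:0min:3sec ]",
    _line("15:38:10", "abc1:8443", "down"),
    _line("15:38:13", "abc1:8443", "up"),
    _line("15:41:00", "abc1:8443", "down"),  # still down at the next sample
]

def summarize(lines, year, interval_min=5):
    """Per (pool, member): total down events and intervals hiding a flap."""
    events = []
    for raw in lines:
        m = PATTERN.match(raw)
        if not m:
            continue  # not a pool member monitor-status message
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((when, m.group(2), m.group(3), m.group(4)))
    events.sort(key=lambda e: e[0])  # syslog order is not guaranteed
    buckets = defaultdict(list)
    for when, pool, member, state in events:
        start = when.replace(minute=when.minute - when.minute % interval_min, second=0)
        buckets[(pool, member, start)].append(state)
    result = defaultdict(lambda: {"down_events": 0, "hidden_buckets": 0})
    for (pool, member, _start), states in buckets.items():
        downs = states.count("down")
        result[(pool, member)]["down_events"] += downs
        if downs and states[-1] == "up":  # recovered before the interval ended
            result[(pool, member)]["hidden_buckets"] += 1
    return dict(result)
```
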
Comment made 10-Oct-2017 by Jeff Shuron 0

Ken, per your recommendation above I looked at the output from /shared/tmp/iapp_output_0, and see this: {"text":"Success","code":0}. I also did a curl from the f5 to the Splunk server and connected successfully. I'm still seeing fail messages in the ltm log, and none of the virtual servers or pools are showing in the Splunk dashboard.

This is an awesome app, and I look forward to having it function properly.

Thank you!

UPDATE: Challenge resolved. I had to change from Direct Mapping to just Map and everything is now showing up.

0
Comment made 24-Oct-2017 by The-messenger 359

Running 12.1.1, and the analytics iapp. I continue to get a repeating ltm entry:

Stats Response for splunk_analytics 1508851786 0 fail

Stats Response for splunk_analytics 1508851786 1 fail

Stats Response for splunk_analytics 1508851786 2 fail

These 3 repeat with the numeric piece changing.

0
Comment made 12-Feb-2018 by cd-zbc 10

Hi, running 13.1.0.1 and I am not seeing the data in splunk I'm expecting to. I get the following.

lb-dev17 notice scriptd[21080]: 01420004:5: Stats Response for Splunk 1518456600 0 fail

lb-dev17 notice scriptd[21080]: 01420004:5: Stats Response for Splunk 1518456600 1 fail

lb-dev17 notice scriptd[21080]: 01420004:5: Stats Response for Splunk 1518456600 2 fail

I have tried to follow this thread to troubleshoot.

Ran a curl command that responded with a web page

Output file in /shared/tmp reports {"text":"Success","code":0}

Not using rbac so using a default index and have verified that the API key is correct. Not sure what to do next, any help is appreciated.

0
Comment made 12-Feb-2018 by cd-zbc 10

Also please let me know if there is a better place to get support on this.

Thank you

0
Comment made 12-Feb-2018 by Walter Kacynski 973

This is fully supported and you can open a case against it.

0
Comment made 19-Mar-2018 by Alan Moen 122

Does anyone have any sizing recommendations for using splunk with F5? I've got the free version of splunk and have overwhelmed it with just my non-prod LTMs (in an active/standby pair) - I've got four more pair and have no idea what I would be looking at as far as storage to request or size of splunk license I'd need. I've contacted splunk for a larger license for a POC but I don't know if the busier LTMs will send more data vs the less-busy LTMs (I presume so) or how much.

I'd like to know what others have experienced here. This looks like an awesome tool but I won't get a blank check for licenses & storage. I have five pair of LTMs (so far) and would like to have at least a month's worth of historical data for trending. At least that's what I think - what's your experience?

0
Comment made 19-Mar-2018 by Walter Kacynski 973

Just my LAB editions produce 1GB of data per day with ZERO application traffic. If you don't use the AVR feature then it depends on the number of virtuals that you have deployed.

0
Comment made 24-Mar-2018 by loremipsum 0

Ken - Great App and even better documentation/information to go along with it. A large joint customer of ours (over 100+ F5 appliances) is very much interested in deploying this app. However, their F5 administration team wants a non-iApp way of creating the underlying framework/template (apologies if my understanding/terminology is off here) necessary to send data to HEC/Splunk. It's due to some internal policies they have in place where they just can't use anything with iApps as that makes upgrades more difficult? Any pointers you can offer for the same are much appreciated! Thanks

1
Comment made 29-Mar-2018 by DB 56

For those who were receiving the "Stats Response for Splunk xxxxxxxx 0 fail" log messages, I just deployed this iApp today and had the same issue, ran a TCPDUMP to capture the traffic to/from my HEC destination and found the F5 was sending the requests out but getting nothing back, determined from the TCPDUMP that the source address indicated the data was going out the wrong interface, and had to add a route (old traditional LTM Network/Route) to point to my HEC instance out the right interface. That solved this problem for me.

Got the data populating just fine to Splunk, but I do have a question on mapping pools to virtuals. We use an iRule to select a pool to use based on HTTP Host Header on incoming HTTP requests, so there's no pool hard coded on the Virtual Servers. The iApp resulting data seems to map the pools just fine if they're hard coded on the Virtual Server. Might be a stupid "of course you can't" question, but is there any way to create a dependency between the Virtual Server and the pools, if they're dynamically selected by an iRule, using an iRule statement such as "pool [HTTP::host]-pool"? Seems Application Component might somehow play into this, but couldn't find any doc that describes how that mapping attribute is used.

0
Comment made 12-Apr-2018 by Vladimir Akhmarov 26

I have a 4x 4200v with 150+ virtual servers. The overall traffic to Splunk appliance is 28 GB/day. This is too much.

0
Comment made 24-Apr-2018 by Juraj 173

I would have the same request as loremipsum above - a non-iApp way/instructions would be greatly appreciated. I'm trying to stay away from iApps as much as possible for exactly the same reason.

In my case now, the F5 Analytics iApp v3.7.0 deployment fails on almost a fresh F5VE with can't read "::verson": no such variable, and I pretty much don't know what to do other than open a support ticket (which I've done). The same error message as someone else had a year ago vOv

1
Comment made 04-May-2018 by clemtr 0

Any idea when 13.1 will be supported for analytics?

0
Comment made 07-Jun-2018 by The-messenger 359

I still have the issue with many, many errors in the logs:

/Common/ir-splunk_analytics-hec-forwarder-udp-snmptrap - can't read "msg": no such variable while executing "string trimright $msg ",""

and

Stats Response for splunk_analytics 1508851786 0 fail

Stats Response for splunk_analytics 1508851786 1 fail

Stats Response for splunk_analytics 1508851786 2 fail

I see others with the same issue but no resolution.

0
Comment made 10-Aug-2018 by ST Wong 261

Hi,

We are trying Analytics template v3.7.1 on BIG-IP 12.1.3.5, with Splunk server v7.0. We can only get the following sources while most of them are missing:

bigip.syslog bigip.adm bigip.snmptrap

We tried the same setup sequence on BIG-IP 11.x and Splunk server v6.5 successfully. Would anyone please help?

Thanks a lot.

0
Comment made 3 months ago by krekri 0

Getting this error when trying to deploy the app. All settings are default but the must haves. I tried it like 30 times with different settings.

script did not successfully complete: ("script" unexpected argument while executing "tmsh::create [string range $args 7 end] " ("create" arm line 1) invoked from within "switch -exact -- [string range $args 0 5] { create { tmsh::create [string range $args 7 end] } modify { tmsh::modify [string r..." (procedure "iapp_conf" line 14) invoked from within "iapp_conf create sys icall script /Common/${::app}-send_stats1 { definition {$::icall_splunkstats} description none events none } " invoked from within "if {($::basic__stats eq "Yes") && ($::intro__localmode eq "No")} {

tmsh::log "FINEME $::statistics__pushconfig"

if {($::statistics__..." line:4402)

A few things that I tried:

  • reinstall
  • release candidate and newest stable version
  • different settings to no settings at all
  • restart sys service scriptd

0
Comment made 3 months ago by mschlapfer 0

Getting this error in App after doing a Splunk upgrade. Anyone have any idea how to troubleshoot/resolve?

message from "python /opt/splunk/etc/apps/f5/bin/f5_kpi_summary_generator.py" F5 Health Summary Generator: Error in processing KPI for OrderedDict([('where1', 'InboundProxy_Comp_C_JC'), ('where2', 'vs_onalaska_Sonic02-p_12222'), ('index', 'f5-default'), ('count', '2501')]) (mismatched tag: line 35, column 2)

thanks, Marcel

0
Comment made 1 day ago by Alan Moen 122

In version 3.7.1, if the iHealth password has special characters (haven't worked out which special characters yet) it fails with Image Text If I change the password field to "123456" (not my real password), it works - although iHealth won't work that way. Do I need to dumb-down my iHealth password or is there a fix for this?

0
Comment made 8 hours ago by Alan Moen 122

Edit to add: This is also the case in v3.7.2rc5...

0