I posted a similar question about 2 weeks ago and I am still not able to get the data that I send to splunk to have the proper json format. Has anyone either configured their own log pool, log destination and log published or used the f5 supported iapps template f5 analytics version f5.analytics.v3.7.0 to send log data to splunk ?
I will include my HSL::open and HSL:send commands and my log command as well as a screen print with the problem we are trying to solve. What I have been told is that the red color in splunk is the key and the light blue is the value. When I just use the log statement everything is formatted correctly in splunk. When I use the HSL::send command everything I send becomes the key and then the value is something called hostname which is not usable. I have the need to send massive amounts of data to splunk so it is prohibitive to use the log command and put all this data also on local disk.
set hsl [HSL::open -proto TCP -pool analytics-iapp-hec-forwarder-tcp-log-stage0]
HSL::send $hsl "<190>,hsl test,f5_irule=hsl_splunk_logging_new,client_ip=$client, client_port=$client_port, vip_ip=$vip, vip_port=$vip_local_port, snat_ip=$self_ip,snat_port=$self_ip_local_port,remote_ip=$node,remote_port=$node_server_port "
log local0.info "hsltest Event=CLIENT_CLOSED protocol=tcp hsl=$hsl client_ip= $client client_port= $client_port vip_ip= $vip vip_port= $vip_local_port snat_ip= $self_ip snat_port= $self_ip_local_port remote_ip= $node remote_port= $node_server_port "![Image Text](/Portals/0/Users/210/54/185554/2018.06.11.sample.hsl.and.syslog.PNG?ver=2018-06-13-082447-437)
let me try and post a larger image.
can anyone confirm that on the splunk server side whether both
need to be installed ?