Thomas_Gobet
Apr 11, 2014 Nimbostratus
Pool status in Splunk for F5 Networks
Hi all,
I made some tests on Splunk with the 11.5.0 TMOS version.
My tests were on AFM, LTM and also syslog events. LTM (with the iRule included) and AFM work fine, but for syslog events there's something wrong.
If you want to have your pool status statistics on your Splunk, you have to parse syslog events.
But those events have changed with the 11.5.0 version so here is the newest regex you'll need.
/\]:\s(........:.):\sPool\s(\S+)\smember\s(\S+)\smonitor\sstatus\s(\S+)\.\s?\[?\s?(?:\S+)?\:?\s?(?:\S+)?\s?\]?\s+?\[\swas\s(\S+)\sfor\s(\S+)/
This regex goes to /opt/splunk/etc/apps/SplunkforF5Networks/default/transforms.conf under [f5-syslog-eventcode]
I still have something missing in my Splunk configuration because I don't have all my pool statuses.
If anybody has already played with it, could you tell me where I'm wrong?
Thanks.
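Added example, not part of the original post: one way to see which pool-status events the posted regex extracts and which it drops is to run it over exported syslog lines and list the misses. The sample lines, the field names, and the multi-monitor and "forced down" variants are constructed for illustration and are assumptions, not captured 11.5.0 output.

```python
import re

# Regex exactly as posted (the body between the slashes), split only for line length.
POSTED = re.compile(
    r"\]:\s(........:.):\sPool\s(\S+)\smember\s(\S+)\smonitor\sstatus\s(\S+)\."
    r"\s?\[?\s?(?:\S+)?\:?\s?(?:\S+)?\s?\]?\s+?\[\swas\s(\S+)\sfor\s(\S+)"
)

# Hypothetical field names for the six capture groups (not taken from the Splunk app).
FIELDS = ("event_code", "pool", "member", "status", "prev_status", "duration")

# Constructed sample lines; replace with an export of your own BIG-IP syslog.
PREFIX = "Apr 11 10:15:02 bigip1 notice mcpd[5897]: "
MEMBER = "Pool /Common/web_pool member /Common/10.0.0.11:80 monitor status "
SAMPLES = [
    # one monitor in the bracketed detail
    PREFIX + "01070638:5: " + MEMBER + "down. [ /Common/http: down ]  [ was up for 0hr:1min:5sec ]",
    PREFIX + "01070727:5: " + MEMBER + "up. [ /Common/http: up ]  [ was down for 0hr:0min:25sec ]",
    # assumed variant: two monitors listed in the bracketed detail
    PREFIX + "01070638:5: " + MEMBER + "down. [ /Common/http: down, /Common/tcp: up ]  [ was up for 0hr:0min:41sec ]",
    # assumed variant: two-word status
    PREFIX + "01070638:5: " + MEMBER + "forced down. [ /Common/http: up ]  [ was up for 0hr:5min:0sec ]",
]


def extract(line):
    """Return the captured fields as a dict, or None if the regex does not match."""
    m = POSTED.search(line)
    return dict(zip(FIELDS, m.groups())) if m else None


def missed(lines):
    """Pool-status lines that the regex would silently fail to extract."""
    return [l for l in lines if "monitor status" in l and extract(l) is None]


if __name__ == "__main__":
    for line in SAMPLES:
        print("MATCH " if extract(line) else "MISSED", line[len(PREFIX):])
```

Any line reported as missed shows a message shape the extraction does not cover, which is the place to look when some pool statuses never appear in Splunk.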