A couple of things for people installing/configuring this app:
These are over & above the instructions that come with the app:
a) Ensure your *$SPLUNK_HOME/etc/apps/xxx_all_indexes/local/indexes.conf* has been deployed to the HF (heavy forwarder). The configuration screen for the Tasks only lets you select from a drop-down of locally configured indexes. (Or manually update *$SPLUNK_HOME/etc/system/local/indexes.conf*.)
b) Ensure the user on the F5 has Admin & terminal permissions
c) After you create the Server and create the Task to collect the data directly from the F5s, ensure you edit the Task and redirect it to an index other than 'main'.
d) BUG & Workaround: Observed with Splunk 6.2.6 - the TA was deployed to an HF and, once it was properly collecting data into '<your index here>', you could not search for results within a date/time range; you had to search using 'All time'. To correct this, on your HF (or wherever you are collecting the data) update or create the following file:
**Update file: $SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/props.conf**

```ini
[f5_bigip:icontrol]
DATETIME_CONFIG = current

[f5:bigip:icontrol]
DATETIME_CONFIG = current
```
**Note**: *I did add the same option to all the other sourcetype stanzas as well, such as [f5:bigip:gtm:dns:request:irule], [f5:bigip:system:systeminfo:icontrol], etc. I didn't test without them, but I don't think you need them. They are all listed in the props.conf in the default directory.*
Going forward, all new events ingested will be searchable by time-range.
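A quick way to confirm the workaround actually landed on the forwarder, as an added example that is not part of the original post: a small POSIX shell check that reads a props.conf and reports which of the named sourcetype stanzas still lack `DATETIME_CONFIG = current`. The default path is the one from the post; the sample props.conf at the bottom is constructed for the demo, with one stanza deliberately left unfixed.

```shell
#!/bin/sh
# Added example, not from the original post or the Splunk TA itself.
# Assumption: PROPS is the local props.conf you edited (path from the post).
PROPS="${PROPS:-$SPLUNK_HOME/etc/apps/Splunk_TA_f5-bigip/local/props.conf}"

# conf_get FILE STANZA KEY
# Print the value of KEY inside [STANZA] of an INI-style .conf file,
# or nothing if the stanza or key is absent. KEY is used as a regex,
# so keep it to plain identifiers such as DATETIME_CONFIG.
conf_get() {
    file=$1; stanza=$2; key=$3
    awk -v s="[$stanza]" -v k="$key" '
        /^[ \t]*\[/ {                       # stanza header: compare trimmed
            l = $0; sub(/^[ \t]+/, "", l); sub(/[ \t]+$/, "", l)
            in_s = (l == s); next
        }
        in_s && $0 ~ ("^[ \t]*" k "[ \t]*=") {  # first matching key wins
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$file"
}

# check_datetime_stanzas FILE STANZA...
# Print every stanza whose DATETIME_CONFIG is not "current".
# Returns 0 when all stanzas are set, 1 when at least one is missing.
check_datetime_stanzas() {
    file=$1; shift
    rc=0
    for st in "$@"; do
        if [ "$(conf_get "$file" "$st" DATETIME_CONFIG)" != "current" ]; then
            echo "$st"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample props.conf (not a real deployment): the second
# stanza has not received the workaround and should be reported.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
[f5_bigip:icontrol]
DATETIME_CONFIG = current

[f5:bigip:icontrol]
SHOULD_LINEMERGE = false
EOF

check_datetime_stanzas "$SAMPLE" f5_bigip:icontrol f5:bigip:icontrol \
    || echo "stanzas above still need DATETIME_CONFIG = current"
```

Point `PROPS` at the real file and pass the stanzas you edited; `$SPLUNK_HOME/bin/splunk btool props list f5:bigip:icontrol --debug` shows the merged value Splunk actually uses if local and default disagree.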