{"id":403,"date":"2017-12-05T11:00:52","date_gmt":"2017-12-05T19:00:52","guid":{"rendered":"http:\/\/www.ossintegrators.com\/blog\/?p=403"},"modified":"2017-12-13T13:42:35","modified_gmt":"2017-12-13T21:42:35","slug":"which-f5-app-should-i-use-with-splunk","status":"publish","type":"post","link":"http:\/\/www.ossintegrators.com\/blog\/which-f5-app-should-i-use-with-splunk\/","title":{"rendered":"Which F5 App Should I Use with Splunk?"},"content":{"rendered":"<p><span style=\"font-size: 12pt;\">So you have Splunk and F5s but are thoroughly confused about which F5 App to use because Splunkbase has eight!<br \/>\n<\/span><\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" src=\"http:\/\/www.ossintegrators.com\/blog\/wp-content\/uploads\/2017\/12\/120517_1839_WhichF5AppS1.png\" alt=\"\" \/><span style=\"font-size: 12pt;\"><br \/>\n<\/span><\/p>\n<p><span style=\"font-size: 12pt;\">It&#8217;s actually simpler than it seems, so let&#8217;s do a rundown of what each F5 App actually does.<br \/>\n<\/span><\/p>\n<p><!--more--><\/p>\n<p><a href=\"https:\/\/splunkbase.splunk.com\/app\/2675\/\"><span style=\"color: #0563c1; 
font-size: 13pt; text-decoration: underline;\">F5 Query<br \/>\n<\/span><\/a><\/p>\n<p><span style=\"font-size: 12pt;\">This App provides a custom Splunk command that allows you to query the status of F5 vServers and Pools. While very cool, it only provides the <em>capability<\/em> to write your own limited set of F5 dashboards.<br \/>\n<\/span><\/p>\n<p><a href=\"https:\/\/splunkbase.splunk.com\/app\/2873\/\"><span style=\"color: #0563c1; font-size: 13pt; text-decoration: underline;\">F5 WAF Security<\/span><\/a><span style=\"color: #2e74b5; font-size: 13pt;\"><br \/>\n<\/span><\/p>\n<p><span style=\"font-size: 12pt;\">This open-source App provides dashboards specific to the F5 WAF (Web Application Firewall). If that is all you need to monitor, then getting this App up and running is very straightforward.<br \/>\n<\/span><\/p>\n<p><a href=\"https:\/\/splunkbase.splunk.com\/app\/815\/\"><span style=\"color: #0563c1; font-size: 13pt; text-decoration: underline;\">F5 Security<br \/>\n<\/span><\/a><\/p>\n<p><a href=\"https:\/\/splunkbase.splunk.com\/app\/1875\/\"><span style=\"color: #0563c1; font-size: 13pt; text-decoration: underline;\">F5 Networks Remote Access<br \/>\n<\/span><\/a><\/p>\n<p><a href=\"https:\/\/splunkbase.splunk.com\/app\/812\/\"><span style=\"color: #0563c1; font-size: 13pt; text-decoration: underline;\">F5 Networks LTM<br \/>\n<\/span><\/a><\/p>\n<p><a href=\"https:\/\/splunkbase.splunk.com\/app\/814\/\"><span style=\"color: #0563c1; font-size: 13pt; text-decoration: underline;\">F5 Access Visibility<br \/>\n<\/span><\/a><\/p>\n<p><span style=\"font-size: 12pt;\">These Apps have been around for quite a while (pre-Splunk 6.x) and, while they still work, they suffer from two major issues:<br \/>\n<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;\">They get <strong><em>all<\/em><\/strong> of their data via syslog \u2013 which means you are missing the majority of the data that your F5s can produce.<br \/>\n<\/span><\/li>\n<li><span 
style=\"font-size: 12pt;\">Many of their dashboards use Advanced XML, which has been <a href=\"http:\/\/docs.splunk.com\/Documentation\/Splunk\/6.6.4\/AdvancedDev\/Whatsinthismanual\"><span style=\"color: #0563c1; text-decoration: underline;\">deprecated<\/span><\/a> for years. Sure, it still works even in Splunk 7.0 \u2013 but if you want to customize them you&#8217;re on your own.<br \/>\n<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/splunkbase.splunk.com\/app\/2680\/\"><span style=\"color: #0563c1; font-size: 13pt; text-decoration: underline;\">Splunk Add-on for F5 BIG-IP<\/span><\/a><span style=\"color: #2e74b5; font-size: 13pt;\"><br \/>\n<\/span><\/p>\n<p><span style=\"font-size: 12pt;\">This is the latest Splunk-supported method for ingesting F5 data. It has a number of advantages over all the other Apps:<br \/>\n<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;\">Via REST calls, it can gather <strong><em>much<\/em><\/strong> more data than is possible via syslog.<br \/>\n<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">It <strong><em>also<\/em><\/strong> gathers and processes all the syslog data that the other Apps do.<br \/>\n<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">It maps the majority of its data to the Splunk <a href=\"http:\/\/docs.splunk.com\/Documentation\/CIM\/4.9.1\/User\/Overview\"><span style=\"color: #0563c1; text-decoration: underline;\">Common Information Model<\/span><\/a> (CIM), which means it supports Splunk <a href=\"http:\/\/docs.splunk.com\/Documentation\/ES\"><span style=\"color: #0563c1; text-decoration: underline;\">Enterprise Security<\/span><\/a> out of the box.<br \/>\n<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">This Add-On is required if you want to leverage the <a href=\"http:\/\/docs.splunk.com\/Documentation\/ITSI\/3.0.0\/IModules\/AboutLoadBalancerModule\"><span style=\"color: #0563c1; text-decoration: underline;\">ITSI Load Balancer module<\/span><\/a>.<br \/>\n<\/span><\/li>\n<\/ul>\n<p><span 
style=\"font-size: 12pt;\">That being said, it has several disadvantages:<br \/>\n<\/span><\/p>\n<ul style=\"margin-left: 39pt;\">\n<li><span style=\"font-size: 12pt;\">It does not scale well because it gathers its data via REST. I&#8217;m not saying that REST does not scale, just that the Splunk\/F5 REST collection does not scale much beyond a small-ish number of F5s per heavy forwarder (HF); it also depends on how much each F5 is &#8220;doing&#8221;.<br \/>\n<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">It has a limited number of dashboard panels, which means actually using it requires you to develop your own dashboards (or purchase ITSI).<br \/>\n<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/splunkbase.splunk.com\/app\/3161\/\"><span style=\"color: #0563c1; font-size: 13pt; text-decoration: underline;\">F5 Analytics (new)<br \/>\n<\/span><\/a><\/p>\n<p><span style=\"font-size: 12pt;\">This is the App you should be running because it has <em>very<\/em> comprehensive coverage of the F5 (full disclosure: I worked on this App):<br \/>\n<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;\">It covers the majority of F5 subsystems \u2013 Device Groups, Devices, Application Pools, Tenants, Security, Clients, DNS, etc. 
In fact, just one tab of one dashboard contains a comprehensive URL analysis system!<br \/>\n<\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"http:\/\/www.ossintegrators.com\/blog\/wp-content\/uploads\/2017\/12\/120517_1839_WhichF5AppS2.png\" alt=\"\" \/><span style=\"font-size: 12pt;\"><br \/>\n<\/span><\/p>\n<p><span style=\"color: #44546a; font-size: 9pt;\"><em>Figure 1 &#8211; Web Analytics Example<br \/>\n<\/em><\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;\">It makes extensive use of drilldowns, allowing you to begin at a high level and then drill into data that requires investigation.<br \/>\n<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">All data is collected in a &#8220;push&#8221; manner from F5 to Splunk. You install an iApp, configure it, and then data is forwarded to Splunk via HTTP Event Collector (HEC). Note that syslog and SNMP traps are <em>also<\/em> sent via HEC (if so desired).<br \/>\n<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">The implementation is extensively documented and covers all versions of BIG-IP from 10.x \u2013 12.x.<br \/>\n<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">It has a comprehensive built-in KPI system that covers both device-level KPIs (e.g. CPU, memory, disk) and application-level KPIs (e.g. pool members, server latency). 
Think of it as &#8220;ITSI-lite&#8221;!<br \/>\n<\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"http:\/\/www.ossintegrators.com\/blog\/wp-content\/uploads\/2017\/12\/120517_1839_WhichF5AppS3.png\" alt=\"\" \/><span style=\"font-size: 12pt;\"><br \/>\n<\/span><\/p>\n<p><span style=\"color: #44546a; font-size: 9pt;\"><em>Figure 2 &#8211; Device KPIs Example<br \/>\n<\/em><\/span><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.ossintegrators.com\/blog\/wp-content\/uploads\/2017\/12\/120517_1839_WhichF5AppS4.png\" alt=\"\" \/><span style=\"font-size: 12pt;\"><br \/>\n<\/span><\/p>\n<p><span style=\"color: #44546a; font-size: 9pt;\"><em>Figure 3 &#8211; Application KPIs Example<br \/>\n<\/em><\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;\">It makes extensive use of outlier detection to allow you to spot out-of-normal behavior quickly \u2013 both visually (see below) and via the KPI system:<br \/>\n<\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"http:\/\/www.ossintegrators.com\/blog\/wp-content\/uploads\/2017\/12\/120517_1839_WhichF5AppS5.png\" alt=\"\" \/><span style=\"font-size: 12pt;\"><br \/>\n<\/span><\/p>\n<p><span style=\"color: #44546a; font-size: 9pt;\"><em>Figure 4 &#8211; Visual Outlier Example<br \/>\n<\/em><\/span><\/p>\n<p><span style=\"font-size: 12pt;\">Two caveats to note:<br \/>\n<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 12pt;\">The 1.0 version of this App is <em>not<\/em> CIM compatible so the data will not show up in Enterprise Security.<br \/>\n<\/span><\/li>\n<li><span style=\"font-size: 12pt;\">Similarly, it does <em>not<\/em> support the <a href=\"http:\/\/docs.splunk.com\/Documentation\/ITSI\/3.0.0\/IModules\/AboutLoadBalancerModule\"><span style=\"color: #0563c1; text-decoration: underline;\">ITSI Load Balancer module<\/span><\/a>.<br \/>\n<\/span><\/li>\n<\/ul>\n<p><span style=\"color: #2e74b5; font-size: 13pt;\">Conclusion<br \/>\n<\/span><\/p>\n<p><span style=\"font-size: 12pt;\">If you have both Splunk 
and F5, then you should definitely check out the <a href=\"https:\/\/splunkbase.splunk.com\/app\/3161\/\"><span style=\"color: #0563c1; text-decoration: underline;\">F5 Networks \u2013 Analytics (new)<\/span><\/a> App, even if you are an ES and\/or ITSI shop.<br \/>\n<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So you have Splunk and F5s but are thoroughly confused about which F5 App to use because Splunkbase has eight! 
It&#8217;s actually simpler than it seems, so let&#8217;s do a rundown of what each F5 App actually does.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[6],"tags":[57,53],"class_list":["post-403","post","type-post","status-publish","format-standard","hentry","category-splunk","tag-f5","tag-splunk"],"_links":{"self":[{"href":"http:\/\/www.ossintegrators.com\/blog\/wp-json\/wp\/v2\/posts\/403","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.ossintegrators.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.ossintegrators.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.ossintegrators.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.ossintegrators.com\/blog\/wp-json\/wp\/v2\/comments?post=403"}],"version-history":[{"count":8,"href":"http:\/\/www.ossintegrators.com\/blog\/wp-json\/wp\/v2\/posts\/403\/revisions"}],"predecessor-version":[{"id":426,"href":"http:\/\/www.ossintegrators.com\/blog\/wp-json\/wp\/v2\/posts\/403\/revisions\/426"}],"wp:attachment":[{"href":"http:\/\/www.ossintegrators.com\/blog\/wp-json\/wp\/v2\/media?parent=403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.ossintegrators.com\/blog\/wp-json\/wp\/v2\/categories?post=403"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.ossintegrators.com\/blog\/wp-json\/wp\/v2\/tags?post=403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}