Merge pull request #499 from splunk/master
Merge back F5 json irule
Ryan Faircloth authored and GitHub committed May 29, 2020
2 parents c5a9ef5 + 8a8a3d6 commit 5f6770b
Showing 4 changed files with 164 additions and 71 deletions.
3 changes: 3 additions & 0 deletions docs/sources/F5/index.md
@@ -21,6 +21,8 @@
| f5:bigip:ltm:failed:irule | None |
| f5:bigip:asm:syslog | None |
| nix:syslog | None |
| f5:bigip:ltm:access_json | User defined configuration via irule producing a RFC5424 syslog event with json content within the message field `<111>1 2020-05-28T22:48:15Z foo.example.com F5 - access_json - {"event_type":"HTTP_REQUEST", "src_ip":"10.66.98.41"}` This source type requires a customer specific Splunk Add-on for utility value |


### Index Configuration

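Review bot: the new `f5:bigip:ltm:access_json` row should state the routing condition explicitly, namely that the syslog APP-NAME must be `F5` and the MSGID must be `access_json`; the example event only shows this implicitly, and an iRule that emits a different MSGID will never reach this source type, because the log path in `lp-f5_bigip.conf.tmpl` selects it with `program('F5') and match('access_json' value('MSGID'))`. Two wording points: "a RFC5424" should read "an RFC 5424", and the two blank lines added after the table leave a double blank line in the markdown where one is enough.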
@@ -30,6 +32,7 @@
| f5_bigip_irule | netops | none |
| f5_bigip_asm | netwaf | none |
| f5_bigip_nix | netops | if `f_f5_bigip` is not set the index osnix will be used |
| f5_bigip_access_json | netops | none |

### Filter type

1 change: 1 addition & 0 deletions package/etc/conf.d/filters/f5/bigip.conf.tmpl
@@ -6,6 +6,7 @@ filter f_f5_bigip {
or program("apmd")
or program("tmm\d?")
or program('^f5_irule=')
or program('F5')
or message('^f5_asm=Splunk-F5-ASM');
};

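Review bot: `or program('F5')` is an unanchored regular expression in syslog-ng, so it matches any program name that merely contains `F5` (for example `myF5proxy`), not only the literal APP-NAME `F5` that the documented iRule event uses; the neighbouring entry `program('^f5_irule=')` is anchored and this one should be too, e.g. `or program('^F5$')`, or a plain string comparison with `program('F5' type("string"))`. Because `f_f5_bigip` gates the whole F5 log path, the broad match would pull events from any host whose APP-NAME happens to contain `F5` into the F5 sourcetypes and indexes.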
24 changes: 11 additions & 13 deletions package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
@@ -36,19 +36,17 @@ log {
parser { p_add_context_splunk(key("f5_bigip")); };
parser (compliance_meta_by_source);
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
# } elif {
# filter {
# program('apmd')
# };
# rewrite {
# set("f5_bigip", value("fields.sc4s_vendor_product"));
# set("${PROGRAM}", value(".PROGRAM"));
# subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
# r_set_splunk_dest_default(sourcetype("f5:bigip:apm:syslog"), index("netops"), source("program:${.PROGRAM}"))
# };
# parser { p_add_context_splunk(key("f5_bigip")); };
# parser (compliance_meta_by_source);
# rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
} elif {
filter {
program('F5') and match('access_json' value('MSGID'))
};
rewrite {
set("f5_bigip_access_json", value("fields.sc4s_vendor_product"));
r_set_splunk_dest_default(sourcetype("f5:bigip:ltm:access_json"), index("netops"))
};
parser { p_add_context_splunk(key("f5_bigip_access_json")); };
parser (compliance_meta_by_source);
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
} elif {
filter {
program('^f5_irule=')
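Review bot: in the new `elif` branch both `program('F5')` and `match('access_json' value('MSGID'))` are unanchored regex matches, so a MSGID such as `access_json_v2` or `old_access_json` also lands here and is forwarded message-only as `f5:bigip:ltm:access_json`; anchor the match (`match('^access_json$' value('MSGID'))`, and likewise `program('^F5$')`) or use `type("string")` so the branch only claims the documented iRule output. Two smaller points: unlike the removed block, the new `r_set_splunk_dest_default(...)` call passes no `source(...)`, so these events get whatever source the default applies, which is worth confirming is intended; and deleting the commented-out `apmd` block is an unrelated cleanup that the commit message ("Merge back F5 json irule") does not mention.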

0 comments on commit 5f6770b
