BLOG

Delivering Deeper Insight and Visibility for BIG-IP with Splunk

F5 Thumbnail
F5
Published November 12, 2020

“It is a capital mistake to theorize before one has data.” – Sherlock Holmes


Arthur Conan Doyle’s legendary character got a lot right. (His opinion on the importance of data being lumped into that assessment.) But imagine for a moment if this 19th century gumshoe was suddenly transported to 2020—where information is not only ubiquitous but can often be overwhelming. Would he still complain about a lack of data if he needed to solve a security puzzle?

Taken a step further, what if he was tasked with making sense of the security data, event logs, and inputs from the many different devices and services that make up an enterprise network?

Even Holmes’ famous thirst for data would be quenched in that deluge (read: he would definitely drown).

Fortunately, those whose job it is to make sense of (and take action based on) enterprise network information don’t have to rely on fictional detectives from Victorian England. There are solutions that do the heavy lifting—such as Splunk.

Splunk’s Security Information and Event Management (SIEM) solution is used by organizations all over the world to ingest and assimilate a constant stream of unorganized, unstructured, multi-sourced network data into meaningful, consumable, correlated dashboards—helping to drive informed decisions and strategy.

Splunk and F5

Admittedly, one of the “chattier” devices in many enterprise networks is F5 BIG-IP. Because BIG-IP excels at inspecting, analyzing, filtering, and reporting on network traffic, it creates a lot of very useful data. However, parsing and extracting insight from this stream of information is no small feat. This was one of the primary drivers for the development of the Splunk Add-on for F5 BIG-IP. This fully Splunk-supported add-on makes it possible for Splunk administrators to pull network traffic data, system logs, system settings, performance metrics, and traffic stats from their BIG-IPs using syslogs, iRules, and the iControl REST API.

Improving on the Add-on

While this integration provided a ton of value for F5 and Splunk users, both companies also believe in making good things great. One of the ways this is being accomplished is by leveraging the declarative and F5-supported Automation Toolchain—specifically Telemetry Streaming—to improve how BIG-IP and Splunk communicate. Instead of having to input a set of imperative commands—a process that requires F5 subject matter expertise—Telemetry Streaming only needs a single JSON declaration, meaning you tell it the end state you want and it will aggregate, normalize, and forward BIG-IP statistics to Splunk.

"F5 BIG-IP is a very important data source for many security and operations teams. We are strongly urging our joint customers to adopt the new Telemetry Streaming integration. The Telemetry Streaming option is easy to configure and work with thanks to the JSON formatted messages and use of the Splunk HTTP Event Collector (HEC)."

– Mark Karlstrand, Senior Product Manager, Splunk

In addition to overall simplification via declarative interfaces, leveraging Telemetry Streaming as the underlying mechanism for the BIG-IP and Splunk integration means that the data will be pushed from BIG-IP into Splunk rather than pulled—helping to build more automated workflows. This new approach for the Splunk add-on for BIG-IP:

  • Simplifies the process of getting data from BIG-IP into Splunk
  • Adds more detail to the reporting dashboard
  • Helps future proof the integration as F5 continues to invest in declarative interfaces for its products and integrations
  • Remains fully supported by F5 (Telemetry Streaming) and Splunk (Add-on for BIG-IP)

The latest version of the add-on for BIG-IP is available now for Splunk customers. You can find it on Splunkbase.