How to send statistics to Splunk

You can send data from your BIG-IP device(s) to Splunk for analysis. This tutorial leads you through the steps required to send data from a BIG-IP device to a Splunk instance.

Before you begin

tl/dr: Watch the installation video:

Set up Splunk to receive data

  1. Add a new HTTP Event Collector:

    • Click on the Apps gear icon.
    • Go to Settings ‣ Data inputs.
    • Click on HTTP Event Collector.
    • Click on Global Settings.
    • Click on Enabled.
    • Click Save.
    • Click on New Token.
    • Enter a name for the token, then click Next.
    • On the Input Settings screen, click Create a new index.
    • Name the index, then click Save.
    • Make sure the new index is the Default index.
    • Click Review, then click Submit.
    • Record the Token Value Splunk created for your HTTP Event Collector; you’ll configure the BIG-IP system with this value later.
  2. Install the F5 Analytics App.

    • In the Splunk GUI, click on Apps ‣ Find More Apps.
    • Search for “F5 Networks”.
    • Click Install and enter your credentials (this is your actual Splunk account, not the instance login).
    • Accept the license agreement, then click the Login and Install button.
    • When the installation is complete, you can view the App, or click Done.
  3. Configure your firewall to allow port 8088 to be open to Splunk.


    The event collector listens on port 8088 and requires HTTPS.

Send stats from a BIG-IP device to Splunk

Use the F5 Analytics iApp template to enable stats collection on your BIG-IP device and send the data to Splunk.

See also

The instructions provided here cover the basics of iApp deployment. See the F5 Analytics iApp Deployment Guide for additional details

Deploy the F5 Analytics iApp

Download the F5 Analytics iApp from DevCentral, then upload it to the Common partition on the BIG-IP device.

  1. Select IApps/Templates ‣ Import.
  2. Upload the iApp template (
  3. Select IApps/Application Services ‣ Create.
  4. Choose the template.
  5. Fill in the following fields; unspecified fields should use the default setting.
    • Name - [user defined]
    • Template -
    • Module HSL Streams - No
    • Local System Logging (syslog) - No
    • System SNMP Alerts - No
    • iHealth Snapshot Information - No
    • Facility Name - [user defined]
    • Default Tenant - [user defined]
    • Alternative Device Group - [user defined]
    • IP Address or Hostname - [SPLUNK_IP]
    • Port - 8088
    • Protocol - HTTPS
    • API Key - [SPLUNK_TOKEN]
    • Push Interval - 20
    • Mapping Table: 1 - Type=[App Name] From=[Virtual Name] Regex= (.*)_\d  Action=Map
    • Mapping Table: 2 - Type=[Tenant Name] From=[Partition] Regex=(.*) Action=Map
  6. Click Finished.