Nimbostratus
Cirrostratuswhy don't you try below IRULE ( CREATE A POOL Pool-syslog) contain splunk server
when DNS_REQUEST {
set client_addr [IP::client_addr]
set dns_server_addr [IP::local_addr]
set question_name [DNS::question name]
set question_class [DNS::question class]
set question_type [DNS::question type]
set data_center [whereami]
set geo_information [join [whereis $client_addr] ;]
set gtm_server [whoami]
set wideip [wideip name]
set dns_len [DNS::len]
set hsl [HSL::open -proto UDP -pool Pool-syslog]
HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=$client_addr,dns_server_ip=$dns_server_addr,src_geo_info=$geo_information,question_name=$question_name,question_class=$question_class,question_type=$question_type,data_center=$data_center,gtm_server=$gtm_server,wideip=$wideip,dns_len=$dns_len\r\n"
}