QKView LLM Wiki Runbook

Self-Improving Runbook  ·  Decision-Tree Walks  ·  Sterile by Design

A locally-hosted, compounding operational runbook for F5 BIG-IP QKView analysis. Stored as an Obsidian vault of interlinked Markdown files, it doesn't just store knowledge — it runs the output of over 20+ scripts against a check analysis playbook against a QKView diagnostic archive, gets smarter after every engagement through the re-ingestion of a deviation file created during the process, and never touches client data. Based on Andrej Karpathy's "LLM Wiki" pattern (See: References) — but evolved from static reference into a living procedure that refines itself.

⚠ Disclaimer

This documentation describes a tool built for internal use only. An F5 BIG-IP QKView file is an extraordinarily sensitive artifact — it contains running configurations, SSL certificate details, device serial numbers, registration keys, HA failover state, internal IP addressing, log entries that may include client traffic patterns, and in some cases plaintext credentials. Feeding a QKView into any cloud-hosted LLM service (free tier, consumer product, or shared API) means transmitting all of that data to a third party. Do not do this.

If you follow this pattern and build your own QKView analysis wiki, you should only run it against a Privately Hosted Local LLM (self-hosted, on-premises, no data leaves your network) or an Enterprise-Grade subscription with a vendor that contractually guarantees zero data retention, zero training on inputs, and zero human review of prompts (e.g., Azure OpenAI with a Data Processing Agreement, AWS Bedrock with appropriate safeguards, or equivalent). Read the terms of service carefully — most consumer LLM products explicitly reserve the right to train on your inputs. That is incompatible with QKView data. The author assumes no responsibility for data exposure resulting from misuse of this design pattern.

Important Note on Availability

This tool was built at work, for work. The actual QKView LLM Wiki repository — including all 20+ Python extractor scripts, the 72 wiki pages (and rising), the CLAUDE.md schema, and operational specifics that I will never be able to release. What I can provide is the complete design, architecture, operating model, and every lesson learned from building and running it — enough that someone following the same pattern against their own QKViews will arrive at the same result.

The Problem It Solves

F5 BIG-IP QKView diagnostic archives are the primary artifact for remote support cases and proactive health assessments. But analyzing them is slow, inconsistent, and heavily reliant on individual engineer experience. A QKView contains dozens of XML files, configuration dumps, log excerpts, certificate inventories, and hardware telemetry — and no two engineers will examine the same data the same way.

This wiki operationalizes a repeatable, documented analysis methodology:

  • Consistency — every QKView gets the same check walkthrough, regardless of who (or what) is running it (I literally told Claude that the goal is to have the "Stupidest" Model available provide a detailed and actionable report)
  • Completeness — checks cover filesystem, memory, CPU, HA, services, network, pools, certificates, logs, iRules, config hygiene, and tmctl statistics — nothing gets skipped
  • Repeatability — deterministic Python extractors pre-parse XML so the AI reads structured, pre-judged results instead of raw data
  • Improvement — every engagement that deviates from the playbook produces a lesson that gets generalized and filed back, making the next run more accurate
  • Sterility — client data never enters the wiki. Engagement output lives in an external workspace. The wiki stays clean enough to share, version, and reuse across every engagement

How It Differs from the TMSH Wiki

TMSH Wiki

  • Purpose: Static reference — look up TMSH syntax
  • Grows via: Adding source documents (K-articles, PDFs)
  • Operations: Ingest, Query, Lint
  • Access: Direct file reads, triggered by TMSH questions
  • Tools layer: None — pure knowledge base
  • Sterility: No constraint — no client data ever enters it
  • CLAUDE.md role: Gold-standard template for all other repos

QKView Wiki

  • Purpose: Self-improving runbook — walk a procedure against live data
  • Grows via: Engagement Refine passes (deviations → lessons)
  • Operations: Ingest, Query, Execute, Refine, Lint
  • Access: Mediated by qkview-analysis-skill for Execute
  • Tools layer: 20+ Python extractor scripts (deterministic pre-parsing)
  • Sterility: Prime Directive — no client data ever enters the repo
  • CLAUDE.md role: Instantiates the template with QKView-specific operations

Architecture

Vault Structure

  • raw/ — Immutable source documents (K-articles, SME notes)
  • samples/ — Sanitized QKView fixtures for testing
  • tools/ — 20+ Python extractor scripts + helpers
  • wiki/checks/ — 21 atomic check pages with decision graphs
  • wiki/drilldowns/ — 18 drilldown pages (triggered when checks trip thresholds)
  • wiki/playbooks/ — 2 playbooks (full-analysis + cold-start)
  • wiki/concepts/ — 11 F5 reference concept pages
  • wiki/lessons/ — 9 generalized lessons from past engagements
  • wiki/sources/ — 1 source summary per ingested K-article/doc
  • wiki/templates/ — Engagement output format template

Page Schema

  • YAML frontmatter: title, category, tags, sources, lessons, updated date
  • Check pages add: data_source, extractor, version_applies, thresholds, on_ok/on_warn/on_crit arrays
  • The on_ok/on_warn/on_crit arrays make the decision graph machine-walkable
  • The extractor field points to the Python script that pre-evaluates the threshold
  • Obsidian wikilinks for cross-references between checks, drilldowns, and concepts
  • Obsidian callouts for warnings, notes, and tips

Five Operations

  • Ingest — Drop a source into raw/, agent reads it, creates source summary + updates all relevant pages, updates index and log
  • Query — Standard question-answering against the wiki, with cited synthesis
  • Execute — Gated by qkview-analysis-skill. Walk the playbook against a live QKView. Write findings to external workspace. Queue deviations — never modify wiki inline during Execute
  • Refine — After Execute, generalize deviations (strip all client-identifying detail), route fixes to wiki vs. tools vs. both, apply on approval. The improvement engine
  • Lint — Health check: sterility violations (highest priority), contradictions, stale claims, orphan pages, threshold values without sources, missing version fields

The Extractor Layer

The 20+ Python scripts in tools/ are the deterministic parsing layer that separates fact-derivation from interpretation. Each extractor runs against a specific QKView XML artifact and emits structured Markdown with:

  • A leading result: ok|warn|crit|n/a line — the threshold judgment, already made
  • Captured data tables with the raw evidence
  • Drill-route signals (e.g., _usr_lv_branch: only_current_family)
  • Verify sections posing the wiki's named possible causes as numbered questions

This design was added after a second engagement revealed that Claude was sometimes skipping analytical work by not fully parsing raw XML — and a Haiku-class model test showed fabricated all-clears. The extractors make hallucinated all-clears structurally hard: a model walking the playbook reads pre-computed result: crit lines rather than trying to interpret raw XML.

🖥️

Platform & System — extract-platform, extract-filesystem, extract-memory, extract-cpu-load, extract-process-health, extract-license

🌐

Network & HA — extract-ha-sync-state, extract-services, extract-network-interface-health

⚖️

Application & Security — extract-pool-vs-availability, extract-certs, extract-irule-health, extract-config-hygiene

📊

tmctl Deep-Dive — extract-tmctl-virtual-servers, extract-tmctl-pools, extract-tmctl-irules, extract-tmctl-monitors, extract-tmctl-connections, extract-tmctl-ssl

🔍

Log Analysis — extract-log-stats

🔗

Correlation & Helpers — correlate (cross-section synthesis), extract_cmd (generic helper), find_down (pool/VS down detection)

Sterility — The Prime Directive

The QKView Wiki has a sterility constraint that the TMSH Wiki does not. The TMSH Wiki has no client data to protect — it is purely F5 vendor knowledge. The QKView Wiki is used against real client device data on every engagement. The constraint is absolute:

Forbidden anywhere in the wiki repo, including frontmatter, log entries, lesson files, commit messages, and filenames:

  • Client names, organization names, project codenames
  • Hostnames, device names, FQDNs
  • Device serial numbers, registration keys, license keys
  • IP addresses from any real environment (RFC 5737 docs ranges only in examples)
  • Certificate content, key material, fingerprints
  • Verbatim configuration excerpts from a real QKView
  • Engagement dates tied to a specific client
  • Support case IDs, ticket numbers

During Refine, the generalize step is mandatory and comes first. A deviation note from an engagement might say "client's /var was at 88% with rapid fill rate." That cannot enter the wiki. It becomes: "For /var, fill rate dominates absolute %. The 80-89 warn band should escalate to crit when fill rate exceeds ~N%/day." If generalization without losing the lesson is impossible, the lesson is flagged and skipped until it can be reworded.

How It Was Created

📐

Phase 1 — Concept & Design (2026-05-27) — Rather than feeding the generic LLM Wiki pattern prompt directly to Claude, a deliberate design process was followed first. The Karpathy Wiki LLM concept essay was placed in the vault root. Claude analyzed how the generic pattern should be adapted for QKView analysis specifically — treating it differently than the TMSH wiki because QKView analysis is procedural rather than reference-oriented. The analysis identified five key design decisions that became the foundation of the CLAUDE.md schema.

🧱

Phase 2 — Scaffold (2026-05-27) — Initial wiki created with just three pages: index.md, log.md, and overview.md. A playbook-cold-start was immediately added — a bootstrap-mode checklist that lets the agent walk a QKView by analyst judgment when the wiki has no coverage yet. The full analysis playbook didn't exist yet, but an engagement could still be run.

🚀

Phase 3 — First Engagement & Cold-Start Refine (2026-05-27) — The wiki went immediately into use on a real QKView engagement before the playbook existed. Cold-start mode generated a 23-entry deviation queue. The subsequent Refine pass generalized all 23 deviations into 38 new wiki pages — 15 check pages, 13 drilldown pages, 8 concept pages, 2 lessons, 1 playbook, 1 template, and 2 tools. This single Refine pass created the full playbook-full-analysis and most of the core wiki content.

🛡️

Phase 4 — Extractor Layer Added (2026-05-28) — After a second engagement revealed that Claude was sometimes skipping analytical work by not fully parsing raw XML (and a Haiku-class model test showed fabricated all-clears), seven Python scripts were written to deterministically parse QKView XML artifacts. The extractors emit structured Markdown with pre-computed threshold judgments, making hallucinated all-clears structurally hard.

📈

Phase 5 — TMCTL Deep-Dive Layer (2026-06-04) — A second extraction suite targeting stat_module.xml — the tmctl statistics tables exposing VS connection counts, pool pick rejections, iRule execution cycles, monitor instance states, connection table utilization, and SSL handshake performance. Six new Python scripts, six new check pages, three new drilldowns, and enriched operational context fields.

🔄

Phase 6 — Ongoing Refinement (2026-06-05, 2026-06-09, 2026-06-18) — Multiple Refine passes continuously improved both wiki and tools: output caps removed from extractor tables, EHF detection corrected, license service check staleness corrected (devices 371 days stale while processing traffic, proved by K000151595), ClientSSL vs ServerSSL impact differentiation in cert extractor, HA multicast interface false positive eliminated, /usr partition guidance expanded with APM and iRulesLX branches.

The Execute / Refine Cycle

The core innovation of this wiki over the TMSH reference model. This is where the "self-improving runbook" actually improves itself:

Execute (via qkview-analysis-skill)

  • The skill points the agent at a QKView file (outside the wiki repo)
  • Sets up an engagement workspace (also outside the wiki repo)
  • Walks playbook-full-analysis — 20+ checks in order
  • For each check: run the extractor script, read the result: line, if warn/crit read the check page + drilldown, verify against QKView artifacts
  • Write findings per template-findings.md with Diagnosed, Recommendation, K-articles fields
  • If anything doesn't fit: append a deviation note — don't modify wiki pages during Execute
  • Chains into humanizer and emailable-report for final deliverables

Refine (after Execute completes)

  • Triggered by a deviation queue path — a separate, deliberate session
  • Generalize step is mandatory and comes first — strip every engagement-shaped detail (client names, hostnames, IPs, percentages tied to a specific device)
  • Route the fix to the correct surface: wiki page, extractor script, or both
  • Propose changes per item, apply on approval
  • Update index.md and log.md
  • Execute operations never appear in log.md — only wiki-internal events (ingest, refine, deviation-filed, lint, edit)

The bi-directional nature of Refine — fixes route to either the wiki or the tools depending on whether the gap was interpretive or detection-based — is the project's central improvement mechanism.

Access Rules

Unlike the TMSH Wiki, the QKView Wiki does not have a simple trigger list. Its access is mediated entirely by the qkview-analysis-skill:

  • During an Execute pass (via the skill): the skill walks the playbook, and each check page and drilldown page is read as part of the execution loop. No page limit enforced during Execute — the playbook walks all relevant pages systematically
  • During Ingest, Refine, or Lint: wiki maintenance operations triggered manually against the wiki repo. Claude reads whatever pages are needed to correctly route and file deviations
  • The skill is the enforcement boundary that keeps engagement data out of the wiki. The wiki is sterile because the skill always writes output to an external path — there is no mechanism within the skill for findings to flow back into the repo

Current State

Total Pages 72 — 21 checks, 18 drilldowns, 2 playbooks, 11 concepts, 9 lessons, 1 source, 1 template, 1 overview
Extractor Scripts 20+ Python scripts in tools/ (platform, filesystem, memory, CPU, process, HA, services, network, pool/VS, certs, log stats, license, iRules, config hygiene, 6× tmctl, correlation, 2 helpers)
Engagements Completed 10+
Active Playbook playbook-full-analysis — 15 standard checks + 6 TMCTL deep-dive checks (21 total)
Cold-Start Fallback playbook-cold-start — bootstrap mode for novel platforms or empty-wiki scenarios
Last Wiki Change 2026-06-18 — ingest of /usr partition research doc expanding APM and iRulesLX guidance

Enhancement Opportunities

The extractor layer opens a design space the TMSH Wiki doesn't have. Because every check is backed by a deterministic Python script that emits structured Markdown, the system can be extended in ways a pure-knowledge-base cannot:

  • Automated regression testing — run every extractor against the sanitized sample QKViews and diff the output. Drift in the check logic becomes visible immediately.
  • CI pipeline integration — every Refine pass that modifies an extractor or a check page could trigger an automated test suite against the fixtures.
  • Threshold calibration — the extractors emit the raw numbers alongside the judgment. Over time, the distribution of real-world results can be used to tune the warn/crit bands with evidence rather than intuition.
  • Multi-device correlation — running the skill against both members of an HA pair and cross-referencing the deviation queues could surface asymmetric configuration drift.
  • MCP conversion — the extractor scripts could be wrapped as MCP tool calls, making the QKView analysis capability available to any agent, not just Claude Code sessions pointed at the wiki repo.

Details

Status Active — engagements ongoing, wiki compounding with every run
Origin Date May 2026
Pattern Adapted from Andrej Karpathy's "LLM Wiki" concept — evolved from static reference to self-improving runbook
Storage Obsidian vault (interlinked Markdown + Python extractors)
Operations Ingest, Query, Execute, Refine, Lint (three more than the TMSH Wiki)
Sterility Prime Directive — no client-identifying data ever enters the repo
Skill Integration qkview-analysis-skill — the only entry point for Execute mode
Availability Built at work for work — the repository cannot be released. Full design record is provided so others can follow the pattern.

Reference

Andrej Karpathy's GitHub Article: LLM Wiki

Related Project: TMSH LLM Wiki Brain — the static reference companion that shares the same vault architecture

Related Project: iControl LLM Wiki Brain — the REST API companion (in progress)