This query provides a pointmap of usernames successfully logging into F5 boxes via the latest RCE:
tag=<your F5 restjavad log tag> words User successfully logged
| regex "User (?P<user>\S+) successfully logged in from (?P<ip>\S+) using"
| geoip ip.Location
| pointmap user
Additional information available at: research nccgroup