Splunk indexes

Rather than storing all events from Transaction Analysis Workbench in the same Splunk index, you might prefer to use multiple indexes. Here are some methods for controlling which indexes events are stored in.

The following examples assume that you have already created the indexes that you want to use.

Per port

You can define a TCP input (port) for each index.

For example, in inputs.conf:

[tcp://:6068]
# Miscellaneous z/OS events
index = fuw

[tcp://:6069]
# CICS events
index = cics

[tcp://:6070]
# DB2 events
index = db2

With this method, it is up to you to forward the logs to the corresponding port for that index. When writing the JCL to forward logs, you must ensure that the JSON commands for the logs that you want stored in cics refer to the STREAM command for the correct port.

Per stream

If you add the following setting to your Splunk inputs.conf stanza:

requireHeader = true

then you can use the HEADER parameter of the Transaction Analysis Workbench STREAM command to send a header line that overrides the index for events sent in the subsequent JSON Lines. For example:

STREAM NAME(SPLUNK) +
       HEADER(***SPLUNK*** index=cics)

Per event

You can use transforms in Splunk to override the index per event.

Each line of JSON Lines from Transaction Analysis Workbench contains a type field that matches the log type of the original log record. You can use this field to specify the Splunk index. For example, in props.conf, append the following line to the stanza for the corresponding source type or input:

TRANSFORMS-changeindex = set_index_fuw

and add the following stanza to transforms.conf:

[set_index_fuw]
# Route events to type-specific index, or fall back to default index
REGEX = \"type\":\"(dtr|cmf|ims)-
FORMAT = $1
DEST_KEY = _MetaData:Index
DEFAULT_VALUE = misc
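The following Python script is an added example, not part of this page or of Transaction Analysis Workbench or Splunk; it simulates what the [set_index_fuw] transform above does to each JSON Lines event, so that you can check the routing rule against sample events before relying on it. The sample events and the KNOWN_INDEXES set are constructed for this example; the index names dtr, cmf and ims are assumed to exist on your indexer, as the page assumes for any index you route to.

```python
import json
import re

# Mirrors the [set_index_fuw] stanza in transforms.conf:
# REGEX captures the log-type prefix before the hyphen, FORMAT = $1 turns
# that capture into the index name, and DEFAULT_VALUE is used when REGEX
# does not match the raw event text.
INDEX_REGEX = re.compile(r'"type":"(dtr|cmf|ims)-')
DEFAULT_INDEX = "misc"

# Indexes assumed to have been created on the Splunk indexer (constructed for
# this example; the names dtr, cmf and ims are assumptions, not from the page).
KNOWN_INDEXES = {"fuw", "cics", "db2", "dtr", "cmf", "ims", "misc"}


def index_for_event(raw_event: str) -> str:
    """Return the index the transform would assign to one raw JSON Lines event."""
    match = INDEX_REGEX.search(raw_event)
    if match:
        return match.group(1)   # FORMAT = $1
    return DEFAULT_INDEX        # DEFAULT_VALUE = misc


def route(lines):
    """Group raw events by destination index and report indexes that are not defined.

    Returns (routed, missing): routed maps index name -> list of raw events,
    missing lists destination indexes absent from KNOWN_INDEXES.
    """
    routed = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        json.loads(line)  # refuse lines that are not valid JSON before routing them
        dest = index_for_event(line)
        routed.setdefault(dest, []).append(line)
    missing = sorted(set(routed) - KNOWN_INDEXES)
    return routed, missing


# Constructed sample events; the type values and other fields are illustrative,
# not real Transaction Analysis Workbench output.
SAMPLE_LINES = [
    '{"type":"dtr-0001","time":"2024-01-01T00:00:00Z","msg":"transaction start"}',
    '{"type":"cmf-110","time":"2024-01-01T00:00:01Z","msg":"cics monitoring"}',
    '{"type":"ims-07","time":"2024-01-01T00:00:02Z","msg":"ims log"}',
    '{"type":"smf-30","time":"2024-01-01T00:00:03Z","msg":"address space"}',
    '{"msg":"event with no type field"}',
]

if __name__ == "__main__":
    routed, missing = route(SAMPLE_LINES)
    for index, events in sorted(routed.items()):
        print(f"{index}: {len(events)} event(s)")
    if missing:
        print("indexes referenced by events but not defined:", missing)
```

Two things this makes visible: any type that is not dtr, cmf or ims (here smf-30, and an event with no type field) lands in misc, so that index must exist or the events are dropped; and because the capture group becomes the index name, extending the alternation in REGEX means creating a matching index first.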