Macros for log data

This reference includes some example macro definitions for log data and lists the available macros for each log data source type that is used in the IBM Z® Operational Log and Data Analytics dashboards and predefined searches.

For each macro, the following information is also listed:
  • The expected values for the index and the log data source type for both a Z Common Data Provider Data Receiver subscriber and a Splunk HEC subscriber
  • For data to be streamed to the Splunk subscriber, the name of the associated IBM Z Operational Log and Data Analytics data stream that must be defined for the respective log data source type in the Z Common Data Provider Configuration Tool policy
Note: All log data source types for version 4.1.02 and later versions of the Z Operational Log and Data Analytics Splunk application are configured by default to use the zosdex index. To help improve search performance, a unique index and corresponding search macro are defined for each log data source type that is used by dashboards and saved searches in 5.1.0 and later versions of the IBM Z Operational Log and Data Analytics Splunk application. The zosdex index for the affected source types is included in the macros for migration purposes only. If you do not need to access historical log data in the zosdex index, edit the macro definitions and remove index=zosdex to improve search performance.

Example macro definitions for syslogd data

The following examples are macro definitions for UNIX System Services system log (syslogd) data:
  • By default, the macro is defined to show results in the dashboards and predefined searches for a Data Receiver subscriber (with migration for the pre-5.1.0 log data) or a HEC subscriber.
    
    ((index=zos-syslogd OR index=zosdex OR index=zosdex_kv) AND  
    (sourcetype=zOS-syslogd OR sourcetype=zOS-syslogd_KV))
    
  • Edit the macro to show results for only a Data Receiver subscriber, with migration for pre-5.1.0 log data.
    
    ((index=zos-syslogd OR index=zosdex) AND (sourcetype=zOS-syslogd))
    
  • Edit the macro to show results for only a Data Receiver subscriber, without migration for pre-5.1.0 log data.
    
    (index=zos-syslogd AND sourcetype=zOS-syslogd)
    
  • Edit the macro to show results for only a HEC subscriber.
    
    (index=zosdex_kv AND sourcetype=zOS-syslogd_KV)
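
The four syslogd variants above follow one rule, shown here as an added example that is not part of the IBM documentation or the Splunk application. The helper names `build_definition` and `drop_legacy_index` are hypothetical, and the index and source type values are copied from three rows of Table 1 on this page. The second helper removes `index=zosdex` without damaging `index=zosdex_kv`, which a plain text replace would turn into a nonexistent index and leave the dashboards silently empty.

```python
import re

# Constructed from Table 1 (subset): macro -> (Data Receiver index, source type).
# The index is not always the lowercased macro name (see zOS-SYSLOG).
TABLE = {
    "zOS-syslogd": ("zos-syslogd", "zOS-syslogd"),
    "zOS-SYSLOG": ("zos-syslog-console", "zOS-SYSLOG-Console"),
    "zOS-zSecure": ("zos-zsecure", "zOS-zSecure"),
}
LEGACY_INDEX = "zosdex"    # pre-5.1.0 Data Receiver data
HEC_INDEX = "zosdex_kv"    # HEC subscriber data


def build_definition(macro, data_receiver=True, hec=True, legacy=True):
    """Hypothetical helper: build one macro's search string in the page's layout."""
    index, sourcetype = TABLE[macro]
    indexes, sourcetypes = [], []
    if data_receiver:
        indexes.append(index)
        if legacy:
            indexes.append(LEGACY_INDEX)
        sourcetypes.append(sourcetype)
    if hec:
        indexes.append(HEC_INDEX)
        sourcetypes.append(sourcetype + "_KV")
    if not indexes:
        raise ValueError("select at least one subscriber")
    idx = " OR ".join(f"index={i}" for i in indexes)
    st = " OR ".join(f"sourcetype={s}" for s in sourcetypes)
    if len(indexes) > 1 or len(sourcetypes) > 1:
        idx, st = f"({idx})", f"({st})"   # the page wraps both groups together
    return f"({idx} AND {st})"


def drop_legacy_index(definition):
    """Hypothetical helper: remove only the exact index=zosdex term.

    The lookahead keeps index=zosdex_kv intact; a plain str.replace() would
    also cut the prefix out of it and leave a nonexistent index name behind.
    """
    term = r"index=" + re.escape(LEGACY_INDEX) + r"(?![\w-])"
    out = re.sub(r"\s+OR\s+" + term, "", definition)   # term after an OR
    return re.sub(term + r"\s+OR\s+", "", out)         # term before an OR


if __name__ == "__main__":
    default = build_definition("zOS-syslogd")
    print(default)
    print(drop_legacy_index(default))
```
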
    

Available macros for each log data source type

Table 1 lists the available macros for each log data source type that is used in the IBM Z Operational Log and Data Analytics dashboards and predefined searches.
For each macro, the following information is also shown:
  • The expected values for the index and the log data source type for both a Z Common Data Provider Data Receiver subscriber and a Splunk HEC subscriber
  • For data to be streamed to the Splunk subscriber, the name of the associated IBM Z Operational Log and Data Analytics data stream that must be defined for the respective log data source type in the Z Common Data Provider Configuration Tool policy
Table 1. Available macros for each log data source type
| Macro | Index | Log data source type | Data stream in the policy |
|---|---|---|---|
| zOS-CICS-EYULOG | Data receiver: zos-cics-eyulog, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-CICS-EYULOG; HEC: zOS-CICS-EYULOG_KV | CICS EYULOG |
| zOS-CICS-EYULOGDMY | Data receiver: zos-cics-eyulogdmy, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-CICS-EYULOGDMY; HEC: zOS-CICS-EYULOGDMY_KV | CICS EYULOG DMY |
| zOS-CICS-EYULOGYMD | Data receiver: zos-cics-eyulogymd, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-CICS-EYULOGYMD; HEC: zOS-CICS-EYULOGYMD_KV | CICS EYULOG YMD |
| zOS-CICS-MSGUSR | Data receiver: zos-cics-msgusr, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-CICS-MSGUSR; HEC: zOS-CICS-MSGUSR_KV | CICS User Messages |
| zOS-CICS-MSGUSRDMY | Data receiver: zos-cics-msgusrdmy, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-CICS-MSGUSRDMY; HEC: zOS-CICS-MSGUSRDMY_KV | CICS User Messages DMY |
| zOS-CICS-MSGUSRYMD | Data receiver: zos-cics-msgusrymd, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-CICS-MSGUSRYMD; HEC: zOS-CICS-MSGUSRYMD_KV | CICS User Messages YMD |
| zOS-NetView | Data receiver: zos-netview, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-NetView; HEC: zOS-NetView_KV | NetView Netlog |
| zOS-SYSLOG | Data receiver: zos-syslog-console, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-SYSLOG-Console; HEC: zOS-SYSLOG-Console_KV | z/OS SYSLOG |
| zOS-syslogd | Data receiver: zos-syslogd, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-syslogd; HEC: zOS-syslogd_KV | USS Syslogd |
| zOS-WAS-SYSOUT | Data receiver: zos-was-sysout, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-WAS-SYSOUT; HEC: zOS-WAS-SYSOUT_KV | WebSphere SYSOUT |
| zOS-WAS-SYSPRINT | Data receiver: zos-was-sysprint, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-WAS-SYSPRINT; HEC: zOS-WAS-SYSPRINT_KV | WebSphere SYSPRINT |
| zOS-zSecure | Data receiver: zos-zsecure, zosdex (pre-5.1.0); HEC: zosdex_kv | Data receiver: zOS-zSecure; HEC: zOS-zSecure_KV | zSecure Access Monitor |