Macros for log data
This reference includes some example macro definitions for log data and lists the available macros for each log data source type that is used in the IBM Z® Operational Log and Data Analytics dashboards and predefined searches.
For each macro, the following information is also listed:
- The expected values for the index and the log data source type for both a Z Common Data Provider Data Receiver subscriber and a Splunk HEC subscriber
- For data to be streamed to the Splunk subscriber, the name of the associated IBM Z Operational Log and Data Analytics data stream that must be defined for the respective log data source type in the Z Common Data Provider Configuration Tool policy
Note: All log data source types for version 4.1.02 and later versions of the Z Operational Log and Data Analytics Splunk application are configured by default to use the zosdex index. To help improve search performance, a unique index and corresponding search macro are defined for each log data source type that is used by dashboards and saved searches in 5.1.0 and later versions of the IBM Z Operational Log and Data Analytics Splunk application. The zosdex index for the affected source types is included in the macros for migration purposes only. If you do not need to access historical log data in the zosdex index, edit the macro definitions and remove index=zosdex to improve search performance.
Example macro definitions for syslogd data
The following examples are macro definitions for UNIX System Services system log (syslogd) data:
- By default, the macro is defined to show results in the dashboards and predefined searches for a Data Receiver subscriber (with migration for the pre-5.1.0 log data) or a HEC subscriber.
((index=zos-syslogd OR index=zosdex OR index=zosdex_kv) AND (sourcetype=zOS-syslogd OR sourcetype=zOS-syslogd_KV))
- Edit the macro to show results for only a Data Receiver subscriber, with migration for pre-5.1.0 log data.
((index=zos-syslogd OR index=zosdex) AND (sourcetype=zOS-syslogd))
- Edit the macro to show results for only a Data Receiver subscriber, without migration for pre-5.1.0 log data.
(index=zos-syslogd AND sourcetype=zOS-syslogd)
- Edit the macro to show results for only a HEC subscriber.
(index=zosdex_kv AND sourcetype=zOS-syslogd_KV)
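When the migration index is removed from many macros at once, a plain text replacement of index=zosdex also hits index=zosdex_kv and breaks the HEC definition. The following added example (not IBM's code; the function name drop_index is hypothetical) removes only the exact term and reproduces the edited definitions shown above:

```python
import re

# Macro definitions copied from the syslogd examples above.
DEFAULT = ("((index=zos-syslogd OR index=zosdex OR index=zosdex_kv) AND "
           "(sourcetype=zOS-syslogd OR sourcetype=zOS-syslogd_KV))")
RECEIVER_WITH_MIGRATION = ("((index=zos-syslogd OR index=zosdex) AND "
                           "(sourcetype=zOS-syslogd))")
HEC_ONLY = "(index=zosdex_kv AND sourcetype=zOS-syslogd_KV)"


def drop_index(definition, index="zosdex"):
    """Remove the exact term index=<index> from an OR group.

    The lookahead stops 'index=zosdex' from matching inside
    'index=zosdex_kv' (or any longer index name).
    """
    term = r"\bindex=" + re.escape(index) + r"(?![\w-])"
    # Drop the term together with the OR that joins it to its neighbour.
    out = re.sub(term + r"\s+OR\s+", "", definition)
    out = re.sub(r"\s+OR\s+" + term, "", out)
    if re.search(term, out):
        # The term is not part of an OR group; deleting it would leave a
        # dangling AND or remove the index restriction entirely.
        raise ValueError("index=%s is the only index term; edit by hand" % index)
    # Collapse parentheses left around a single key=value term.
    return re.sub(r"\(\s*([\w-]+=[\w-]+)\s*\)", r"\1", out)


if __name__ == "__main__":
    for name, definition in (("default", DEFAULT),
                             ("receiver", RECEIVER_WITH_MIGRATION),
                             ("hec", HEC_ONLY)):
        print(name, "->", drop_index(definition))
```
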
Available macros for each log data source type
Table 1 lists the available macros for each log data source type that is used in the IBM Z Operational Log and Data Analytics dashboards and predefined searches.
For each macro, the following information is also shown:
- The expected values for the index and the log data source type for both a Z Common Data Provider Data Receiver subscriber and a Splunk HEC subscriber
- For data to be streamed to the Splunk subscriber, the name of the associated IBM Z Operational Log and Data Analytics data stream that must be defined for the respective log data source type in the Z Common Data Provider Configuration Tool policy
Macro | Index | Log data source type | Data stream in the policy |
---|---|---|---|
zOS-CICS-EYULOG | | | CICS EYULOG |
zOS-CICS-EYULOGDMY | | | CICS EYULOG DMY |
zOS-CICS-EYULOGYMD | | | CICS EYULOG YMD |
zOS-CICS-MSGUSR | | | CICS User Messages |
zOS-CICS-MSGUSRDMY | | | CICS User Messages DMY |
zOS-CICS-MSGUSRYMD | | | CICS User Messages YMD |
zOS-NetView | | | NetView Netlog |
zOS-SYSLOG | | | z/OS SYSLOG |
zOS-syslogd | | | USS Syslogd |
zOS-WAS-SYSOUT | | | WebSphere SYSOUT |
zOS-WAS-SYSPRINT | | | WebSphere SYSPRINT |
zOS-zSecure | | | zSecure Access Monitor |