Deploying the Z Operational Log and Data Analytics application on a single Splunk Enterprise system
The advantage of deploying the IBM Z® Operational Log and Data Analytics application on a single Splunk Enterprise system is that the deployment is simple and quick.
About this task
The steps in this procedure must be done on the system where the web browser is running rather than on the Splunk Enterprise server.
To deploy the IBM Z Operational Log and Data Analytics application, complete the following steps:
If you are using the Z Common Data Provider Data Receiver as a subscriber, install and configure the Data Receiver.
Important: The Data Receiver working directory and output directory must also be available to Splunk. If you want to set these directories as environment variables, verify that the Data Receiver working directory is assigned to the environment variable CDPDR_HOME, and that the Data Receiver output directory is assigned to the environment variable CDPDR_PATH, as described in Setting up a working directory and an output directory for the Data Receiver. If you do not want to change your system environment variables, you can specify CDPDR_HOME and CDPDR_PATH in SPLUNK_HOME/etc/splunk-launch.conf.
- Start the Data Receiver, as described in Running the Data Receiver.
Define a policy with the Data Receiver as the subscriber.
For more information, see Subscribers to a data stream or transform.
Mount the IBM Z Operational Log and Data Analytics ISO installation image, or extract the IBM Z Operational Log and Data Analytics
For more information about how to get the package, see Obtaining and preparing the installation files.
- Log in to Splunk.
From the Splunk Web Home page, click the gear icon that is next to the word
- Select Install app from file.
- Navigate to the ISO image, select the ibm_zlda_insights.spl file, and click Upload.
- If you are prompted to restart Splunk Enterprise server, restart it.
Verify that the application is shown in the list of apps and add-ons.
The application is also in the following directory on the Splunk Enterprise server:
Install the Splunk IT Service Intelligence (ITSI) content pack for IBM Z Operational Log and Data Analytics.
For more information, see Installing the Splunk ITSI content pack for IBM Z Operational Log and Data Analytics.
If you expand an event, you can see the individual fields for which extraction rules are set.
index=zos-syslog-console sysplex=PRODPLEX jobname=CICS35 sourcetype=zOS-SYSLOG-Console
- z/OS SYSLOG
- RMF III
- CICS® EYULOG
- CICS MSGUSR
- WebSphere® SYSOUT
- WebSphere SYSPRINT
- USS Syslogd
- NetView® Netlog
Splunk indexers can generally ingest up to 300 GB of data per day. Larger data volumes require multiple indexers and search heads. For more information, see the Splunk recommendations on scaling and capacity planning.
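The following pre-flight check for the Data Receiver directories named in the Important note above is an added example, not part of the IBM or Splunk documentation. It assumes that a CDPDR_HOME or CDPDR_PATH line in SPLUNK_HOME/etc/splunk-launch.conf takes precedence over the environment and that it is run as the account that runs Splunk; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that CDPDR_HOME and CDPDR_PATH resolve to directories
# that the account running Splunk can read.
# Usage: sh this_script.sh <Splunk installation directory>

# Print the value of variable $1, taken from the splunk-launch.conf file $2 if
# it has a KEY=VALUE line for it (assumed precedence), otherwise from the
# current environment. Comment lines are skipped; the last matching line wins.
cdpdr_resolve() {
    name=$1 conf=$2 value=
    if [ -r "$conf" ]; then
        value=$(sed -n "/^[[:space:]]*${name}[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*\$//;p;}" "$conf" | tail -n 1)
    fi
    if [ -z "$value" ]; then
        case $name in
            CDPDR_HOME) value=${CDPDR_HOME:-} ;;
            CDPDR_PATH) value=${CDPDR_PATH:-} ;;
        esac
    fi
    printf '%s\n' "$value"
}

# Return 0 only if both variables resolve to existing directories that the
# current user can read and traverse. $1 is the Splunk installation directory.
cdpdr_check() {
    conf=$1/etc/splunk-launch.conf
    rc=0
    for var in CDPDR_HOME CDPDR_PATH; do
        dir=$(cdpdr_resolve "$var" "$conf")
        if [ -z "$dir" ]; then
            echo "FAIL $var is not set in $conf or in the environment"; rc=1
        elif [ ! -d "$dir" ]; then
            echo "FAIL $var=$dir is not a directory"; rc=1
        elif [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
            echo "FAIL $var=$dir is not readable by $(id -un)"; rc=1
        else
            echo "OK   $var=$dir"
        fi
    done
    return $rc
}

# Run the check only when a Splunk installation directory is given.
if [ -n "${1:-}" ]; then cdpdr_check "$1"; fi
```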
What to do next
If you are using the Splunk HTTP Event Collector (HEC) as the subscriber (as indicated in Subscriber configuration), also complete the steps in Sending data directly to Splunk by using Splunk HEC as the subscriber.