Splunk macros in IBM Z Operational Log and Data Analytics application on the Splunk platform

The Splunk macros that are provided with the IBM Z® Operational Log and Data Analytics application define both the indexes and data source types that are used by the predefined dashboards and searches. The macros include default values, but you can update these values to match local naming schemas.

For information about editing a Splunk macro that is provided by Z Operational Log and Data Analytics, see Editing a Splunk macro that is provided by Z Operational Log and Data Analytics.

As described in Index schema in IBM Z Operational Log and Data Analytics application on the Splunk platform, the default values for indexes differ depending on how the data is streamed to Splunk. The same is true for the default values for source types. The source type of all data that is streamed to a Splunk HEC subscriber is the value of the source type with the suffix _KV appended. For example, the following table shows the value of the sourcetype field for each type of Splunk subscriber.
Data stream subscriber                  | Value of sourcetype field in the subscriber definition
----------------------------------------|-------------------------------------------------------
Z Common Data Provider Data Receiver    | zOS-SYSLOG-Console
Splunk HEC                              | zOS-SYSLOG-Console_KV
Important: When you define a data stream in a policy in the Z Common Data Provider Configuration Tool, you can customize the Splunk HEC data source type. However, the customized field is applicable only for a subscriber that is defined with one of the following values for the subscriber protocol:
  • Splunk HEC with customized field support
  • Splunk HEC with customized field support secure
A subscriber that is defined with one of the following values for the subscriber protocol ignores the customized field, which ensures that HEC data is shown for all IBM-provided dashboards and predefined searches:
  • Splunk HEC
  • Splunk HEC secure

To customize the data source type for HEC, use the guidelines in Subscriber configuration.

By default, the macros search for data that is ingested to Splunk by either the Z Common Data Provider Data Receiver or the Splunk HEC. A search for all data can be useful for a first-time install, or when you are migrating from one data ingestion type to another, but search performance might be degraded because each search must match both source type values. To improve search performance, edit the macro definitions so that they correspond with the protocol (either the Data Receiver or HEC) of your Splunk subscriber.
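The following macros.conf fragment is an added example and is not a macro that is shipped with Z Operational Log and Data Analytics. The macro name zold_syslog_sourcetype is hypothetical; the sourcetype values are the two shown in the table above. The first stanza is the broad, default-style form that matches data from both subscriber types. The second stanza is the edited form of the same stanza for an environment whose subscriber uses Splunk HEC only.

```ini
# Added example: not a macro provided by Z Operational Log and Data Analytics.
# The stanza name zold_syslog_sourcetype is hypothetical.

# Default-style definition: matches data from both the Data Receiver
# (no suffix) and Splunk HEC (suffix _KV). Broadest match, slowest search.
[zold_syslog_sourcetype]
definition = (sourcetype="zOS-SYSLOG-Console" OR sourcetype="zOS-SYSLOG-Console_KV")
iseval = 0

# Edited form of the same stanza for an HEC-only subscriber. Replace the
# definition above with this one; do not keep both stanzas in the file.
# Each search then tests a single sourcetype value instead of an OR of two.
[zold_syslog_sourcetype]
definition = sourcetype="zOS-SYSLOG-Console_KV"
iseval = 0

# Usage in a search (index macro name also hypothetical):
#   `zold_syslog_index` `zold_syslog_sourcetype` | stats count by host
```

Because predefined dashboards and searches expand the macro at search time, changing only the macro definition is enough to narrow every IBM-provided search at once; no dashboard needs to be edited. If the subscriber protocol is changed back to the Data Receiver later, the macro must be edited again, otherwise the dashboards silently show no data.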

For more information about the subscribers for each type of source data, see Subscriber configuration.

For information about the available macros for log data and SMF data, including some example macro definitions, see the following topics: