Splunk macros in IBM Z Operational Log and Data Analytics application on the Splunk platform
The Splunk macros that are provided with the IBM Z® Operational Log and Data Analytics application define both the indexes and data source types that are used by the predefined dashboards and searches. The macros include default values, but you can update these values to match local naming schemas.
For information about editing a Splunk macro that is provided by Z Operational Log and Data Analytics, see Editing a Splunk macro that is provided by Z Operational Log and Data Analytics.
_KV
. For example, the following
table illustrates the value of the sourcetype field for each type of Splunk
subscriber.Data stream subscriber | Value of sourcetype field in the subscriber definition |
---|---|
Z Common Data Provider Data Receiver | zOS-SYSLOG-Console |
Splunk HEC | zOS-SYSLOG-Console_KV |
- Splunk HEC with customized field support
- Splunk HEC with customized field support secure
- Splunk HEC
- Splunk HEC secure
To customize the data source type for HEC, use the guidelines in the Subscriber configuration.
By default, the macros search for data that is ingested to Splunk by either the Z Common Data Provider Data Receiver or the Splunk HEC. A search for all data can be useful for a first time install, or when you are migrating from one data ingestion type to another, but the search performance might be degraded. To improve search performance, edit the macro definitions so that they correspond with the protocol (either the Data Receiver or HEC) of your Splunk subscriber.
For more information about the subscribers for each type of source data, see Subscriber configuration.