IBM Operations Analytics for z Systems
New documentation for insights on ElasticStack and Splunk platformsVersion 3 Release 1
IBM
IBM Operations Analytics for z Systems
New documentation for insights on ElasticStack and Splunk platformsVersion 3 Release 1
IBM
ii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Figures
© Copyright IBM Corp. 2014, 2018 iii
iv Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Tables
1. Annotated fields from Elasticsearch . . . . xii2. Annotated fields from IBM Common Data
Provider for z Systems . . . . . . . . . xii3. Configuration artifacts that must be defined
in the IBM Common Data Provider for zSystems configuration tool for CICSTransaction Server for z/OS EYULOG andMSGUSR log data . . . . . . . . . . xiii
4. Annotated fields for CICS Transaction Serverfor z/OS EYULOG and MSGUSR log data . . xiii
5. Configuration artifacts that must be defined inthe IBM Common Data Provider for z Systemsconfiguration tool for NetView message data . xv
6. Annotated fields for NetView message data xv7. Configuration artifacts that must be defined
in the IBM Common Data Provider for zSystems configuration tool for SMF recordtype 30 data . . . . . . . . . . . . xvii
8. Annotated fields for SMF record type 30 data xvii9. Configuration artifacts that must be defined
in the IBM Common Data Provider for zSystems configuration tool for SMF recordtype 80 data . . . . . . . . . . . xviii
10. Annotated fields for SMF record type 80 data xix11. SMF80_COMMAND record type: event code
qualifiers for events 8 - 25 . . . . . . . xxii12. SMF80_LOGON record type: event code
qualifiers for event 1 . . . . . . . . . xxii13. SMF80_OMVS_RES_1 and SMF80_OMVS_RES_2
record types: event code qualifiers for events28 - 30 . . . . . . . . . . . . . xxiii
14. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2record types: event code qualifiers for event31 . . . . . . . . . . . . . . . xxiv
15. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2record types: event code qualifiers for event33 . . . . . . . . . . . . . . . xxiv
16. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2record types: event code qualifiers for event34 . . . . . . . . . . . . . . . xxiv
17. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2record types: event code qualifiers for event35 . . . . . . . . . . . . . . . xxiv
18. SMF80_OPERATION record type: event codequalifiers for event 2 . . . . . . . . . xxiv
19. SMF80_OPERATION record type: event codequalifiers for event 3 . . . . . . . . . xxv
20. SMF80_OPERATION record type: event codequalifiers for event 4 . . . . . . . . . xxv
21. SMF80_OPERATION record type: event codequalifiers for event 5 . . . . . . . . . xxvi
22. SMF80_OPERATION record type: event codequalifiers for event 6 . . . . . . . . . xxvi
23. SMF80_OPERATION record type: event codequalifiers for event 7 . . . . . . . . . xxvi
24. SMF80_RESOURCE record type: event codequalifiers for event 2 . . . . . . . . xxvii
25. Configuration artifacts that must be definedin the IBM Common Data Provider for zSystems configuration tool for SMF recordtype 110 monitoring exceptions data . . . xxviii
26. Annotated fields for SMF record type 110monitoring exceptions data. . . . . . . xxix
27. Configuration artifacts that must be definedin the IBM Common Data Provider for zSystems configuration tool for SMF recordtype 110 global transaction manager statisticsdata . . . . . . . . . . . . . . xxxi
28. Annotated fields for SMF record type 110global transaction manager statistics data . . xxxi
29. Configuration artifacts that must be definedin the IBM Common Data Provider for zSystems configuration tool for SMF recordtype 120 data . . . . . . . . . . . xxxiv
30. Annotated fields for SMF record type 120data . . . . . . . . . . . . . . xxxiv
31. Configuration artifacts that must bedefined in the IBM Common DataProvider for z Systems configuration toolfor z/OS SYSLOG data . . . . . . . xxxviii
32. Annotated fields for z/OS SYSLOG data xxxviii33. Configuration artifacts that must be defined in
the IBM Common Data Provider for z Systemsconfiguration tool for syslogd data . . . . . xl
34. Annotated fields for syslogd data . . . . . xli35. Configuration artifacts that must be defined in
the IBM Common Data Provider for z Systemsconfiguration tool for WebSphere ApplicationServer for z/OS HPEL data . . . . . . . xli
36. Annotated fields for WebSphere ApplicationServer for z/OS HPEL data . . . . . . . xlii
37. Configuration artifacts that must be definedin the IBM Common Data Provider for zSystems configuration tool for WebSphereApplication Server for z/OS SYSOUT data . xliii
38. Annotated fields for WebSphere ApplicationServer for z/OS SYSOUT data . . . . . . xliv
39. Configuration artifacts that must be definedin the IBM Common Data Provider for zSystems configuration tool for WebSphereApplication Server for z/OS SYSPRINT data . xlv
40. Annotated fields for WebSphere ApplicationServer for z/OS SYSPRINT data . . . . . xlv
41. Annotated fields for anomaly interval data xlvi42. Configuration artifacts that must be defined
in the IBM Common Data Provider for zSystems configuration tool for zSecure data . xlviii
43. Annotated fields for data . . . . . . . xlviii
© Copyright IBM Corp. 2014, 2018 v
vi Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Contents
Figures . . . . . . . . . . . . . . . iii
Tables . . . . . . . . . . . . . . . v
New documentation for insights onSplunk and Elastic Stack platforms . . ixLogstash filter plugins for splitting and annotatingoperational data on the Elastic Stack platform . . . ixOperational insights . . . . . . . . . . . . x
System insights . . . . . . . . . . . . xDatabase insights . . . . . . . . . . . . xMessaging insights . . . . . . . . . . . xNetwork insights . . . . . . . . . . . . xSecurity insights . . . . . . . . . . . . xiTransaction insights . . . . . . . . . . . xiWeb server insights . . . . . . . . . . . xi
Annotated fields for each type of source data . . . xiCICS EYULOG and MSGUSR log data . . . . xiiiNetView message data . . . . . . . . . xvSMF 30 data . . . . . . . . . . . . . xviSMF 80 data . . . . . . . . . . . . xviiSMF 110 data . . . . . . . . . . . . xxviiSMF 120 data. . . . . . . . . . . . xxxiii
SYSLOG data . . . . . . . . . . . xxxviiisyslogd data . . . . . . . . . . . . . xlWebSphere HPEL data . . . . . . . . . xliWebSphere SYSOUT data . . . . . . . . xliiiWebSphere SYSPRINT data . . . . . . . xlivzAware interval anomaly data . . . . . . xlvizSecure data . . . . . . . . . . . . xlvii
Dashboards . . . . . . . . . . . . . . xlixSample searches . . . . . . . . . . . . xlix
CICS Transaction Server for z/OS searches . . xlixDB2 for z/OS searches . . . . . . . . . . lIMS for z/OS searches . . . . . . . . . . liMQ for z/OS searches . . . . . . . . . . liiNetView for z/OS searches . . . . . . . . liiiSecurity searches: RACF . . . . . . . . . livSecurity searches: zsecure Access Monitor . . . livWebSphere Application Server for z/OS searches lviz/OS network searches . . . . . . . . . lviz/OS system searches . . . . . . . . . lvii
Notices . . . . . . . . . . . . . . . 1Trademarks . . . . . . . . . . . . . . . 3Terms and conditions for product documentation . . 3
© Copyright IBM Corp. 2014, 2018 vii
viii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
New documentation for insights on Splunk and Elastic Stackplatforms
In IBM® Operations Analytics for z Systems V3.1.0 Fix Pack 7????, dashboards andsearches are provided for insights on the Splunk and the Elastic Stack platforms.The Elastic Stack (formerly known as the ELK Stack) is a collection of the popularopen source software tools Elasticsearch, Logstash, and Kibana.
Logstash filter plugins for splitting and annotating operational data onthe Elastic Stack platform
For the Elastic Stack platform, IBM Operations Analytics for z Systems providesLogstash filter plugins for splitting and annotating the operational data recordsfrom IBM Common Data Provider for z Systems.
zsplit filter pluginThis plugin processes batched z/OS records from IBM Common DataProvider for z Systems.
Each batch of z/OS data includes metadata that applies to each record inthe batch. The zsplit filter plugin splits each record and its associatedmetadata into a separate Logstash event for further processing in theLogstash event processing pipeline.
zannotate filter pluginThis plugin runs after a zsplit filter stage to provide annotations forindividual z/OS records from IBM Common Data Provider for z Systems.The plugin processes records based on the type of the source data, and itsupplies more fields and insights within the Logstash event.
The plugin processes only the types of data for which IBM OperationsAnalytics for z Systems provides insights. These types of data are outlinedin “Operational insights” on page x.
Sequence of operational data records in the Logstash pipeline
Within the metadata that applies to each record, IBM Operations Analytics for zSystems adds sequence data to assist in tracking and maintaining the order of dataas it flows through the Logstash event processing pipeline. It adds this sequencedata to the following field in the IBM Common Data Provider for z Systemsmetadata:
InputsequenceA string that includes the following information:v A time stamp that indicates when a packet is received by a data
streamerv Information for sequencing data as the data is processed
The format is YYYYMMddHHmmssSSS:pppppp-nnnnn:rrrrrr-tttttt, where thefollowing variables represent the following values:
YYYYMMddHHmmssSSSThe time stamp.
© Copyright IBM Corp. 2014, 2018 ix
ppppppThe packet count for the data streamer.
nnnnn The packet count for a split packet stream.
rrrrrr The individual record number for the packet.
tttttt The total number of records in the packet.
The data type for this field is text.
Operational insightsIBM Operations Analytics for z Systems can provide IT operational insights formultiple domains of interest, including z/OS® system, databases, messaging,networks, security, transactions, or web servers. IBM Operations Analytics for zSystems provides function for analyzing each unique type of z/OS operations dataand producing associated operational insights.
System insightsIBM Operations Analytics for z Systems provides system insights that are based ondata from the z/OS system.
Sources from which system data is retrieved
Insights are based on z/OS system data from the following sources:v z/OS SYSLOGv System Management Facilities (SMF) record type 30
Database insightsIBM Operations Analytics for z Systems provides database insights that are basedon data from the DB2® for z/OS or IMS for z/OS subsystems.
Sources from which database data is retrieved
Insights are based on DB2 for z/OS or IMS for z/OS data from the z/OS SYSLOG.
Messaging insightsIBM Operations Analytics for z Systems provides messaging insights that are basedon data from the MQ for z/OS subsystem.
Sources from which messaging data is retrieved
Insights are based on MQ for z/OS data from the z/OS SYSLOG.
Network insightsIBM Operations Analytics for z Systems provides network insights that are basedon data from, for example, UNIX System Services, z/OS Communications Server,or the NetView® for z/OS program.
Sources from which network data is retrieved
Insights are based on network data from the following sources:v z/OS SYSLOGv UNIX System Services system log (syslogd)
x Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
v NetView for z/OS program
Security insightsIBM Operations Analytics for z Systems provides security insights that are basedon data from, for example, the Resource Access Control Facility (RACF) or the .
Sources from which security data is retrieved
Insights are based on security data from the following sources:v z/OS SYSLOGv UNIX System Services system log (syslogd)v “zSecure data” on page xlviiv System Management Facilities (SMF) record type 80
Transaction insightsIBM Operations Analytics for z Systems provides transaction insights that arebased on data from the CICS® Transaction Server for z/OS subsystem.
Sources from which transaction data is retrieved
Insights are based on CICS Transaction Server for z/OS data from the followingsources:v z/OS SYSLOGv CICS Transaction Server for z/OS EYULOG and MSGUSR logsv System Management Facilities (SMF) record type 110
Web server insightsIBM Operations Analytics for z Systems provides web server insights that arebased on data from the WebSphere® Application Server for z/OS subsystem.
Sources from which web server data is retrieved
Insights are based on WebSphere Application Server for z/OS data from thefollowing sources:v WebSphere Application Server for z/OS High Performance Extensible Logging
(HPEL)v WebSphere Application Server for z/OS SYSOUT logv WebSphere Application Server for z/OS SYSPRINT logv System Management Facilities (SMF) record type 120
Annotated fields for each type of source dataFor each type of source data, the fields that are annotated by IBM OperationsAnalytics for z Systems are listed and described. These annotations contribute tothe operational insights for the respective domain (such as the z/OS system,databases, messaging, networks, security, transactions, or web servers).
This reference also describes how to enable the generation of the respective data atits source and how to define the data stream in the IBM Common Data Providerfor z Systems configuration tool for IBM Operations Analytics for z Systems.
New documentation for insights on Splunk and Elastic Stack platforms xi
Annotated fields that are common to all types of source data
Table 1 lists the fields from Elasticsearch that are annotated in all types of sourcedata.
Table 2 lists the metadata fields from IBM Common Data Provider for z Systemsthat are annotated in all types of source data.
Table 1. Annotated fields from Elasticsearch
Field Description Data type
_id The Elasticsearch record ID Text
_index The name of the Elasticsearch index that is usedto store source data
Text
_score Set by Elasticsearch but not used by IBMOperations Analytics for z Systems
Notapplicable
_source An array of key-value pairs that are related todata collection
Text
_type Used internally to indicate that the record wasannotated by IBM Operations Analytics for zSystems
Notapplicable
Table 2. Annotated fields from IBM Common Data Provider for z Systems
Field Description Data type
host The network host name Text
message The contents of the original message from IBMCommon Data Provider for z Systems before it isannotated by IBM Operations Analytics for zSystems
Text
path Used internally by IBM Common Data Providerfor z Systems
Notapplicable
port The port number Integer
seq Used internally by IBM Common Data Providerfor z Systems
Notapplicable
sourceType The source type Text
SysplexName The name of the sysplex where the eventoccurred
Text
SystemName The name of the system where the eventoccurred
Text
timestamp The time that IBM Common Data Provider for zSystems recorded the event
Date
timeZone The number of time zones between CoordinatedUniversal Time (UTC) and the system time ofthe system on which the event occurred. Therelative number of time zones east of the UTCtime zone is designated as a positive integer, andthe relative number of time zones west of theUTC time zone is designated as a negativeinteger.
Integer
type Used internally by IBM Operations Analytics forz Systems
Notapplicable
xii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
CICS EYULOG and MSGUSR log dataCICS Transaction Server for z/OS EYULOG and MSGUSR log data includesinformation about the CICSPlex System Manager (SM).v “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool”v “Fields that are annotated by IBM Operations Analytics for z Systems”
Data stream definition in the IBM Common Data Provider for zSystems configuration tool
Table 3. Configuration artifacts that must be defined in the IBM Common Data Provider for zSystems configuration tool for CICS Transaction Server for z/OS EYULOG and MSGUSRlog data
Configuration artifact Required value
Data Stream For MSGUSR data, one or more of thefollowing values:
v CICS User Messages, with the default dateformat MDY
v CICS User Messages YMD, with the dateformat YMD
v CICS User Messages DMY, with the dateformat DMY
For EYULOG data, one or more of thefollowing values:
v CICS EYULOG, with the default date formatMDY
v CICS EYULOG YMD, with the date format YMD
v CICS EYULOG DMY, with the date format DMY
To select this data stream in theconfiguration tool UI: In the “Select datastream” window, click Log Data >Application Logs, and select the check boxfor the respective data stream.
Transcribe Transform UTF-8
Split Transform ????
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
Fields that are annotated by IBM Operations Analytics for zSystems
Table 4. Annotated fields for CICS Transaction Server for z/OS EYULOG and MSGUSR logdata
Field Description Data type
ApplID The application identifier Text
Component The component identifier, which shows thedomain or component that issues the message
Text
New documentation for insights on Splunk and Elastic Stack platforms xiii
Table 4. Annotated fields for CICS Transaction Server for z/OS EYULOG and MSGUSR logdata (continued)
Field Description Data type
MessageID The message identifier
Also, see “Message IDs.”
Text
MessagePrefix The first 3 characters of the message identifier. Ifno value is detected for MessageID, MessagePrefixhas no value.
Text
MessageText The message text Text
MessageType The one-character message type that is specifiedin the MessageID value. Valid values are A, I, E,W, D or S.
If no value is detected for MessageID, or if theMessageID value does not contain a messagetype, MessageType has no value.
Text
SubsystemID The identifier of the software product orsubsystem that generated the message.
Text
Message IDs
A string is detected as a message ID if it matches one of the following formats:DFHnnDFHnntDFHnnnDFHnnntDFHnnnnDFHnnnntDFHaannDFHaanntDFHaannnDFHaannntDFHaannnnDFHaannnntEYUnnEYUnntEYUnnnEYUnnntEYUnnnnEYUnnnntEYUaannEYUaanntEYUaannnEYUaannntEYUaannnnEYUaannnnt
where:v a represents an uppercase alphabetic character (A - Z).v n represents a numeric character (0 - 9).v t represents a type character (A, I, E, W, D, S, or U).
Sometimes, a string that is not a message ID, but matches one of the precedingformats, might show in the MessageID field.
xiv Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
NetView message dataNetView message data includes network data from the IBM Tivoli NetView forz/OS program.v “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool”v “Fields that are annotated by IBM Operations Analytics for z Systems”
Data stream definition in the IBM Common Data Provider for zSystems configuration tool
Table 5. Configuration artifacts that must be defined in the IBM Common Data Provider for zSystems configuration tool for NetView message data
Configuration artifact Required value
Data Stream NetView NetlogTo select this data stream in theconfiguration tool UI: In the “Select datastream” window, click Log Data >Application Logs, and select the NetViewNetlog check box.
Transcribe Transform UTF-8
Split Transform ????
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
Fields that are annotated by IBM Operations Analytics for zSystems
Table 6. Annotated fields for NetView message data
Field Description Data type
Domain The NetView domain Text
HDRMTYPE The NetView message type Text
MessageID The message identifier
Also, see “Message IDs” on page xvi.
Text
MessagePrefix The first 3 characters of the message identifier. Ifno value is detected for MessageID, MessagePrefixhas no value.
Text
MessageText The message text. If a value is detected forMessageID, MessageText contains the MessageIDalso.
Text
MessageType The 1-character message type that is specified inthe MessageID value. Valid values are A, D, E, I,S, U, or W.
If no value is detected for MessageID, or if theMessageID value does not contain a messagetype, MessageType has no value.
Text
OperatorID The NetView operator ID Text
SubsystemID The identifier of the software product orsubsystem that generated the message.
Text
New documentation for insights on Splunk and Elastic Stack platforms xv
Message IDs
A string is detected as a message ID if it matches one of the following formats:aaannnaaannntaaaannnaaaannntaaaaannnaaaaannntaaannnnaaannnntaaaannnnaaaannnntaaaaannnnaaaaannnntaaannnnnaaannnnntaaaannnnnaaaannnnntaaaaannnnnaaaaannnnnt
where:v a represents an uppercase alphabetic character (A - Z).
The string can have 3 to 5 uppercase alphabetic characters but only the first 3characters are considered the message prefix.
v n represents a numeric character (0 - 9).v t represents a type character (A, D, E, I, S, U, or W).
Sometimes, a string that is not a message ID, but matches one of the precedingformats, might show in the MessageID field.
SMF 30 dataSystem Management Facilities (SMF) record type 30 data is job performance data(based on accounting data) for z/OS software.v “SMF 30 data generation”v “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool” on page xviiv “Fields that are annotated by IBM Operations Analytics for z Systems” on page
xvii
SMF 30 data generation
To enable the generation of SMF record type 30 data, you must include the SMF 30record type in the single SMF log stream that the IBM Common Data Provider forz Systems System Data Engine processes.
xvi Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Data stream definition in the IBM Common Data Provider for zSystems configuration tool
For prerequisite requirements for defining SMF data streams, see .
Table 7. Configuration artifacts that must be defined in the IBM Common Data Provider for zSystems configuration tool for SMF record type 30 data
Configuration artifact Required value
Data Stream SMF30To select this data stream in theconfiguration tool UI: In the “Select datastream” window, click SMF Data > IOAz >z/OS, and select the SMF30 check box.
Transcribe Transform UTF-8
Split Transform CRLF Split
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
Fields that are annotated by IBM Operations Analytics for zSystems
Table 8. Annotated fields for SMF record type 30 data
Field Description Data type
CPU The CPU usage for the monitored task Double
IORate The I/O rate for the monitored task Double
JobName The 8-character name of the job on the z/OSsystem
Text
PagingRate The paging rate for the monitored task Double
ProgName The name of the program that is running underthe monitored task
Text
RecordType The type of SMF record Text
SystemID The system identifier Text
Task The job name for the task that issued themessage
Text
WorkingSet The working set size for the monitored task Double
SMF 80 dataSystem Management Facilities (SMF) record type 80 data is produced duringResource Access Control Facility (RACF) processing.v “SMF 80 data generation” on page xviiiv “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool” on page xviiiv “Fields that are annotated by IBM Operations Analytics for z Systems” on page
xix
New documentation for insights on Splunk and Elastic Stack platforms xvii
SMF 80 data generation
To enable the generation of SMF record type 80 data, you must include the SMF 80record type in the single SMF log stream that the IBM Common Data Provider forz Systems System Data Engine processes. RACF must also be installed, active, andconfigured to protect resources.
For information about the subset of SMF record type 80 data that the System DataEngine collects, see “SMF type 80-related records that the System Data Enginecreates” on page xxi.
SMF also records information that is gathered by RACF auditing. By using variousRACF options, you can regulate the granularity of SMF record type 80 data that iscollected. In the IBM Knowledge Center, see the following information from thez/OS documentation:v Information about the following options of the SETROPTS LOGOPTIONS
command, through which you can control auditing:– DIRSRCH
– DIRACC
– FSOBJ
– FSSEC
v Examples for setting audit controls by using SETROPTS
Before you enable RACF log options, consider the impact in your environment. Forexample, enabling RACF log options can result in the following consequences:v An increase in the amount of disk space that is used for loggingv An increase in the network activity that is required to transmit SMF data
Data stream definition in the IBM Common Data Provider for zSystems configuration tool
For prerequisite requirements for defining SMF data streams, see .
Table 9. Configuration artifacts that must be defined in the IBM Common Data Provider for zSystems configuration tool for SMF record type 80 data
Configuration artifact Required value
Data Stream One of the following values:
v SMF80_COMMAND
v SMF80_LOGON
v SMF80_OMVS_RES_1
v SMF80_OMVS_RES_2
v SMF80_OMVS_SEC_1
v SMF80_OMVS_SEC_2
v SMF80_OPERATION
v SMF80_RESOURCE
To select this data stream in theconfiguration tool UI: In the “Select datastream” window, click SMF Data > IOAz >Security, and select the check box for therespective data stream.
Transcribe Transform UTF-8
xviii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Table 9. Configuration artifacts that must be defined in the IBM Common Data Provider for zSystems configuration tool for SMF record type 80 data (continued)
Configuration artifact Required value
Split Transform CRLF Split
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
Fields that are annotated by IBM Operations Analytics for zSystems
In the following table, the column that is titled “Corresponding SMF field”indicates the name of the SMF field that corresponds to the field name in theannotation.
Table 10. Annotated fields for SMF record type 80 data
Field DescriptionCorrespondingSMF field Data type
AccessAllow Access authority allowed SMF80DTA Text
AccessReq Access authority requested SMF80DTA Text
AccessType Setting that is used in granting access. Thefollowing values are possible:
v None
v Owner
v Group
v Other
SMF80DA2 Text
Application Application name that is specified on theRACROUTE request
SMF80DTA Text
AuditDesc Descriptive name of the operation that isaudited
SMF80DA2 Text
AuditName Name of the operation that is audited SMF80DA2 Text
Auditor AUDITOR attribute (Y/N) SMF80ATH Text
AuditorExec Auditor execute/search audit options SMF80DA2 Text
AuditorRead Auditor read access audit options SMF80DA2 Text
AuditorUserExec User execute/search audit options SMF80DA2 Text
AuditorUserRead User read access audit options SMF80DA2 Text
AuditorUserWrite User write access audit options SMF80DA2 Text
AuditorWrite Auditor write access audit options SMF80DA2 Text
AuthorityFlags Flags that indicate the authority checks thatare made for the user who requested theaction
SMF80ATH Text
CHOWNGroupID z/OS UNIX group identifier (GID) inputparameter
SMF80DA2 Text
CHOWNUserID z/OS UNIX user identifier (UID) inputparameter
SMF80DA2 Text
Class The class entries that are supplied by IBMin the class descriptor table (ICHRRCDX)
SMF80DTA Text
Command A string that is derived by using theSMF80EVT and SMF80EVQ values
SMF80EVT,SMF80EVQ
Text
EffectiveGroup User's effective GID setting SMF80DA2 Text
EffectiveUser User's effective UID setting SMF80DA2 Text
New documentation for insights on Splunk and Elastic Stack platforms xix
Table 10. Annotated fields for SMF record type 80 data (continued)
Field DescriptionCorrespondingSMF field Data type
Event Short description of the event code andqualifier
SMF80EVT,SMF80EVQ
Text
EventCode Event code SMF80EVT Text
EventDate Date that the event occurred SMF80DTE Text
EventDesc Verbose description of the event code andqualifier
SMF80EVT Text
EventQual Event code qualifier SMF80EVQ Text
Failed Event code qualifier is nonzero, whichindicates a failed request (Y/N)
SMF80EVQ Text
Filename File name of the file that is being checked SMF80DA2 Text
FileOwnerGroup File owner's GID SMF80DA2 Text
FileOwnerUser File owner's UID SMF80DA2 Text
Generic Generic profile used (Y/N) SMF80DTP Text
GroupExec Group permissions bit: execute SMF80DA2 Text
GroupRead Group permissions bit: read SMF80DA2 Text
GroupWrite Group permissions bit: write SMF80DA2 Text
ISGID Requested file mode: S_ISGID bit SMF80DA2 Text
ISUID Requested file mode: S_ISUID bit SMF80DA2 Text
ISVTX Requested file mode: S_ISVTX bit SMF80DA2 Text
OtherExec Other permissions bit: execute SMF80DA2 Text
OtherRead Other permissions bit: read SMF80DA2 Text
OtherWrite Other permissions bit: write SMF80DA2 Text
OwnerExec Owner permissions bit: execute SMF80DA2 Text
OwnerRead Owner permissions bit: read SMF80DA2 Text
OwnerWrite Owner permissions bit: write SMF80DA2 Text
Pathname Full path name of the file that is beingchecked
SMF80DA2 Text
ProfileName Name of the Resource Access ControlFacility (RACF) profile that is used toaccess the resource
SMF80DTA Text
RealGroup User's real GID setting SMF80DA2 Text
RealUser User's real UID setting SMF80DA2 Text
RecordType Internal record type. The following valuesare possible:
v SMF80_COMMAND
v SMF80_LOGON
v SMF80_OMVS_RES_1
v SMF80_OMVS_RES_2
v SMF80_OMVS_SEC_1
v SMF80_OMVS_SEC_2
v SMF80_OPERATION
v SMF80_RESOURCE
For information about these values, see theIBM Common Data Provider for z Systemsdocumentation in the IBM KnowledgeCenter.
Set by the dataprovider
Text
ResourceName Resource name SMF80DTA Text
SavedGroup User's saved GID setting SMF80DA2 Text
xx Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Table 10. Annotated fields for SMF record type 80 data (continued)
Field DescriptionCorrespondingSMF field Data type
SavedUser User's saved UID setting SMF80DA2 Text
Special SPECIAL attribute (Y/N) SMF80ATH Text
SuperUser z/OS UNIX superuser (Y/N) SMF80AU2 Text
SystemID The system identifier from the SIDparameter in the SMFPRMnn member
SMF80SID Text
TermID Terminal ID of the foreground user (zero ifnot available)
SMF80TRM Text
UserID Identifier of the user that is associated withthis event. The value of JobName is used ifthe user is not defined to RACF.
SMF80USR Text
SMF type 80-related records that the System Data Engine createsThe IBM Common Data Provider for z Systems System Data Engine collects asubset of the SMF data that is generated by the Resource Access Control Facility(RACF). This reference describes the types of records that the System Data Enginecreates as it extracts relevant data from SMF type 80 records.
The System Data Engine creates the following record types:v SMF80_COMMAND
v SMF80_LOGON
v SMF80_OMVS_RES_1
v SMF80_OMVS_RES_2
v SMF80_OMVS_SEC_1
v SMF80_OMVS_SEC_2
v SMF80_OPERATION
v SMF80_RESOURCE
From each SMF type 80 record that it collects, the System Data Engine uses thefollowing information to determine what data to extract:v SMF event in the SMF80EVT fieldv RACF event code qualifier in the SMF80EVQ field
The System Data Engine excludes SMF events that occur for hierarchical storagemanagement (HSM), for example, events where the value of the user ID SMF80USRis HSM.
For more information about SMF record type 80 records, see the following topicsfrom the z/OS documentation in the IBM Knowledge Center:v SMF record type 80: RACF processing recordv Format of SMF record type 80 recordsv SMF record type 80 event codes and event code qualifiers
SMF80_COMMAND record typeSMF record type 80 records for events 8 - 25 are created when RACF commandsfail because the user who ran them does not have sufficient authority. Relevantfields from these SMF event records are stored in the SMF80_COMMAND records thatare created by the System Data Engine.
New documentation for insights on Splunk and Elastic Stack platforms xxi
Table 11 describes the event code qualifiers for events 8 - 25, which provide moreinformation about why the command failed.
Table 11. SMF80_COMMAND record type: event code qualifiers for events 8 - 25
Event code qualifier Description
1 Insufficient authority
2 Keyword violations detected
3 Successful listing of data sets
4 System error in listing of data sets
SMF80_LOGON record typeSMF record type 80 records for event 1 are created when RACF authentication failsbecause of incorrect user credentials, which prevents the user from accessing thesystem. Relevant fields from this SMF event record are stored in the SMF80_LOGONrecords that are created by the System Data Engine.
Table 12 describes the event code qualifiers for event 1, which provide moreinformation about why the logon failed.
Table 12. SMF80_LOGON record type: event code qualifiers for event 1
Event code qualifier Description
1 Invalid password
2 Invalid group
3 Invalid object identifier (OID) card
4 Invalid terminal/console
5 Invalid application
6 Revoked user ID attempting access
7 User ID automatically revoked
9 Undefined user ID
10 Insufficient security label authority
11 Not authorized to security label
14 System now requires more authority
15 Remote job entry—job not authorized
16 Surrogate class is inactive
17 Submitter is not authorized by user
18 Submitter is not authorized to security label
19 User is not authorized to job
20 Warning—insufficient security labelauthority
21 Warning—security label missing from job,user, or profile
22 Warning—not authorized to security label
23 Security labels not compatible
24 Warning—security labels not compatible
25 Current password has expired
26 Invalid new password
xxii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Table 12. SMF80_LOGON record type: event code qualifiers for event 1 (continued)
Event code qualifier Description
27 Verification failed by installation
28 Group access has been revoked
29 Object identifier (OID) card is required
30 Network job entry—job not authorized
31 Warning—unknown user from trusted nodepropagated
32 Successful initiation using PassTicket
33 Attempted replay of PassTicket
34 Client security label not equivalent toservers
35 User automatically revoked due to inactivity
36 Passphrase is not valid
37 New passphrase is not valid
38 Current passphrase has expired
39 No RACF user ID found for distributedidentity
SMF80_OMVS_RES record typesSMF record type 80 records for events 28 - 30 are created when the following z/OSUNIX operations occur: directory search, check access to directory, or check accessto file. Relevant fields from these SMF event records are stored in theSMF80_OMVS_RES_1 and SMF80_OMVS_RES_2 records that are created by the SystemData Engine.
Table 13 describes the event code qualifiers for events 28 - 30, which provide moreinformation about the operation results.
Table 13. SMF80_OMVS_RES_1 and SMF80_OMVS_RES_2 record types: event code qualifiers forevents 28 - 30
Event code qualifier Description
0 Access allowed
1 Not authorized to search directory
2 Security label failure
SMF80_OMVS_SEC record typesSMF record type 80 records for events 31 and 33 - 35 are created when the z/OSUNIX commands CHAUDIT, CHMOD, or CHOWN are entered, or when the SETID bits fora file are cleared. Relevant fields from these SMF event records are stored in theSMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 records that are created by the SystemData Engine.
Table 14 on page xxiv, Table 15 on page xxiv, Table 16 on page xxiv, and Table 17 onpage xxiv describe the event code qualifiers for events 31 and 33 - 35, whichprovide more information about the operation results.
New documentation for insights on Splunk and Elastic Stack platforms xxiii
Table 14. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers forevent 31
Event code qualifier Description
0 File's audit options changed
1 Caller does not have authority to changeuser audit options of specified file
2 Caller does not have authority to changeauditor audit options
3 Security label failure
Table 15. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers forevent 33
Event code qualifier Description
0 File's mode changed
1 Caller does not have authority to changemode of specified file
2 Security label failure
Table 16. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers forevent 34
Event code qualifier Description
0 File's owner or group owner changed
1 Caller does not have authority to changeowner or group owner of specified file
2 Security label failure
Table 17. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers forevent 35
Event code qualifier Description
0 S_ISUID, S_ISGID, and S_ISVTX bits changedto zero (write).
SMF80_OPERATION record typeSMF record type 80 records for events 2 - 7 are created when a z/OS resource thatis protected by RACF is updated, deleted, or accessed by a user that is defined toRACF with the SPECIAL attribute. Relevant fields from these SMF event records arestored in the SMF80_OPERATION records that are created by the System Data Engine.
Table 18, Table 19 on page xxv, Table 20 on page xxv, Table 21 on page xxvi,Table 22 on page xxvi, and Table 23 on page xxvi describe the event code qualifiersfor events 2 - 7, which provide more information about the operation results.
Table 18. SMF80_OPERATION record type: event code qualifiers for event 2
Event code qualifier Description
0 Successful access
1 Insufficient authority
2 Profile not found—RACFIND specified onmacro
xxiv Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Table 18. SMF80_OPERATION record type: event code qualifiers for event 2 (continued)
Event code qualifier Description
3 Access permitted due to warning
4 Failed due to PROTECTALL SETROPTS
5 Warning issued due to PROTECTALLSETROPTS
6 Insufficient category/SECLEVEL
7 Insufficient security label authority
8 Security label missing from job, user, orprofile
9 Warning—insufficient security labelauthority
10 Warning—data set not cataloged
11 Data set not cataloged
12 Profile not found—required for authoritychecking
13 Warning—insufficient category/SECLEVEL
14 Warning—non-main execution environment
15 Conditional access allowed via basic modeprogram
Table 19. SMF80_OPERATION record type: event code qualifiers for event 3
Event code qualifier Description
0 Successful processing of new volume
1 Insufficient authority
2 Insufficient security label authority
3 Less specific profile exists with differentsecurity label
Table 20. SMF80_OPERATION record type: event code qualifiers for event 4
Event code qualifier Description
0 Successful rename
1 Invalid group
2 User not in group
3 Insufficient authority
4 Resource name already defined
5 User not defined to RACF
6 Resource not protected SETROPTS
7 Warning——resource not protectedSETROPTS
8 User in second qualifier is not RACF defined
9 Less specific profile exists with differentsecurity label
10 Insufficient security label authority
11 Resource not protected by security label
New documentation for insights on Splunk and Elastic Stack platforms xxv
Table 20. SMF80_OPERATION record type: event code qualifiers for event 4 (continued)
Event code qualifier Description
12 New name not protected by security label
13 New security label must dominate oldsecurity label
14 Insufficient security label authority
15 Warning—resource not protected by securitylabel
16 Warning—new name not protected bysecurity label
17 Warning—new security label must dominateold security label
Table 21. SMF80_OPERATION record type: event code qualifiers for event 5
Event code qualifier Description
0 Successful scratch
1 Resource not found
2 Invalid volume
Table 22. SMF80_OPERATION record type: event code qualifiers for event 6
Event code qualifier Description
0 Successful deletion
Table 23. SMF80_OPERATION record type: event code qualifiers for event 7
Event code qualifier Description
0 Successful definition
1 Group undefined
2 User not in group
3 Insufficient authority
4 Resource name already defined
5 User not defined to RACF
6 Resource not protected
7 Warning—resource not protected
8 Warning—security label missing from job,user, or profile
9 Insufficient security label authority
10 User in second qualifier in not defined toRACF
11 Insufficient security label authority
12 Less specific profile exists with a differentsecurity label
xxvi Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
SMF80_RESOURCE record typeSMF record type 80 records for event 2 are created when a z/OS resource that isprotected by RACF is updated, deleted, or accessed by a user. Relevant fields fromthese SMF event records are stored in the SMF80_RESOURCE records that are createdby the System Data Engine.
Table 24 describes the event code qualifiers for event 2, which provide moreinformation about the operation results.
Table 24. SMF80_RESOURCE record type: event code qualifiers for event 2
Event code qualifier Description
0 Successful access
1 Insufficient authority
2 Profile not found—RACFIND specified onmacro
3 Access permitted due to warning
4 Failed due to PROTECTALL SETROPTS
5 Warning issued due to PROTECTALLSETROPTS
6 Insufficient category/SECLEVEL
7 Insufficient security label authority
8 Security label missing from job, user, orprofile
9 Warning—insufficient security labelauthority
10 Warning—data set not cataloged
11 Data set not cataloged
12 Profile not found—required for authoritychecking
13 Warning—insufficient category/SECLEVEL
14 Warning—non-main execution environment
15 Conditional access allowed via basic modeprogram
SMF 110 dataSystem Management Facilities (SMF) record type 110 data is generated by CICSTransaction Server for z/OS.v “SMF 110 data generation”v “SMF110_E record type for monitoring exceptions data” on page xxviiiv “SMF110_S_10 for global transaction manager statistics data” on page xxx
SMF 110 data generation
The IBM Common Data Provider for z Systems System Data Engine collects only asubset of the SMF record type 110 data that is generated by CICS TransactionServer for z/OS. It collects the following data from SMF record type 110:v Monitoring exceptions data for CICS Transaction Server for z/OS from SMF type
110 subtype 1 records, with a class where data = 4
New documentation for insights on Splunk and Elastic Stack platforms xxvii
v Global transaction manager statistics data for CICS Transaction Server for z/OSfrom SMF type 110 subtype 2 records, with a class where STID = 10
To enable the generation of SMF record type 110 data, you must include the SMF110 record type in the single SMF log stream that the System Data Engineprocesses. You must also define the following CICS Transaction Server for z/OSinitialization parameters in the SYSIN data set of the CICS startup job stream:STATRCD=ON, Interval statistics recordingSTATINT=001000, Interval definitionMN=ON, Turn monitoring on or offMNEXC=ON, Exceptions monitoringMNRES=ON, Resource monitoring
For more information about enabling the generation of SMF record type 110 data,see Specifying system initialization parameters before startup in the CICSTransaction Server for z/OS Version 5.3 documentation.
The System Data Engine creates the following record types as it extracts therelevant data from SMF type 110 records:v zOS-SMF110_E for monitoring exceptions datav zOS-SMF110_S_10 for global transaction manager statistics data
SMF110_E record type for monitoring exceptions dataSMF110_E records contain information about CICS Transaction Server for z/OSresource shortages that occur during a transaction, such as queuing for file stringsand waiting for temporary storage. This data highlights possible problems in CICSsystem operation. It can help you identify system constraints that affect theperformance of your transactions. CICS writes one exception record for eachexception condition that occurs.v “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool”v “Fields that are annotated by IBM Operations Analytics for z Systems” on page
xxix
Data stream definition in the IBM Common Data Provider for z Systemsconfiguration tool
For prerequisite requirements for defining SMF data streams, see .
Table 25. Configuration artifacts that must be defined in the IBM Common Data Provider forz Systems configuration tool for SMF record type 110 monitoring exceptions data
Configuration artifact Required value
Data Stream SMF110_ETo select this data stream in theconfiguration tool UI: In the “Select datastream” window, click SMF Data > IOAz >CICS, and select the SMF110_E check box.
Transcribe Transform UTF-8
Split Transform CRLF Split
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
xxviii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Fields that are annotated by IBM Operations Analytics for z Systems
In the following table, the column that is titled “Corresponding SMF field”indicates the name of the SMF field that corresponds to the field name in theannotation.
Table 26. Annotated fields for SMF record type 110 monitoring exceptions data
Field DescriptionCorrespondingSMF field Data type
ApplID The product name (GenericAPPLID)
SMFMNPRN Text
ApplIDSpec The product name (SpecificAPPLID)
SMFMNSPN Text
BridgeTransID The bridge transaction ID EXCMNBTR Text
CICSTrans The transaction identification EXCMNTRN Text
ExceptionEnd The exception stop time EXCMNSTO Text
ExceptionID The exception ID EXCMNRIX Text
ExceptionID2 The extended exception ID EXCMNRIX Text
ExceptionLen The exception resource ID length EXCMNRIL Long
ExceptionNumber The exception sequence number forthe task
EXCMNEXN Text
ExceptionStart The exception start time EXCMNSTA Date
ExceptionType The exception type EXCMNTYP Text
JobName The 8-character name of the job onthe z/OS system
SMFMNJBN Text
LU The real logical unit on the z/OSsystem
EXCMNRLU Text
LUName The logical unit on the z/OS system EXCMNLUN Text
NetID The NETID if a network qualifiedname was received from z/OSCommunications Server. For a z/OSCommunications Server resourcewhere the network qualified namewas not yet received, NETID is eightblanks. In all other cases, this field isnull.
EXCMNNID Text
ProgName The name of the currently runningprogram for the user task when theexception condition occurred
EXCMNCPN Text
RecordType The internal record type, which isSMF110_E
Set by the dataprovider
Text
RecordVersion The record version in CICSTransaction Server for z/OS
SMFMNRVN Text
ReportClass The report class name EXCMNRPT Text
ResourceID The exception resource identification EXCMNRID Text
ResourceType The exception resource type EXCMNRTY Text
ServiceClass The service class name EXCMNSRV Text
SubsystemID The subsystem identification SMFMNSSI Text
New documentation for insights on Splunk and Elastic Stack platforms xxix
Table 26. Annotated fields for SMF record type 110 monitoring exceptions data (continued)
Field DescriptionCorrespondingSMF field Data type
SystemID The system identifier from the SIDparameter in the SMFPRMnn member
SMFMNSID Text
TerminalID The terminal identification EXCMNTER Text
TranClassName The transaction class name EXCMNTCN Text
TransFacName The transaction facility name EXCMNFCN Text
TransFlags The transaction flags. For moreinformation about these flags, seethe description of the 8-byteTRANFLAG field at offset 164 in in theCICS Transaction Server for z/OSVersion 5.3 documentation.
EXCMNTRF Text
TransNum The transaction identificationnumber
EXCMNTNO Text
TransPriority The transaction priority EXCMNTPR Text
UORID Resource management services(RRMS) MVS unit of recoveryidentification
EXCMNURI Text
UOWName The network unit-of-work suffix EXCMNNSX Text
UserID The user identification at taskcreation. This identifier can also bethe remote user identifier for a taskthat is created as the result ofreceiving an ATTACH request across amultiregion operation (MRO) orAdvanced Program-to-ProgramCommunication (APPC) link withattach-time security enabled.
EXCMNUSR Text
zCSName The network unit-of-work prefix EXCMNNPX Text
SMF110_S_10 for global transaction manager statistics dataSMF110_S_10 records contain transactions summary information for CICSTransaction Server for z/OS. This data can give you a more holistic view of theCICS region, including a comparison among the current and peak numbers oftransactions that are running in the region, and the maximum number of allowedtransactions.v “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool” on page xxxiv “Fields that are annotated by IBM Operations Analytics for z Systems” on page
xxxi
xxx Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Data stream definition in the IBM Common Data Provider for z Systemsconfiguration tool
For prerequisite requirements for defining SMF data streams, see .
Table 27. Configuration artifacts that must be defined in the IBM Common Data Provider forz Systems configuration tool for SMF record type 110 global transaction manager statisticsdata
Configuration artifact Required value
Data Stream SMF110_S_10To select this data stream in theconfiguration tool UI: In the “Select datastream” window, click SMF Data > IOAz >CICS, and select the SMF110_S_10 checkbox.
Transcribe Transform UTF-8
Split Transform CRLF Split
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
Fields that are annotated by IBM Operations Analytics for z Systems
In the following table, the column that is titled “Corresponding SMF field”indicates the name of the SMF field that corresponds to the field name in theannotation.
Table 28. Annotated fields for SMF record type 110 global transaction manager statisticsdata
Field DescriptionCorrespondingSMF field Data type
ApplID The product name (GenericAPPLID)
SMFSTPRN Text
AtsMxt An indicator of the limit for thenumber of concurrent tasks
XMGATMXT Text
GmtsLast_TxnAttch The time when the last transactionwas attached
XMGGTAT Date
GmtsMxtReached According to Greenwich mean time(GMT), the time when the task limit(the value of MAXTASKS) was met
XMGGAMXT Text
GmtsMxtSet According to Greenwich mean time(GMT), the time when the task limit(the value of MAXTASKS) was set
XMGGSMXT Long
IntervalDuration For a status type (StatsType) of INT,the interval duration, which isrepresented in the time formatHHMMSS
SMFSTINT Text
LclsLast_TxnAttch The date and time when the lasttransaction was attached
XMGLTAT Long
LclsMxtReached The local time when the task limit(the value of MAXTASKS) was met
XMGLAMXT Text
New documentation for insights on Splunk and Elastic Stack platforms xxxi
Table 28. Annotated fields for SMF record type 110 global transaction manager statisticsdata (continued)
Field DescriptionCorrespondingSMF field Data type
LclsMxtSet The local time when the task limit(the value of MAXTASKS) was set
XMGLSMXT Long
MAXTASKS The limit for the number ofconcurrent tasks
XMGMXT Long
RecordIncomplete An indicator that is set to YES ifincomplete data is recorded
SMFSTICD Text
RecordType The internal record type, which isSMF110_S_10
Set by the dataprovider
Text
RecordVersion The record version in the followingformat: x’0vrm’
SMFSTRVN Text
StatsArea The status area Set by the dataprovider
Text
StatsType The status type. For example, one ofthe following types:
v EOD
v INT
v REQ
v RRT
v USS
SMFSTRQT Text
SystemID The system identifier from the SIDparameter in the SMFPRMnn member
SMFMNSID Text
TransCount The number of user and systemtransactions that are attached
XMGNUM Double
TransCurrentActiveUserAt the present time, the number ofactive user transactions in thesystem
XMGCAT Long
TransCurrent_QSec At the present time, the number ofseconds that transactions are queuedbecause the task limit (the value ofMAXTASKS) was met
W_CUR_Q_TIME Double
TransPeakActiveUser The highest number of active usertransactions
XMGPAT Long
TransPeakQueued The highest number of queued usertransactions
XMGPQT Long
TransQueuedUser The number of queued usertransactions in the system
XMGCQT Long
TransTimesAtMAXTASKS The number of times that the tasklimit (the value of MAXTASKS) wasmet
XMGTAMXT Long
TransTotalActive For a specified time interval, thenumber of active user transactionsin the system
XMGTAT Long
TransTotalDelayed For a specified time interval, thenumber of user transactions thatwere delayed because the task limit(the value of MAXTASKS) was met
XMGTDT Long
xxxii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Table 28. Annotated fields for SMF record type 110 global transaction manager statisticsdata (continued)
Field DescriptionCorrespondingSMF field Data type
TransTotal_QSec For a specified time interval, thenumber of seconds that transactionswere queued because the task limit(the value of MAXTASKS) was met
W_TOT_Q_TIME Double
TransTotalTasks At the time of the last reset, thenumber of transactions in thesystem
XMGTNUM Double
SMF 120 dataSystem Management Facilities (SMF) record type 120 data is generated byWebSphere Application Server for z/OS.v “SMF record type 120 data generation”v “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool” on page xxxivv “Fields that are annotated by IBM Operations Analytics for z Systems” on page
xxxiv
SMF record type 120 data generation
The IBM Common Data Provider for z Systems System Data Engine collects only asubset of the SMF record type 120 data that is generated by WebSphereApplication Server for z/OS. It collects performance data from SMF record type120 subtype 9. The default SMF type 120 subtype 9 record contains information forproperly monitoring the performance of your EJB components and webapplications.
Restriction: This performance data does not include data for the WebSphereLiberty server.
To enable the generation of SMF record type 120 data, you must include the SMF120 record type in the single SMF log stream that the IBM Common Data Providerfor z Systems System Data Engine processes. Also, for each application serverinstance that you want to monitor, you must specify properties for SMF datacollection by setting WebSphere Application Server for z/OS environment variablesfrom the WebSphere Application Server Administrative Console. For moreinformation about enabling the generation of SMF record type 120 data, see Usingthe administrative console to enable properties for specific SMF record types in theWebSphere Application Server for z/OS Version 9.0 documentation.
The System Data Engine creates the following record types as it extracts theperformance data from SMF type 120 subtype 9 records:v SMF120_REQAPPL for WebSphere application recordsv SMF120_REQCONT for WebSphere controller records
The SMF type 120 subtype 9 record contains information about the activity of theWebSphere server and the hosted applications. This record is produced whenever aserver receives a request. When you do capacity planning, consider the costs thatare involved in running requests and the number of requests that you processduring a specific time. You can use the SMF type 120 subtype 9 record to monitor
New documentation for insights on Splunk and Elastic Stack platforms xxxiii
which requests are associated with which applications, the number of requests thatoccur, and the amount of resource that each request uses. You can also use thisrecord to identify the applications that are involved and the amount of CPU timethat the requests use.
As part of planning to collect SMF 120 data, consider the disk space requirementsfor storing the data and the increase in network activity that is required to transmitSMF data.
To reduce any system performance degradation due to data collection and toimprove the usability of the data, the System Data Engine aggregates the SMFactivity records in 1-minute collection intervals by default. Ensure that thecollection interval is an integral factor of the SMF global recording interval, asmeasured in minutes, so that data collection is synchronized. For example, a 1-, 3-,or 5-minute collection interval is an integral factor of a typical 15-minute SMFglobal recording interval, but a 4-minute collection interval is not. The SMF globalrecording interval INTERVAL(nn) is defined in the SMFPRMxx member ofSYS1.PARMLIB (or its equivalent).
Data stream definition in the IBM Common Data Provider for zSystems configuration tool
For prerequisite requirements for defining SMF data streams, see .
Table 29. Configuration artifacts that must be defined in the IBM Common Data Provider forz Systems configuration tool for SMF record type 120 data
Configuration artifact Required value
Data Stream One of the following values:
v SMF120_REQAPPL
v SMF120_REQAPPL
To select this data stream in theconfiguration tool UI: In the “Select datastream” window, click SMF Data > IOAz >WAS, and select the check box for therespective data stream.
Transcribe Transform UTF-8
Split Transform CRLF Split
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
Fields that are annotated by IBM Operations Analytics for zSystems
In the following table, the column that is titled “Corresponding SMF field”indicates the name of the SMF field that corresponds to the field name in theannotation.
Table 30. Annotated fields for SMF record type 120 data
Field DescriptionCorrespondingSMF field Data type
Application The application name SM1209EO Text
xxxiv Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Table 30. Annotated fields for SMF record type 120 data (continued)
Field DescriptionCorrespondingSMF field Data type
ControllerJobname The job name for the controller SM1209BT Text
DeleteServiceCPUActiveCount The count of samples when theenclave delete CPU service time wasnon-zero. Time is accumulated by theenclave as reported by theCPUSERVICE parameter of theIWM4EDEL API. A value of 0indicates that the enclave was notdeleted.
SM1209DN count Long
DispatchCPU The amount of CPU time, inmicroseconds, that is used bydispatch TCB.
SM1209CI Double
EnclaveCPU The amount of CPU time that wasused by the enclave as reported bythe CPUTIME parameter of theIWM4EDEL API.
SM1209DH Double
EnclaveServiceDeleteCPU The enclave delete CPU service thatis accumulated by the enclave asreported by the CPUSERVICEparameter of the IWM4EDEL API. Avalue of 0 indicates that the enclavewas not deleted.
SM1209DN Double
RecordType Internal record type. The followingvalues are possible:
v SMF120_REQAPPL, which indicates aWebSphere application record
v SMF120_REQCONT, which indicates aWebSphere controller record
Set by the dataprovider
Text
RequestCount Request count Set by the dataprovider
Long
RequestEnclaveCPU The enclave CPU time at the end ofthe dispatch of this request, asreported by the CPUTIME parameter ofthe IWMEQTME API. The units arein TOD format.
SM1209DA Double
RequestTime The time that the request wasreceived, or the time that theWebSphere application or controllercompleted processing of the requestresponse.
SM1209CM,SM1209CQ
Double
New documentation for insights on Splunk and Elastic Stack platforms xxxv
Table 30. Annotated fields for SMF record type 120 data (continued)
Field DescriptionCorrespondingSMF field Data type
RequestType The type of request that wasprocessed. The following values arepossible:
v HTTP
v HTTPS
v IIOP
v INTERNAL
v MBEAN
v MDB-A
v MDB-B
v MDB-C
v NOTKNOWN
v OTS
v SIP
v SIPS
v UNKNOWN
SM1209CK Text
SpecialtyCPU The amount of CPU time that wasspent on non-standard CPs, such asthe z Systems Application AssistProcessor (zAAP) and z SystemsIntegrated Information Processor(zIIP). This value is obtained fromthe TIMEUSED API.
SM1209CX Double
SpecialtyCPUActiveCount The count of samples when theamount of CPU time that was spenton non-standard CPs, such as thezAAP and zIIP, was non-zero. TheCPU utilization value is obtainedfrom the TIMEUSED API.
SM1209CX count Long
SystemID The system identifier SM120SID Text
zAAPCPUActiveCount The count of samples when thedelete zAAP CPU enclave time wasnon-zero. A value of 0 indicates thatthe enclave was not deleted or notnormalized. This CPU time isobtained from the ZAAPTIME fieldin the IWM4EDEL macro.
SM1209DI count Long
zAAPEligibleCPU The amount of CPU time at the endof the dispatch of this request that isspent on a regular CP that couldhave been run on a zAAP, but thezAAP was not available. This valueis obtained from theZAAPONCPTIME field in theIWMEQTME macro.
SM1209DC Double
zAAPEnclaveCPUNormalized The enclave zAAP CPU time at theend of the dispatch of this request, asreported by the ZAAPTIME parameterof the IWMEQTME API. Thisutilization is adjusted by the zAAPnormalization factor at the end of thedispatch of this request. Thenormalization factor is obtained fromthe ZAAPNFACTOR parameter of theIWMEQTME API.
SM1209DG,SM1209DB
Double
xxxvi Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Table 30. Annotated fields for SMF record type 120 data (continued)
Field DescriptionCorrespondingSMF field Data type
zAAPEnclaveDeleteCPU The delete zAAP CPU enclave. Avalue of 0 indicates that the enclavewas not deleted or not normalized.This value is obtained from theZAAPTIME field in the IWM4EDELmacro. This value is normalized bythe enclave delete zAAPnormalization factor as reported bythe ZAAPNFACTOR parameter of theIWM4EDEL API.
SM1209DJ,SM1209DI
Double
zAAPEnclaveServiceDeleteCPU The enclave delete zAAP Service thatis accumulated by the enclave asreported by the ZAAPSERVICEparameter of the IWM4EDEL API. Avalue of 0 indicates that the enclavewas not deleted.
SM1209DM Double
zAAPServiceCPUActiveCount The count of samples when theenclave delete zAAP service timewas non-zero. Time is accumulatedby the enclave as reported by theZAAPSERVICE parameter of theIWM4EDEL API. A value of 0indicates that the enclave was notdeleted.
SM1209DM count Long
zIIPCPUActiveCount The count of samples when theenclave delete zIIP time wasnon-zero. Time is accumulated by theenclave as reported by the ZIIPTIMEparameter of the IWM4EDEL API. Avalue of 0 indicates that the enclavewas not deleted.
SM1209DK count Long
zIIPEligibleCPUEnclave The eligible zIIP enclave that is onthe CPU at the end of the dispatch ofthis request. This value is obtainedfrom the ZIIPTIME field in theIWMEQTME macro.
SM1209DF Double
zIIPEnclaveCPU The zIIP enclave that is on the CPUat the end of the dispatch of thisrequest. This value is obtained fromthe ZIIPONCPTIME field in theIWMEQTME macro.
SM1209DD Double
zIIPEnclaveDeleteCPU The enclave delete zIIP time that isaccumulated by the enclave asreported by the ZIIPTIME parameterof the IWM4EDEL API. A value of 0indicates that the enclave was notdeleted.
SM1209DK Double
zIIPEnclaveQualityCPU The zIIP Quality Time enclave thatwas on the CPU at the end of thedispatch of this request. This value isobtained from the ZIIPQUALTIMEfield in the IWMEQTME macro.
SM1209DE Double
zIIPEnclaveServiceDeleteCPU The enclave delete zIIP service that isaccumulated by the enclave asreported by the ZIIPSERVICEparameter of the IWM4EDEL API. Avalue of 0 indicates that the enclavewas not deleted or not normalized.
SM1209DL Double
New documentation for insights on Splunk and Elastic Stack platforms xxxvii
Table 30. Annotated fields for SMF record type 120 data (continued)
Field DescriptionCorrespondingSMF field Data type
zIIPServiceCPUActiveCount The count of samples when theenclave delete zIIP service time wasnon-zero. Time is accumulated by theenclave as reported by theZIIPSERVICE parameter of theIWM4EDEL API. A value of 0indicates that the enclave was notdeleted or not normalized.
SM1209DL count Long
SYSLOG dataz/OS system log (z/OS SYSLOG) data can originate either from the operations log(OPERLOG) or from the z/OS user exits.v “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool”v “Fields that are annotated by IBM Operations Analytics for z Systems”
Data stream definition in the IBM Common Data Provider for zSystems configuration tool
Table 31. Configuration artifacts that must be defined in the IBM Common Data Provider forz Systems configuration tool for z/OS SYSLOG data
Configuration artifact Required value
Data Stream One of the following values:
v z/OS SYSLOG
v z/OS SYSLOG from OPERLOG
To select this data stream in theconfiguration tool UI: In the “Select datastream” window, click Log Data > SystemLogs, and select the check box for therespective data stream.
Transcribe Transform UTF-8
Split Transform v For a z/OS SYSLOG data stream, thetransform value is SYSLOG Splitter.
v For a z/OS SYSLOG from OPERLOG datastream, you do not provide a value for thesplitter.
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
Fields that are annotated by IBM Operations Analytics for zSystems
Table 32. Annotated fields for z/OS SYSLOG data
Field Description Data type
ApplID The application identifier Text
ASID The address space identifier Text
CommandPrefix The command prefix Text
xxxviii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Table 32. Annotated fields for z/OS SYSLOG data (continued)
Field Description Data type
Component The component identifier, which shows thedomain or component that issues the message
Text
ConsoleName The console name Text
JobName The 8-character name of the job on the z/OSsystem
Text
MessageFlags A value that provides more descriptiveinformation about the message. The followingvalues are examples:
v “CMD” means that the message is a command.
v “CMDRSP” means that the message is acommand response.
v “NONE” means that no more descriptiveinformation is associated with this message.
Text
MessageID The message identifier.
Also, see “Message IDs.”
Text
MessagePrefix The first 3 characters of the message identifier. Ifno value is detected for MessageID, MessagePrefixhas no value.
Text
MessageText The message text. If a value is detected forMessageID, MessageText contains the MessageIDalso.
Text
MessageType The one-character message type that is specifiedin the MessageID value. Valid values are A, I, E,W, D or S.
If no value is detected for MessageID, or if theMessageID value does not contain a messagetype, MessageType has no value.
Text
RouteCodes The route codes Text
SubsystemID The identifier of the software product orsubsystem that generated the message.
Text
Task The job identifier for the task that issued themessage
Text
UserExitFlags The user exit flags Text
Message IDs
A string is detected as a message ID if it matches one of the following formats:aaxxxnaaxxxntaaxxxxnaaxxxxntaaxxxxxnaaxxxxxntaaxxxxxxnaaxxxxxxnt$HASPnnn$HASPnnnnDFHaannDFHaannnDFHaannnn
New documentation for insights on Splunk and Elastic Stack platforms xxxix
DFHnnDFHnntDFHnnnDFHnnnnEYUaannEYUaannnEYUaannnnEYUnnEYUnntEYUnnnEYUnnnn
where:v a represents an uppercase alphabetic character (A - Z).v n represents a numeric character (0 - 9).v x represents an uppercase alphabetic character or a numeric character.v t represents a type character (A, I, E, W, D, or S). If the first 3 characters of the
message ID are DFH or EYU, U is also a valid type character.
Sometimes, a string that is not a message ID, but matches one of the precedingformats, might show in the MessageID field.
syslogd dataSyslogd data is network data from the UNIX System Services system log (syslogd).The abbreviation syslogd represents the term syslog daemon.v “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool”v “Fields that are annotated by IBM Operations Analytics for z Systems” on page
xli
Data stream definition in the IBM Common Data Provider for zSystems configuration tool
Table 33. Configuration artifacts that must be defined in the IBM Common Data Provider forz Systems configuration tool for syslogd data
Configuration artifact Required value
Data Stream One or more of the following values:
v USS Syslogd Admin
v USS Syslogd Debug
v USS Syslogd Error
To select this data stream in theconfiguration tool UI: In the “Select datastream” window, click Log Data > SystemLogs, and select the check box for therespective data stream.
Transcribe Transform UTF-8
Split Transform ?????
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
xl Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Fields that are annotated by IBM Operations Analytics for zSystems
Table 34. Annotated fields for syslogd data
Field Description Data type
Application The application identifier Text
JobName The job name Text
MessageID The message identifier Text
MessagePrefix The first 3 characters of the message identifier. Ifno value is detected for MessageID, MessagePrefixhas no value.
Text
MessageText The message text Text
MessageType The one-character message type that is specifiedin the MessageID value. Valid values are A, I, E,W, D or S.
If no value is detected for MessageID, or if theMessageID value does not contain a messagetype, MessageType has no value.
Text
processID The process identifier Text
SubsystemID The identifier of the software product orsubsystem that generated the message.
Text
WebSphere HPEL dataWebSphere Application Server for z/OS High Performance Extensible Logging(HPEL) data is log data from an HPEL repository.v “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool”v “Fields that are annotated by IBM Operations Analytics for z Systems” on page
xlii
Data stream definition in the IBM Common Data Provider for zSystems configuration tool
Table 35. Configuration artifacts that must be defined in the IBM Common Data Provider forz Systems configuration tool for WebSphere Application Server for z/OS HPEL data
Configuration artifact Required value
Data Stream WebSphere HPELTo select this data stream in theconfiguration tool UI: In the “Select datastream” window, click Log Data >Application Logs, and select the WebSphereHPEL check box.
Transcribe Transform UTF-8
Split Transform ????
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
New documentation for insights on Splunk and Elastic Stack platforms xli
Fields that are annotated by IBM Operations Analytics for zSystems
Table 36. Annotated fields for WebSphere Application Server for z/OS HPEL data
Field Description Data type
application The application name that is populated by thegroup data source field
Text
appName The name of the Java™ Platform, EnterpriseEdition (Java EE) application that the log or tracerecord relates to, if any.
Text
className The name of the class that made the call to thelogger. This name might be the name of thesource class that is supplied in the call to thelogger, or it might be an inferred source classname. The name might not be accurate.
Text
exceptionClassName If this record was generated due to an exception,this name is the class name in the top stack traceentry.
Text
exceptionFileName If this record was generated due to an exception,this name is the file name in the top stack traceentry.
Text
exceptionLineNumber If this record was generated due to an exception,this number is the line number in the top stacktrace entry.
Long
exceptionMethodName If this record was generated due to an exception,this name is the method name in the top stacktrace entry.
Text
exceptionPackageName If this record was generated due to an exception,this name is the package name in the top stacktrace entry.
Text
hostname The host name that is populated by the groupdata source field
Text
javaException The first Java exception name that matches thefollowing pattern:
*.*Exception
Text
jobId The identifier of the Job Entry Subsystem (JES)job that created this record
Text
jobName The name of the JES job that created this record Text
level The message level, which is an indication of theseverity of the message
Text
loggerName The name of the logger that created this record Text
message The formatted version of the log record, withvalues substituted for any placeholderparameters. If a value is detected formsgClassifier, message contains the msgClassifieralso.
Text
methodName The name of the method that made the call tothe logger. This name might be the name of thesource method that is supplied in the call to thelogger, or it might be an inferred source methodname. This name might not be accurate.
Text
xlii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Table 36. Annotated fields for WebSphere Application Server for z/OS HPELdata (continued)
Field Description Data type
middleware The middleware name that is populated by thegroup data source field
Text
msgClassifier The message identifier of the log recordmessage. This message ID is the same regardlessof the locale in which the message is rendered.For non-message records, and for other messagesthat do not begin with a message ID, this field isempty.
Text
sequence The sequence index of the message as generatedby the logger
Long
service The service name that is populated by the groupdata source field
Text
threadID The identifier of the thread on which this requestwas logged. This ID is based on thejava.util.logging representation of the threadID, and is not equivalent to the operating systemrepresentation of the thread ID.
Text
traceBlockAll If this record was generated due to an exception,this is the stack trace. The stack trace iscomputed only for records where a throwableexception is explicitly supplied by the caller.
Text
WebSphere SYSOUT dataWebSphere Application Server for z/OS SYSOUT data is from the SYSOUT job log.v “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool”v “Fields that are annotated by IBM Operations Analytics for z Systems” on page
xliv
Data stream definition in the IBM Common Data Provider for zSystems configuration tool
Table 37. Configuration artifacts that must be defined in the IBM Common Data Provider forz Systems configuration tool for WebSphere Application Server for z/OS SYSOUT data
Configuration artifact Required value
Data Stream WebSphere SYSOUTTo select this data stream in theconfiguration tool UI: In the “Select datastream” window, click Log Data >Application Logs, and select the WebSphereSYSOUT check box.
Transcribe Transform UTF-8
Split Transform ?????
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
New documentation for insights on Splunk and Elastic Stack platforms xliii
Fields that are annotated by IBM Operations Analytics for zSystems
Table 38. Annotated fields for WebSphere Application Server for z/OS SYSOUT data
Field Description Data type
application The application name that is populated by thegroup data source field
Text
entryNumber Entry number Long
exceptionClassName If this record was generated due to an exception,this name is the class name in the top stack traceentry.
Text
exceptionFileName If this record was generated due to an exception,this name is the file name in the top stack traceentry.
Text
exceptionLineNumber If this record was generated due to an exception,this number is the line number in the top stacktrace entry.
Long
exceptionMethodName If this record was generated due to an exception,this name is the method name in the top stacktrace entry.
Text
exceptionPackageName If this record was generated due to an exception,this name is the package name in the top stacktrace entry.
Text
hostname The host name that is populated by the groupdata source field
Text
javaException The first Java exception name that matches thefollowing pattern:
*.*Exception
Text
message The log message text. If a value is detected formsgClassifier, message contains the msgClassifieralso.
Text
messageTag The message tag that is defined in theclassification file
Text
middleware The middleware name that is populated by thegroup data source field
Text
msgClassifier The log message number Text
processID The process identifier Text
service The service name that is populated by the groupdata source field
Text
threadAddress The thread address Text
threadID An eight-character hexadecimal thread identifier. Text
WebSphere SYSPRINT dataWebSphere Application Server for z/OS SYSPRINT data is from the SYSPRINT joblog.v “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool” on page xlvv “Fields that are annotated by IBM Operations Analytics for z Systems” on page
xlv
xliv Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Data stream definition in the IBM Common Data Provider for zSystems configuration tool
Table 39. Configuration artifacts that must be defined in the IBM Common Data Provider forz Systems configuration tool for WebSphere Application Server for z/OS SYSPRINT data
Configuration artifact Required value
Data Stream One or more of the following values:
v WebSphere SYSPRINT
v WebSphere USS Sysprint
To select this data stream in theconfiguration tool UI: In the “Select datastream” window, click Log Data >Application Logs, and select the check boxfor the respective data stream.
Transcribe Transform UTF-8
Split Transform ?????
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
Fields that are annotated by IBM Operations Analytics for zSystems
Table 40. Annotated fields for WebSphere Application Server for z/OS SYSPRINT data
Field Description Data type
application The application name that is populated by thegroup data source field
Text
exceptionClassName If this record was generated due to an exception,this name is the class name in the top stack traceentry.
Text
exceptionFileName If this record was generated due to an exception,this name is the file name in the top stack traceentry.
Text
exceptionLineNumber If this record was generated due to an exception,this number is the line number in the top stacktrace entry.
Long
exceptionMethodName If this record was generated due to an exception,this name is the method name in the top stacktrace entry.
Text
exceptionPackageName If this record was generated due to an exception,this name is the package name in the top stacktrace entry.
Text
hostname The host name that is populated by the groupdata source field
Text
javaException The first Java exception name that matches thefollowing pattern:
*.*Exception
Text
message The extended message. If a value is detected formsgClassifier, message contains the msgClassifieralso.
Text
New documentation for insights on Splunk and Elastic Stack platforms xlv
Table 40. Annotated fields for WebSphere Application Server for z/OS SYSPRINTdata (continued)
Field Description Data type
messageTag The message tag that is defined in theclassification file
Text
middleware The middleware name that is populated by thegroup data source field
Text
msgClassifier The extended message number Text
service The service name that is populated by the groupdata source field
Text
sourceID The source identifier Text
threadAddress The hexadecimal thread address Text
zAware interval anomaly dataInterval anomaly data is provided by IBM z Advanced Workload AnalysisReporter (IBM zAware).
Fields that are annotated by IBM Operations Analytics for zSystems
Table 41. Annotated fields for anomaly interval data
Field Description Data type
IntervalAnomaly A double value that indicates the anomaly scorefor the interval. The score is the percentile of thesum of each anomaly score for individualmessage IDs within the interval.
Double
IntervalEndTime The time, based on Coordinated Universal Time(UTC), that indicates the end of an interval forwhich the log messages that are produced areused to generate the anomaly record. The formatis YYYY-MM-DDTHH:mm:ss.sssZ.
Date
IntervalIndex An integer that indicates the sequence number ofthis interval within the specified date. Eachindex represents a 10-minute period.
Long
IntervalStartTime The time, based on UTC, that indicates the startof an interval for which log messages that areproduced are used to generate the anomalyrecord. The format is YYYY-MM-DDTHH:mm:ss.sssZ.
Date
LimitedModelStatus An indication of whether the model that is usedto calculate the anomaly score for this interval isa limited model. The following values are valid:
v YES
v NO
v UNKNOWN
Text
ModelGroupName The name of an analysis group. Each analysisgroup is associated with one or more systemsfrom which the logs are used to create a singlemodel.
Text
xlvi Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Table 41. Annotated fields for anomaly interval data (continued)
Field Description Data type
NumMessagesNeverSeenBeforeAn integer that indicates the number of messageIDs that were issued during this analysis intervalfor the first time but were never seen in anyprevious analysis interval or in the currentmodel.
Long
NumMessagesNotInModelFirstReportedAn integer that indicates the number of messageIDs that are not in the model and were issuedduring this analysis interval for the first time.
Long
NumMessagesUnique An integer that indicates the number of uniquemessage IDs that were issued during thisanalysis interval.
Long
SysplexName The sysplex name Text
SystemName The system name Text
timestamp The time, based on UTC, that indicates the endof the interval record. This time is equivalent tothe value for the IntervalEndTime field. Whenyou search for interval anomaly scores that arebased on a time stamp, ensure that you searchfor the end time of the interval record. Theformat is YYYY-MM-DDTHH:mm:ss.sssZ.
Date
zAwareServer The hostname or IP address of the IBM zAdvanced Workload Analysis Reporter (IBMzAware) server from which the interval anomalydata is retrieved.
Text
zSecure datazSecure data is data from the . This data includes information about securityevents.v Data generationv “Data stream definition in the IBM Common Data Provider for z Systems
configuration tool” on page xlviiiv “Fields that are annotated by IBM Operations Analytics for z Systems” on page
xlviii
Data generation
The generates security events that the IBM Common Data Provider for z Systemssends to IBM Operations Analytics for z Systems. These events include thefollowing data:v Successful and unsuccessful attempts to log on to applicationsv Successful and unsuccessful attempts to access system resources, such as data
sets and the z/OS file system (zFS)v Successful and unsuccessful commands that are issued
The Access Monitor generates a data transfer file on the UNIX System Services filesystem. For IBM Operations Analytics for z Systems to use the Access Monitordata, IBM Common Data Provider for z Systems must be configured to read thisdata transfer file from the hierarchical file system (HFS) or the zFS, and send thefile to IBM Operations Analytics for z Systems by using the generic zFS file type.The data source type zOS-zSecure must be defined as the data source name in the
New documentation for insights on Splunk and Elastic Stack platforms xlvii
generic zFS file definition. Also, after the generic zFS file type source is saved, theconfiguration must include a transform to UTF-8.
Data stream definition in the IBM Common Data Provider for zSystems configuration tool
Table 42. Configuration artifacts that must be defined in the IBM Common Data Provider forz Systems configuration tool for zSecure data
Configuration artifact Required value
Data Stream Generic ZFS FileTo select this data stream in theconfiguration tool UI: In the “Select datastream” window, click Log Data > GenericFeeds, and select the Generic ZFS File checkbox.
Transcribe Transform UTF-8
Split Transform ?????
Important: In the IBM Common Data Provider for z Systems configuration, do notdefine time filters or regular expression (regex) filters in the IBM OperationsAnalytics for z Systems data stream definitions.
Fields that are annotated by IBM Operations Analytics for zSystems
Table 43. Annotated fields for data
Field Description Data type
AttribOperations A Yes or No indication of whether the Operations flagis set for the user ID.
Text
AttribSpecial A Yes or No indication of whether the Special flag isset for the user ID.
Text
AuthMethod For records with the event type Verify, the indicationof the method that is used for verification. Thefollowing method values are examples:
v none
v password
v passticket
v multifactor passphrase
v started
Text
Class For records with the event type Auth, Define, or Fast,the security class, for example, XFACILIT.
Text
Count The number of events of the specified event type thatoccurred in the time period. The maximum value is a63-bit decimal number.
Number
EventType The event type for this record. The following eventtype values are examples:
v Auth
v Command
v Define
v Fast
v Verify
Text
JobName For records with the event type Verify, the indicationof the job for which authentication was requested, forexample, SSHD1.
Text
xlviii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Table 43. Annotated fields for data (continued)
Field Description Data type
ProfileName For records with the event type Command, the profilename that is being used, for example, ’CKF.**’.
Text
ResourceName For records with the event type Auth, Define, or Fast,the name of the resource that is being accessed, forexample, ’CKF.AUDIT’.
Text
Result The return code. For example, a return code of 0indicates a successful result.
Text
SystemID The SMF system ID, for example, I001. Text
UserID The user ID for this record, for example, IBMUSER. Text
DashboardsIBM Operations Analytics for z Systems provides dashboards TBD...
TBD
Sample searchesIBM Operations Analytics for z Systems provides sample searches that can be usedfrom the UI to search operational data. These searches include queries of keyannotated fields that can contribute to operational insights.
The names of all sample searches begin with “IBM zOS” to distinguish theseIBM-provided searches from any custom searches that you create and save.
CICS Transaction Server for z/OS searchesThe name for each CICS Transaction Server for z/OS sample search is shown witha brief description of what the associated query looks for.
IBM zOS CICS Transaction Server Abend or Severe MessagesSearches for CICS Transaction Server messages that have the formatDFHccxxxx, where cc represents a component identifier (such as SM forStorage Manager), and xxxx is either 0001 or 0002 (which indicates anabend or severe error in the specified component).
For example: This sample would search for DFHSM0001 but not for DFH0001.
IBM zOS CICS Action, Decision, or Error MessagesSearches for CICS messages that indicate any of the following situations:v Immediate action is required.v A decision is required.v An error occurred.
The search is based on the CICS message IDs and on an action code of A,D, E, S, or U.
IBM zOS CICS Transaction Server Key MessagesSearches for a set of predefined message numbers to determine whetherany of the messages occurred.
IBM zOS CICS Transaction Server MessagesSearches for CICS Transaction Server messages, which start with the prefixDFH or EYU.
New documentation for insights on Splunk and Elastic Stack platforms xlix
IBM zOS CICS Transaction Server Short on Storage MessagesSearches for CICS Transaction Server for z/OS messages that indicate thata storage shortage occurred.
IBM zOS CICS Transaction Server Start Stop MessagesSearches for CICS Transaction Server for z/OS messages that are written tothe system log while the CICS Transaction Server for z/OS is started orstopped. Messages with the following numbers are examples:v EYUXL0010I
v DFHPA1101
IBM zOS CICS Transaction Server Storage ViolationsSearches for CICS Transaction Server for z/OS messages that indicate thata storage violation occurred.
List of CICS Transaction Server for z/OS searches that are based on SystemManagement Facilities (SMF) data
To obtain results from the following searches, CICS Transaction Server forz/OS must be active and configured to create SMF 110 records. For moreinformation, see “SMF 110 data generation” on page xxvii.
IBM zOS CICS Job PerformanceSearches for records that have a program name of DFHSIP orEYU9XECS.
IBM zOS CICS Transaction Server ExceptionsSearches for CICS Transaction Server for z/OS exceptions thatoccurred.
IBM zOS CICS Transaction Server Policy ExceptionsSearches for CICS Transaction Server for z/OS SMF policy-basedexceptions that occurred.
IBM zOS CICS Transaction Server SummarySearches for CICS Transaction Server for z/OS transactionsummary interval records that occurred.
IBM zOS CICS Transaction Server Summary End-of-DaySearches for CICS Transaction Server for z/OS end-of-daytransaction summary records that occurred.
IBM zOS CICS Transaction Server Task Limit MetSearches for CICS Transaction Server for z/OS transaction recordswhere the number of active user transactions equaled the specifiedmaximum allowed number of user transactions.
IBM zOS CICS Transaction Server Wait on Storage ExceptionsSearches for CICS storage manager messages and CICS TransactionServer for z/OS SMF Wait on Storage exceptions.
DB2 for z/OS searchesThe name for each DB2 for z/OS sample search is shown with a brief descriptionof what the associated query looks for.
IBM zOS DB2 Action, Decision, or Error MessagesSearches for DB2 messages that indicate any of the following situations:v Immediate action is required.v A decision is required.v An error occurred.
l Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
IBM zOS DB2 Data Set MessagesSearches for DB2 messages that indicate any of the following situations:v Failure of a data set definitionv Failure of a data set extendv Impending space shortage
IBM zOS DB2 Data Sharing MessagesSearches for internal resource lock manager (IRLM) messages that wereissued to DB2 and that indicate at least one of the following situations:v The percentage of available lock structure capacity is low.v An error occurred when IRLM used the specified z/OS automatic restart
manager (ARM) function.
IBM zOS DB2 Job PerformanceSearches for records that have a program name of DSNYASCP or DSNADMT0.
IBM zOS DB2 Lock Conflict MessagesSearches for DB2 messages that indicate that a plan was denied an IRLMlock due to a detected deadlock or timeout.
IBM zOS DB2 Log Data Set MessagesSearches for messages that indicate that DB2 log data sets are full, arebecoming full, or could not be allocated.
IBM zOS DB2 Log Frequency MessagesSearches for DB2 messages that indicate that log archives were offloaded orare waiting to be offloaded.
IBM zOS DB2 MessagesSearches for DB2 messages, which start with the prefix DSN.
IBM zOS DB2 Pool Shortage MessagesSearches for DB2 messages that indicate that the amount of storage in thegroup buffer pool (GBP) coupling facility structure that is available forwriting new pages is low or critically low.
IMS for z/OS searchesThe name for each IMS for z/OS sample search is shown with a brief descriptionof what the associated query looks for.
IBM zOS IMS Abend MessagesSearches for messages that indicate abends were detected.
IBM zOS IMS Action, Decision, or Error MessagesSearches for IMS messages that indicate any of the following situations:v Immediate action is required.v A decision is required.v An error occurred.
The search is based on the IMS message IDs and on an action code of A, E,W, or X.
IBM zOS IMS Common Queue Server MessagesSearches for IMS Common Queue Server component messages, which startwith the prefix CQS.
IBM zOS IMS Connect MessagesSearches for IMS Connect component messages, which start with the prefixHWS.
New documentation for insights on Splunk and Elastic Stack platforms li
IBM zOS IMS Database Recovery Control ErrorsSearches for Database Recovery Control component error messages, whichstart with the prefix DSP.
IBM zOS IMS Job PerformanceSearches for records that have a program name of DFSAMVRC0, DFSRRC00, orDXRRLM00.
IBM zOS IMS Locking MessagesSearches for messages that indicate which IMS resources are locked.
IBM zOS IMS Log MessagesSearches for messages that indicate how often IMS logs are rolled.
IBM zOS IMS MessagesSearches for IMS messages, which start with any of the following prefixes:BPE, CQS, CSL, DFS, DSP, DXR, ELX, FRP, HWS, MDA, PCB, PGE, SEG, or SFL
IBM zOS IMS Pool IssuesSearches for messages that indicate IMS pool-related issues.
IBM zOS IMS Resources in Waiting ErrorsSearches for error messages that indicate a resource is waiting on otherresources to become available.
IBM zOS IMS Security ViolationsSearches for error messages that indicate security violations were detected.
IBM zOS IMS Stopped ResourcesSearches for messages that indicate IMS and related components are nolonger running.
IBM zOS IMS Terminal Related MessagesSearches for messages that indicate IMS terminal-related issues, includingterminals that are no longer receiving messages.
MQ for z/OS searchesThe name for each MQ for z/OS sample search is shown with a brief descriptionof what the associated query looks for.
IBM zOS MQ Action, Decision, or Error MessagesSearches for MQ messages that indicate any of the following situations:v Immediate action is required.v A decision is required.v An error occurred.
The search is based on the MQ message IDs and on an action code of A, D,or E .
IBM zOS MQ Buffer Pool ErrorsSearches for error messages that indicate the occurrence of MQ buffer poolerrors.
IBM zOS MQ Channel ErrorsSearches for error messages that indicate the occurrence of MQ channelerrors.
IBM zOS MQ Channel Initiator ErrorsSearches for error messages that indicate the occurrence of MQ channelinitiator errors.
lii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
IBM zOS MQ Interesting Informational MessagesSearches for a set of predefined informational message numbers todetermine whether any of the corresponding messages occurred.
IBM zOS MQ Job PerformanceSearches for records that have a program name of CSQXJST or CSQYASCP.
IBM zOS MQ Key MessagesSearches for a set of predefined message numbers to determine whetherany of the corresponding messages occurred.
IBM zOS MQ Logs Start and Stop MessagesSearches for messages that are related to the starting, stopping, andflushing of the MQ log data sets.
IBM zOS MQ MessagesSearches for MQ messages, which start with the prefix CSQ.
IBM zOS MQ Queue Manager Storage MessagesSearches for messages that indicate whether MQ queue manager requiredmore storage.
IBM zOS MQ Start Stop MessagesSearches for messages that are written to the system log while the MQqueue manager or channel initiator is started or stopped. Messages withthe following numbers are examples:v CSQY000I
v CSQY001I
NetView for z/OS searchesThe name for each NetView for z/OS sample search is shown with a briefdescription of what the associated query looks for.
IBM zOS NetView Action, Decision, or Error MessagesSearches for NetView for z/OS messages that indicate any of the followingsituations:v Immediate action is required.v A decision is required.v An error occurred.
IBM zOS NetView AutomationSearches for a set of predefined NetView for z/OS messages that indicatepossible automation table violations.
IBM zOS NetView Command AuthorizationSearches for a set of predefined NetView for z/OS messages that indicatepossible command authorization table violations.
IBM zOS NetView MessagesSearches for NetView for z/OS messages.
IBM zOS NetView Resource LimitsSearches for a set of predefined NetView for z/OS messages that indicatethat resource limits or storage thresholds might have been exceeded.
IBM zOS NetView Security MessagesSearches for a set of predefined NetView for z/OS messages that indicateinsufficient access authority or security environment violations.
New documentation for insights on Splunk and Elastic Stack platforms liii
Security searches: RACFThe name for each Resource Access Control Facility (RACF) sample search isshown with a brief description of what the associated query looks for.
IBM zOS Security RACF Action, Decision, or Error MessagesSearches for RACF® messages that indicate any of the following situations:v Immediate action is required.v A decision is required.v An error occurred.
IBM zOS Security RACF Insufficient Access MessagesSearches for RACF messages that indicate insufficient access authority.
IBM zOS Security RACF Insufficient Authority MessagesSearches for RACF messages that indicate insufficient authority.
IBM zOS Security RACF Invalid Logon Attempt MessagesSearches for RACF messages that indicate invalid logon attempts.
IBM zOS Security RACF MessagesSearches for RACF messages, which start with either of the followingprefixes:v ICHv IRR
List of RACF searches that are based on System Management Facilities (SMF)data To obtain results from the following searches, RACF must be active and
protecting the resources or commands that are the subject of each search:
IBM zOS Security RACF Accesses of Configuration FilesSearches for any accesses of files with the extension .config.
IBM zOS Security RACF Activity for OperationsSearches for any events that were caused by a user with the RACFOPERATIONS attribute.
IBM zOS Security RACF CHOWN, CHGRP, CHMOD CommandsSearches for occurrences of the UNIX commands CHOWN,CHGRP, and CHMOD that were issued.
IBM zOS Security RACF Data Set Access SuccessesSearches for successful attempts to access data sets.
IBM zOS Security RACF Failed Access AttemptsSearches for unsuccessful attempts to access data sets.
IBM zOS Security RACF Logons and CommandsSearches for logons and commands that were issued from aspecific terminal ID (TermID field). The default value for the TermIDfield is non-blank.
IBM zOS Security RACF SETROPTS Commands IssuedSearches for SETROPTS commands that were issued.
Security searches: zsecure Access MonitorThe name for each sample search for the is shown with a brief description of whatthe associated query looks for.
IBM zOS zSecure Access Monitor All RecordsSearches for all records that are created by the Access Monitor.
liv Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
IBM zOS zSecure Access Monitor Authorization Nonzero ResultSearches for records with the following characteristics:v Are based on the RACF AUTH definitionv Have a non-zero return codev Are created by the Access Monitor
IBM zOS zSecure Access Monitor Authorization RecordsSearches for records with the following characteristics:v Are based on the RACF AUTH definitionv Are created by the Access Monitor
IBM zOS zSecure Access Monitor CICS Authorization Nonzero ResultSearches for CICS transaction-related records with a non-zero return codethat are created by the Access Monitor.
IBM zOS zSecure Access Monitor CICS TransactionsSearches for all CICS transaction-related records that are created by theAccess Monitor.
IBM zOS zSecure Access Monitor Command Nonzero ResultSearches for records with the following characteristics:v Are based on the use of the RACF DEFINE command to add or remove a
profile in the RACF databasev Have a non-zero return codev Are created by the Access Monitor
IBM zOS zSecure Access Monitor Command RecordsSearches for records with the following characteristics:v Are based on the use of the RACF DEFINE command to add or remove a
profile in the RACF databasev Are created by the Access Monitor
IBM zOS zSecure Access Monitor Define Nonzero ResultSearches for records with the following characteristics:v Are based on the RACF DEFINE definitionv Have a non-zero return codev Are created by the Access Monitor
IBM zOS zSecure Access Monitor Define RecordsSearches for records with the following characteristics:v Are based on the RACF DEFINE definitionv Are created by the Access Monitor
IBM zOS zSecure Access Monitor Fast Nonzero ResultSearches for records with the following characteristics:v Are based on the RACF FASTAUTH definitionv Have a non-zero return codev Are created by the Access Monitor
IBM zOS zSecure Access Monitor Fast RecordsSearches for records with the following characteristics:v Are based on the RACF FASTAUTH definitionv Are created by the Access Monitor
IBM zOS zSecure Access Monitor Verify Nonzero ResultSearches for records with the following characteristics:
New documentation for insights on Splunk and Elastic Stack platforms lv
v Are based on the RACF VERIFY definitionv Have a non-zero return codev Are created by the Access Monitor
IBM zOS zSecure Access Monitor Verify RecordsSearches for records with the following characteristics:v Are based on the RACF VERIFY definitionv Are created by the Access Monitor
WebSphere Application Server for z/OS searchesThe name for each WebSphere Application Server for z/OS sample search is shownwith a brief description of what the associated query looks for.
IBM zOS WebSphere Error MessagesSearches for WebSphere Application Server for z/OS messages thatindicate an error.
IBM zOS WebSphere ExceptionsSearches for occurrences of Java exceptions in the WebSphere ApplicationLogs.
List of WebSphere Application Server for z/OS searches that are based onSystem Management Facilities (SMF) data
To obtain results from the following searches, WebSphere ApplicationServer for z/OS must be active and configured to create SMF 120 subtype9 records:
IBM zOS WebSphere Activity for All ApplicationsSearches for the requests for processing that are attributed toWebSphere Application Server for z/OS applications.
IBM zOS WebSphere Applications with Nonzero Dispatch TCBSearches for the requests for processing that are attributed toWebSphere Application Server for z/OS applications with nonzerodispatch Task Control Block (TCB) time.
IBM zOS WebSphere Controller Managed JavaBeansSearches for the managed JavaBeans requests that are processed bythe WebSphere Application Server Controller.
IBM zOS WebSphere Controller Requests Non-InternalSearches for the requests for controller processing that are notattributed to internal WebSphere processing.
z/OS network searchesThe name for each z/OS network sample search is shown. These samples look forcommon network errors.
Searches for common network errors
The following z/OS network sample searches are provided:v IBM zOS Network ATTLS Error Messagesv IBM zOS Network CSSMTP Error Messagesv IBM zOS Network Device Error Messagesv IBM zOS Network FTP Error Messagesv IBM zOS Network IKED Error Messages
lvi Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
v IBM zOS Network IPSEC Error Messagesv IBM zOS Network OMPROUTE Error Messagesv IBM zOS Network PAGENT Error Messagesv IBM zOS Network Storage Error Messagesv IBM zOS Network syslogd FTPD Messagesv IBM zOS Network syslogd Messagesv IBM zOS Network syslogd SSHD Messagesv IBM zOS Network syslogd TELNETD Messagesv IBM zOS Network TCPIP Error Messagesv IBM zOS Network TN3270 Telnet Error Messagesv IBM zOS Network VTAM Connection Error Messagesv IBM zOS Network VTAM CSM Error Messagesv IBM zOS Network VTAM Storage Error Messages
z/OS system searchesThe name for each sample search of the z/OS system is shown with a briefdescription of what the associated query looks for.
IBM zOS Job PerformanceSearches for records that have an assigned program name.
New documentation for insights on Splunk and Elastic Stack platforms lvii
lviii Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Notices
This information was developed for products and services offered in the US. Thismaterial might be available from IBM in other languages. However, you may berequired to own a copy of the product or product version in that language in orderto access it.
IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user's responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not grant youany license to these patents. You can send license inquiries, in writing, to:
IBM Director of LicensingIBM CorporationNorth Castle Drive, MD-NC119Armonk, NY 10504-1785US
For license inquiries regarding double-byte character set (DBCS) information,contact the IBM Intellectual Property Department in your country or sendinquiries, in writing, to:
Intellectual Property LicensingLegal and Intellectual Property LawIBM Japan Ltd.19-21, Nihonbashi-Hakozakicho, Chuo-kuTokyo 103-8510, Japan
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer ofexpress or implied warranties in certain transactions, therefore, this statement maynot apply to you.
This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.
Any references in this information to non-IBM websites are provided forconvenience only and do not in any manner serve as an endorsement of those
© Copyright IBM Corp. 2014, 2018 1
websites. The materials at those websites are not part of the materials for this IBMproduct and use of those websites is at your own risk.
IBM may use or distribute any of the information you provide in any way itbelieves appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:
IBM Director of LicensingIBM CorporationNorth Castle Drive, MD-NC119Armonk, NY 10504-1785US
Such information may be available, subject to appropriate terms and conditions,including in some cases, payment of a fee.
The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement or any equivalent agreementbetween us.
The performance data and client examples cited are presented for illustrativepurposes only. Actual performance results may vary depending on specificconfigurations and operating conditions.
Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.
Statements regarding IBM's future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to actual people or business enterprises is entirelycoincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, whichillustrate programming techniques on various operating platforms. You may copy,modify, and distribute these sample programs in any form without payment toIBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operatingplatform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. IBM, therefore, cannot guarantee orimply reliability, serviceability, or function of these programs. The sample
2 Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
programs are provided "AS IS", without warranty of any kind. IBM shall not beliable for any damages arising out of your use of the sample programs.
TrademarksIBM, the IBM logo, and ibm.com® are trademarks or registered trademarks ofInternational Business Machines Corp., registered in many jurisdictions worldwide.Other product and service names might be trademarks of IBM or other companies.A current list of IBM trademarks is available on the Web at "Copyright andtrademark information" at http://www.ibm.com/legal/copytrade.shtml.
Java and all Java-based trademarks and logos are trademarks or registeredtrademarks of Oracle and/or its affiliates.
Linux is a registered trademark of Linus Torvalds in the United States, othercountries, or both.
UNIX is a registered trademark of The Open Group in the United States and othercountries.
Windows is a trademark of Microsoft Corporation in the United States, othercountries, or both.
Terms and conditions for product documentationPermissions for the use of these publications are granted subject to the followingterms and conditions.
Applicability
These terms and conditions are in addition to any terms of use for the IBMwebsite.
Personal use
You may reproduce these publications for your personal, noncommercial useprovided that all proprietary notices are preserved. You may not distribute, displayor make derivative work of these publications, or any portion thereof, without theexpress consent of IBM.
Commercial use
You may reproduce, distribute and display these publications solely within yourenterprise provided that all proprietary notices are preserved. You may not makederivative works of these publications, or reproduce, distribute or display thesepublications or any portion thereof outside your enterprise, without the expressconsent of IBM.
Rights
Except as expressly granted in this permission, no other permissions, licenses orrights are granted, either express or implied, to the publications or anyinformation, data, software or other intellectual property contained therein.
Notices 3
IBM reserves the right to withdraw the permissions granted herein whenever, in itsdiscretion, the use of the publications is detrimental to its interest or, asdetermined by IBM, the above instructions are not being properly followed.
You may not download, export or re-export this information except in fullcompliance with all applicable laws and regulations, including all United Statesexport laws and regulations.
IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESEPUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUTWARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDINGBUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY,NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.
4 Operations Analytics for z Systems: New documentation for insights on Elastic Stack and Splunk platforms
Notices 5
IBM®
Printed in USA