IBM Operations Analytics for z Systems New documentation for insights on Elastic Stack and Splunk platforms Version 3 Release 1 IBM

IBM Operations Analytics for z Systems · IBM › support › knowledgecenter › SS55JD_3.1.0 › ... · 2019-02-26


© Copyright IBM Corp. 2014, 2018


Tables

1. Annotated fields from Elasticsearch
2. Annotated fields from IBM Common Data Provider for z Systems
3. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for CICS Transaction Server for z/OS EYULOG and MSGUSR log data
4. Annotated fields for CICS Transaction Server for z/OS EYULOG and MSGUSR log data
5. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for NetView message data
6. Annotated fields for NetView message data
7. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for SMF record type 30 data
8. Annotated fields for SMF record type 30 data
9. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for SMF record type 80 data
10. Annotated fields for SMF record type 80 data
11. SMF80_COMMAND record type: event code qualifiers for events 8 - 25
12. SMF80_LOGON record type: event code qualifiers for event 1
13. SMF80_OMVS_RES_1 and SMF80_OMVS_RES_2 record types: event code qualifiers for events 28 - 30
14. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers for event 31
15. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers for event 33
16. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers for event 34
17. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers for event 35
18. SMF80_OPERATION record type: event code qualifiers for event 2
19. SMF80_OPERATION record type: event code qualifiers for event 3
20. SMF80_OPERATION record type: event code qualifiers for event 4
21. SMF80_OPERATION record type: event code qualifiers for event 5
22. SMF80_OPERATION record type: event code qualifiers for event 6
23. SMF80_OPERATION record type: event code qualifiers for event 7
24. SMF80_RESOURCE record type: event code qualifiers for event 2
25. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for SMF record type 110 monitoring exceptions data
26. Annotated fields for SMF record type 110 monitoring exceptions data
27. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for SMF record type 110 global transaction manager statistics data
28. Annotated fields for SMF record type 110 global transaction manager statistics data
29. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for SMF record type 120 data
30. Annotated fields for SMF record type 120 data
31. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for z/OS SYSLOG data
32. Annotated fields for z/OS SYSLOG data
33. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for syslogd data
34. Annotated fields for syslogd data
35. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for WebSphere Application Server for z/OS HPEL data
36. Annotated fields for WebSphere Application Server for z/OS HPEL data
37. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for WebSphere Application Server for z/OS SYSOUT data
38. Annotated fields for WebSphere Application Server for z/OS SYSOUT data
39. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for WebSphere Application Server for z/OS SYSPRINT data
40. Annotated fields for WebSphere Application Server for z/OS SYSPRINT data
41. Annotated fields for anomaly interval data
42. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for zSecure data
43. Annotated fields for data


Contents

Figures
Tables
New documentation for insights on Splunk and Elastic Stack platforms
  Logstash filter plugins for splitting and annotating operational data on the Elastic Stack platform
  Operational insights
    System insights
    Database insights
    Messaging insights
    Network insights
    Security insights
    Transaction insights
    Web server insights
  Annotated fields for each type of source data
    CICS EYULOG and MSGUSR log data
    NetView message data
    SMF 30 data
    SMF 80 data
    SMF 110 data
    SMF 120 data
    SYSLOG data
    syslogd data
    WebSphere HPEL data
    WebSphere SYSOUT data
    WebSphere SYSPRINT data
    zAware interval anomaly data
    zSecure data
  Dashboards
  Sample searches
    CICS Transaction Server for z/OS searches
    DB2 for z/OS searches
    IMS for z/OS searches
    MQ for z/OS searches
    NetView for z/OS searches
    Security searches: RACF
    Security searches: zsecure Access Monitor
    WebSphere Application Server for z/OS searches
    z/OS network searches
    z/OS system searches
Notices
  Trademarks
  Terms and conditions for product documentation


New documentation for insights on Splunk and Elastic Stack platforms

In IBM® Operations Analytics for z Systems V3.1.0 Fix Pack 7????, dashboards and searches are provided for insights on the Splunk and the Elastic Stack platforms. The Elastic Stack (formerly known as the ELK Stack) is a collection of the popular open source software tools Elasticsearch, Logstash, and Kibana.

Logstash filter plugins for splitting and annotating operational data on the Elastic Stack platform

For the Elastic Stack platform, IBM Operations Analytics for z Systems provides Logstash filter plugins for splitting and annotating the operational data records from IBM Common Data Provider for z Systems.

zsplit filter plugin
This plugin processes batched z/OS records from IBM Common Data Provider for z Systems.

Each batch of z/OS data includes metadata that applies to each record in the batch. The zsplit filter plugin splits each record and its associated metadata into a separate Logstash event for further processing in the Logstash event processing pipeline.

zannotate filter plugin
This plugin runs after a zsplit filter stage to provide annotations for individual z/OS records from IBM Common Data Provider for z Systems. The plugin processes records based on the type of the source data, and it supplies more fields and insights within the Logstash event.

The plugin processes only the types of data for which IBM Operations Analytics for z Systems provides insights. These types of data are outlined in “Operational insights.”

Sequence of operational data records in the Logstash pipeline

Within the metadata that applies to each record, IBM Operations Analytics for z Systems adds sequence data to assist in tracking and maintaining the order of data as it flows through the Logstash event processing pipeline. It adds this sequence data to the following field in the IBM Common Data Provider for z Systems metadata:

Inputsequence
A string that includes the following information:
- A time stamp that indicates when a packet is received by a data streamer
- Information for sequencing data as the data is processed

The format is YYYYMMddHHmmssSSS:pppppp-nnnnn:rrrrrr-tttttt, where the following variables represent the following values:

YYYYMMddHHmmssSSS: The time stamp.
pppppp: The packet count for the data streamer.
nnnnn: The packet count for a split packet stream.
rrrrrr: The individual record number for the packet.
tttttt: The total number of records in the packet.

The data type for this field is text.
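The Inputsequence layout above can be used downstream to restore record order and to spot packets whose records did not all arrive, which matters when the events feed security searches. The following Python sketch is an added example, not code from IBM Operations Analytics for z Systems; the function names and sample values are constructed, and it assumes the counters are plain decimal digits.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

# Layout from the page: YYYYMMddHHmmssSSS:pppppp-nnnnn:rrrrrr-tttttt
# Assumption: the counters are decimal digits; their widths are not enforced.
SEQ_RE = re.compile(r"^(\d{17}):(\d+)-(\d+):(\d+)-(\d+)$")


class InputSequence(NamedTuple):
    received: datetime  # when the data streamer received the packet
    packet: int         # pppppp: packet count for the data streamer
    split_packet: int   # nnnnn: packet count for a split packet stream
    record: int         # rrrrrr: record number within the packet
    total: int          # tttttt: total number of records in the packet


def parse_inputsequence(value: str) -> InputSequence:
    """Parse one Inputsequence string; raise ValueError if it is malformed."""
    m = SEQ_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not an Inputsequence value: {value!r}")
    ts, packet, split_packet, record, total = m.groups()
    # 14 digits of date and time, then 3 digits of milliseconds.
    received = datetime.strptime(ts[:14], "%Y%m%d%H%M%S").replace(
        microsecond=int(ts[14:]) * 1000
    )
    return InputSequence(received, int(packet), int(split_packet),
                         int(record), int(total))


def restore_order(values):
    """Return the values sorted by time stamp, packet counters and record number."""
    return sorted(values, key=parse_inputsequence)


def audit_packets(values):
    """Report packets whose records are incomplete or duplicated.

    Records are grouped by the 'timestamp:pppppp-nnnnn' prefix. Only the count
    of distinct record numbers is compared with tttttt, so no assumption is
    made about whether record numbering starts at 0 or 1.
    """
    records = defaultdict(list)
    totals = {}
    for value in values:
        seq = parse_inputsequence(value)
        packet_id = value.strip().rsplit(":", 1)[0]
        records[packet_id].append(seq.record)
        totals[packet_id] = max(totals.get(packet_id, 0), seq.total)

    findings = {}
    for packet_id, seen in records.items():
        distinct = set(seen)
        missing = totals[packet_id] - len(distinct)
        duplicates = len(seen) - len(distinct)
        if missing > 0 or duplicates > 0:
            findings[packet_id] = {"missing": missing, "duplicates": duplicates}
    return findings


# Constructed sample values: the first packet arrives out of order but complete,
# the second has one duplicate and is missing two of its four records.
SAMPLE = [
    "20190226101500123:000001-00001:000002-000003",
    "20190226101500123:000001-00001:000001-000003",
    "20190226101500123:000001-00001:000003-000003",
    "20190226101500456:000002-00001:000001-000004",
    "20190226101500456:000002-00001:000002-000004",
    "20190226101500456:000002-00001:000002-000004",
]

if __name__ == "__main__":
    for value in restore_order(SAMPLE):
        print(value)
    print(audit_packets(SAMPLE))
```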

Operational insights

IBM Operations Analytics for z Systems can provide IT operational insights for multiple domains of interest, including z/OS® system, databases, messaging, networks, security, transactions, or web servers. IBM Operations Analytics for z Systems provides function for analyzing each unique type of z/OS operations data and producing associated operational insights.

System insights

IBM Operations Analytics for z Systems provides system insights that are based on data from the z/OS system.

Sources from which system data is retrieved

Insights are based on z/OS system data from the following sources:
- z/OS SYSLOG
- System Management Facilities (SMF) record type 30

Database insights

IBM Operations Analytics for z Systems provides database insights that are based on data from the DB2® for z/OS or IMS for z/OS subsystems.

Sources from which database data is retrieved

Insights are based on DB2 for z/OS or IMS for z/OS data from the z/OS SYSLOG.

Messaging insights

IBM Operations Analytics for z Systems provides messaging insights that are based on data from the MQ for z/OS subsystem.

Sources from which messaging data is retrieved

Insights are based on MQ for z/OS data from the z/OS SYSLOG.

Network insights

IBM Operations Analytics for z Systems provides network insights that are based on data from, for example, UNIX System Services, z/OS Communications Server, or the NetView® for z/OS program.

Sources from which network data is retrieved

Insights are based on network data from the following sources:
- z/OS SYSLOG
- UNIX System Services system log (syslogd)
- NetView for z/OS program

Security insights

IBM Operations Analytics for z Systems provides security insights that are based on data from, for example, the Resource Access Control Facility (RACF) or the .

Sources from which security data is retrieved

Insights are based on security data from the following sources:
- z/OS SYSLOG
- UNIX System Services system log (syslogd)
- “zSecure data”
- System Management Facilities (SMF) record type 80

Transaction insights

IBM Operations Analytics for z Systems provides transaction insights that are based on data from the CICS® Transaction Server for z/OS subsystem.

Sources from which transaction data is retrieved

Insights are based on CICS Transaction Server for z/OS data from the following sources:
- z/OS SYSLOG
- CICS Transaction Server for z/OS EYULOG and MSGUSR logs
- System Management Facilities (SMF) record type 110

Web server insights

IBM Operations Analytics for z Systems provides web server insights that are based on data from the WebSphere® Application Server for z/OS subsystem.

Sources from which web server data is retrieved

Insights are based on WebSphere Application Server for z/OS data from the following sources:
- WebSphere Application Server for z/OS High Performance Extensible Logging (HPEL)
- WebSphere Application Server for z/OS SYSOUT log
- WebSphere Application Server for z/OS SYSPRINT log
- System Management Facilities (SMF) record type 120

Annotated fields for each type of source data

For each type of source data, the fields that are annotated by IBM Operations Analytics for z Systems are listed and described. These annotations contribute to the operational insights for the respective domain (such as the z/OS system, databases, messaging, networks, security, transactions, or web servers).

This reference also describes how to enable the generation of the respective data at its source and how to define the data stream in the IBM Common Data Provider for z Systems configuration tool for IBM Operations Analytics for z Systems.


Annotated fields that are common to all types of source data

Table 1 lists the fields from Elasticsearch that are annotated in all types of source data.

Table 2 lists the metadata fields from IBM Common Data Provider for z Systems that are annotated in all types of source data.

Table 1. Annotated fields from Elasticsearch

| Field | Description | Data type |
|---|---|---|
| _id | The Elasticsearch record ID | Text |
| _index | The name of the Elasticsearch index that is used to store source data | Text |
| _score | Set by Elasticsearch but not used by IBM Operations Analytics for z Systems | Not applicable |
| _source | An array of key-value pairs that are related to data collection | Text |
| _type | Used internally to indicate that the record was annotated by IBM Operations Analytics for z Systems | Not applicable |

Table 2. Annotated fields from IBM Common Data Provider for z Systems

| Field | Description | Data type |
|---|---|---|
| host | The network host name | Text |
| message | The contents of the original message from IBM Common Data Provider for z Systems before it is annotated by IBM Operations Analytics for z Systems | Text |
| path | Used internally by IBM Common Data Provider for z Systems | Not applicable |
| port | The port number | Integer |
| seq | Used internally by IBM Common Data Provider for z Systems | Not applicable |
| sourceType | The source type | Text |
| SysplexName | The name of the sysplex where the event occurred | Text |
| SystemName | The name of the system where the event occurred | Text |
| timestamp | The time that IBM Common Data Provider for z Systems recorded the event | Date |
| timeZone | The number of time zones between Coordinated Universal Time (UTC) and the system time of the system on which the event occurred. The relative number of time zones east of the UTC time zone is designated as a positive integer, and the relative number of time zones west of the UTC time zone is designated as a negative integer. | Integer |
| type | Used internally by IBM Operations Analytics for z Systems | Not applicable |


CICS EYULOG and MSGUSR log data

CICS Transaction Server for z/OS EYULOG and MSGUSR log data includes information about the CICSPlex System Manager (SM).
- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

Table 3. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for CICS Transaction Server for z/OS EYULOG and MSGUSR log data

| Configuration artifact | Required value |
|---|---|
| Data Stream | For MSGUSR data, one or more of the following values: CICS User Messages, with the default date format MDY; CICS User Messages YMD, with the date format YMD; CICS User Messages DMY, with the date format DMY. For EYULOG data, one or more of the following values: CICS EYULOG, with the default date format MDY; CICS EYULOG YMD, with the date format YMD; CICS EYULOG DMY, with the date format DMY. To select this data stream in the configuration tool UI: In the “Select data stream” window, click Log Data > Application Logs, and select the check box for the respective data stream. |
| Transcribe Transform | UTF-8 |
| Split Transform | ???? |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.

Fields that are annotated by IBM Operations Analytics for z Systems

Table 4. Annotated fields for CICS Transaction Server for z/OS EYULOG and MSGUSR log data

| Field | Description | Data type |
|---|---|---|
| ApplID | The application identifier | Text |
| Component | The component identifier, which shows the domain or component that issues the message | Text |
| MessageID | The message identifier. Also, see “Message IDs.” | Text |
| MessagePrefix | The first 3 characters of the message identifier. If no value is detected for MessageID, MessagePrefix has no value. | Text |
| MessageText | The message text | Text |
| MessageType | The one-character message type that is specified in the MessageID value. Valid values are A, I, E, W, D or S. If no value is detected for MessageID, or if the MessageID value does not contain a message type, MessageType has no value. | Text |
| SubsystemID | The identifier of the software product or subsystem that generated the message. | Text |

Message IDs

A string is detected as a message ID if it matches one of the following formats:

DFHnn
DFHnnt
DFHnnn
DFHnnnt
DFHnnnn
DFHnnnnt
DFHaann
DFHaannt
DFHaannn
DFHaannnt
DFHaannnn
DFHaannnnt
EYUnn
EYUnnt
EYUnnn
EYUnnnt
EYUnnnn
EYUnnnnt
EYUaann
EYUaannt
EYUaannn
EYUaannnt
EYUaannnn
EYUaannnnt

where:
- a represents an uppercase alphabetic character (A - Z).
- n represents a numeric character (0 - 9).
- t represents a type character (A, I, E, W, D, S, or U).

Sometimes, a string that is not a message ID, but matches one of the preceding formats, might show in the MessageID field.


NetView message data

NetView message data includes network data from the IBM Tivoli NetView for z/OS program.
- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

Table 5. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for NetView message data

| Configuration artifact | Required value |
|---|---|
| Data Stream | NetView Netlog. To select this data stream in the configuration tool UI: In the “Select data stream” window, click Log Data > Application Logs, and select the NetView Netlog check box. |
| Transcribe Transform | UTF-8 |
| Split Transform | ???? |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.

Fields that are annotated by IBM Operations Analytics for z Systems

Table 6. Annotated fields for NetView message data

| Field | Description | Data type |
|---|---|---|
| Domain | The NetView domain | Text |
| HDRMTYPE | The NetView message type | Text |
| MessageID | The message identifier. Also, see “Message IDs.” | Text |
| MessagePrefix | The first 3 characters of the message identifier. If no value is detected for MessageID, MessagePrefix has no value. | Text |
| MessageText | The message text. If a value is detected for MessageID, MessageText contains the MessageID also. | Text |
| MessageType | The 1-character message type that is specified in the MessageID value. Valid values are A, D, E, I, S, U, or W. If no value is detected for MessageID, or if the MessageID value does not contain a message type, MessageType has no value. | Text |
| OperatorID | The NetView operator ID | Text |
| SubsystemID | The identifier of the software product or subsystem that generated the message. | Text |

Message IDs

A string is detected as a message ID if it matches one of the following formats:

aaannn
aaannnt
aaaannn
aaaannnt
aaaaannn
aaaaannnt
aaannnn
aaannnnt
aaaannnn
aaaannnnt
aaaaannnn
aaaaannnnt
aaannnnn
aaannnnnt
aaaannnnn
aaaannnnnt
aaaaannnnn
aaaaannnnnt

where:
- a represents an uppercase alphabetic character (A - Z). The string can have 3 to 5 uppercase alphabetic characters but only the first 3 characters are considered the message prefix.
- n represents a numeric character (0 - 9).
- t represents a type character (A, D, E, I, S, U, or W).

Sometimes, a string that is not a message ID, but matches one of the preceding formats, might show in the MessageID field.
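The message ID formats listed for CICS EYULOG/MSGUSR data and for NetView message data can each be collapsed into one regular expression, which also makes the false-positive caveat easy to reproduce. The following Python sketch is an added example, not the zannotate plugin's own code; it assumes the ID is the first matching token in the message text, and the sample messages and the prefix allowlist are constructed.

```python
import re

# Patterns built from the format lists on this page.
# CICS: DFH or EYU, an optional 2-letter part (aa), 2 to 4 digits, optional type.
# NetView: 3 to 5 uppercase letters, 3 to 5 digits, optional type.
PATTERNS = {
    "cics": re.compile(r"\b((?:DFH|EYU)(?:[A-Z]{2})?\d{2,4})([AIEWDSU]?)\b"),
    "netview": re.compile(r"\b([A-Z]{3,5}\d{3,5})([ADEISUW]?)\b"),
}


def annotate(source: str, text: str) -> dict:
    """Derive MessageID, MessagePrefix and MessageType as the tables describe.

    Assumption: the first token in the text that matches a format is taken as
    the message ID. The CICS format list allows the type character U although
    the field table lists only A, I, E, W, D and S; the character is returned
    as found.
    """
    fields = {"MessageID": None, "MessagePrefix": None, "MessageType": None}
    match = PATTERNS[source].search(text)
    if match is None:
        return fields  # no ID detected, so prefix and type have no value
    fields["MessageID"] = match.group(0)
    fields["MessagePrefix"] = match.group(0)[:3]
    fields["MessageType"] = match.group(2) or None
    return fields


def is_expected(fields: dict, known_prefixes: set) -> bool:
    """Flag IDs whose prefix is not on an allowlist kept by the analyst.

    This is one way to handle the caveat that a string matching the format
    may not be a real message ID.
    """
    return fields["MessagePrefix"] in known_prefixes


# Constructed sample messages and a constructed allowlist of NetView prefixes.
CICS_SAMPLE = "EYUXL0010I CMAS01 initialization complete"
NETVIEW_SAMPLE = "DSI020I OPERATOR OPER1 LOGGED ON"
NETVIEW_LOOKALIKE = "SESSION WITH NODE ABCDE12345 ENDED"
NETVIEW_PREFIXES = {"DSI", "CNM"}

if __name__ == "__main__":
    print(annotate("cics", CICS_SAMPLE))
    print(annotate("netview", NETVIEW_SAMPLE))
    lookalike = annotate("netview", NETVIEW_LOOKALIKE)
    print(lookalike, "expected:", is_expected(lookalike, NETVIEW_PREFIXES))
```

In the last sample the resource name ABCDE12345 satisfies the aaaaannnnn format and lands in MessageID with the prefix ABC, which the allowlist check then rejects.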

SMF 30 data

System Management Facilities (SMF) record type 30 data is job performance data (based on accounting data) for z/OS software.
- “SMF 30 data generation”
- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

SMF 30 data generation

To enable the generation of SMF record type 30 data, you must include the SMF 30 record type in the single SMF log stream that the IBM Common Data Provider for z Systems System Data Engine processes.

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

For prerequisite requirements for defining SMF data streams, see .

Table 7. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for SMF record type 30 data

| Configuration artifact | Required value |
|---|---|
| Data Stream | SMF30. To select this data stream in the configuration tool UI: In the “Select data stream” window, click SMF Data > IOAz > z/OS, and select the SMF30 check box. |
| Transcribe Transform | UTF-8 |
| Split Transform | CRLF Split |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.

Fields that are annotated by IBM Operations Analytics for z Systems

Table 8. Annotated fields for SMF record type 30 data

| Field | Description | Data type |
|---|---|---|
| CPU | The CPU usage for the monitored task | Double |
| IORate | The I/O rate for the monitored task | Double |
| JobName | The 8-character name of the job on the z/OS system | Text |
| PagingRate | The paging rate for the monitored task | Double |
| ProgName | The name of the program that is running under the monitored task | Text |
| RecordType | The type of SMF record | Text |
| SystemID | The system identifier | Text |
| Task | The job name for the task that issued the message | Text |
| WorkingSet | The working set size for the monitored task | Double |

SMF 80 data

System Management Facilities (SMF) record type 80 data is produced during Resource Access Control Facility (RACF) processing.
- “SMF 80 data generation”
- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

SMF 80 data generation

To enable the generation of SMF record type 80 data, you must include the SMF 80 record type in the single SMF log stream that the IBM Common Data Provider for z Systems System Data Engine processes. RACF must also be installed, active, and configured to protect resources.

For information about the subset of SMF record type 80 data that the System Data Engine collects, see “SMF type 80-related records that the System Data Engine creates.”

SMF also records information that is gathered by RACF auditing. By using various RACF options, you can regulate the granularity of SMF record type 80 data that is collected. In the IBM Knowledge Center, see the following information from the z/OS documentation:
- Information about the following options of the SETROPTS LOGOPTIONS command, through which you can control auditing:
  - DIRSRCH
  - DIRACC
  - FSOBJ
  - FSSEC
- Examples for setting audit controls by using SETROPTS

Before you enable RACF log options, consider the impact in your environment. For example, enabling RACF log options can result in the following consequences:
- An increase in the amount of disk space that is used for logging
- An increase in the network activity that is required to transmit SMF data

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

For prerequisite requirements for defining SMF data streams, see .

Table 9. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for SMF record type 80 data

| Configuration artifact | Required value |
|---|---|
| Data Stream | One of the following values: SMF80_COMMAND, SMF80_LOGON, SMF80_OMVS_RES_1, SMF80_OMVS_RES_2, SMF80_OMVS_SEC_1, SMF80_OMVS_SEC_2, SMF80_OPERATION, SMF80_RESOURCE. To select this data stream in the configuration tool UI: In the “Select data stream” window, click SMF Data > IOAz > Security, and select the check box for the respective data stream. |
| Transcribe Transform | UTF-8 |
| Split Transform | CRLF Split |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.

Fields that are annotated by IBM Operations Analytics for z Systems

In the following table, the column that is titled “Corresponding SMF field” indicates the name of the SMF field that corresponds to the field name in the annotation.

Table 10. Annotated fields for SMF record type 80 data

| Field | Description | Corresponding SMF field | Data type |
| --- | --- | --- | --- |
| AccessAllow | Access authority allowed | SMF80DTA | Text |
| AccessReq | Access authority requested | SMF80DTA | Text |
| AccessType | Setting that is used in granting access. The following values are possible: None, Owner, Group, Other | SMF80DA2 | Text |
| Application | Application name that is specified on the RACROUTE request | SMF80DTA | Text |
| AuditDesc | Descriptive name of the operation that is audited | SMF80DA2 | Text |
| AuditName | Name of the operation that is audited | SMF80DA2 | Text |
| Auditor | AUDITOR attribute (Y/N) | SMF80ATH | Text |
| AuditorExec | Auditor execute/search audit options | SMF80DA2 | Text |
| AuditorRead | Auditor read access audit options | SMF80DA2 | Text |
| AuditorUserExec | User execute/search audit options | SMF80DA2 | Text |
| AuditorUserRead | User read access audit options | SMF80DA2 | Text |
| AuditorUserWrite | User write access audit options | SMF80DA2 | Text |
| AuditorWrite | Auditor write access audit options | SMF80DA2 | Text |
| AuthorityFlags | Flags that indicate the authority checks that are made for the user who requested the action | SMF80ATH | Text |
| CHOWNGroupID | z/OS UNIX group identifier (GID) input parameter | SMF80DA2 | Text |
| CHOWNUserID | z/OS UNIX user identifier (UID) input parameter | SMF80DA2 | Text |
| Class | The class entries that are supplied by IBM in the class descriptor table (ICHRRCDX) | SMF80DTA | Text |
| Command | A string that is derived by using the SMF80EVT and SMF80EVQ values | SMF80EVT, SMF80EVQ | Text |
| EffectiveGroup | User's effective GID setting | SMF80DA2 | Text |
| EffectiveUser | User's effective UID setting | SMF80DA2 | Text |
| Event | Short description of the event code and qualifier | SMF80EVT, SMF80EVQ | Text |
| EventCode | Event code | SMF80EVT | Text |
| EventDate | Date that the event occurred | SMF80DTE | Text |
| EventDesc | Verbose description of the event code and qualifier | SMF80EVT | Text |
| EventQual | Event code qualifier | SMF80EVQ | Text |
| Failed | Event code qualifier is nonzero, which indicates a failed request (Y/N) | SMF80EVQ | Text |
| Filename | File name of the file that is being checked | SMF80DA2 | Text |
| FileOwnerGroup | File owner's GID | SMF80DA2 | Text |
| FileOwnerUser | File owner's UID | SMF80DA2 | Text |
| Generic | Generic profile used (Y/N) | SMF80DTP | Text |
| GroupExec | Group permissions bit: execute | SMF80DA2 | Text |
| GroupRead | Group permissions bit: read | SMF80DA2 | Text |
| GroupWrite | Group permissions bit: write | SMF80DA2 | Text |
| ISGID | Requested file mode: S_ISGID bit | SMF80DA2 | Text |
| ISUID | Requested file mode: S_ISUID bit | SMF80DA2 | Text |
| ISVTX | Requested file mode: S_ISVTX bit | SMF80DA2 | Text |
| OtherExec | Other permissions bit: execute | SMF80DA2 | Text |
| OtherRead | Other permissions bit: read | SMF80DA2 | Text |
| OtherWrite | Other permissions bit: write | SMF80DA2 | Text |
| OwnerExec | Owner permissions bit: execute | SMF80DA2 | Text |
| OwnerRead | Owner permissions bit: read | SMF80DA2 | Text |
| OwnerWrite | Owner permissions bit: write | SMF80DA2 | Text |
| Pathname | Full path name of the file that is being checked | SMF80DA2 | Text |
| ProfileName | Name of the Resource Access Control Facility (RACF) profile that is used to access the resource | SMF80DTA | Text |
| RealGroup | User's real GID setting | SMF80DA2 | Text |
| RealUser | User's real UID setting | SMF80DA2 | Text |
| RecordType | Internal record type. The following values are possible: SMF80_COMMAND, SMF80_LOGON, SMF80_OMVS_RES_1, SMF80_OMVS_RES_2, SMF80_OMVS_SEC_1, SMF80_OMVS_SEC_2, SMF80_OPERATION, SMF80_RESOURCE. For information about these values, see the IBM Common Data Provider for z Systems documentation in the IBM Knowledge Center. | Set by the data provider | Text |
| ResourceName | Resource name | SMF80DTA | Text |
| SavedGroup | User's saved GID setting | SMF80DA2 | Text |
| SavedUser | User's saved UID setting | SMF80DA2 | Text |
| Special | SPECIAL attribute (Y/N) | SMF80ATH | Text |
| SuperUser | z/OS UNIX superuser (Y/N) | SMF80AU2 | Text |
| SystemID | The system identifier from the SID parameter in the SMFPRMnn member | SMF80SID | Text |
| TermID | Terminal ID of the foreground user (zero if not available) | SMF80TRM | Text |
| UserID | Identifier of the user that is associated with this event. The value of JobName is used if the user is not defined to RACF. | SMF80USR | Text |

SMF type 80-related records that the System Data Engine creates

The IBM Common Data Provider for z Systems System Data Engine collects a subset of the SMF data that is generated by the Resource Access Control Facility (RACF). This reference describes the types of records that the System Data Engine creates as it extracts relevant data from SMF type 80 records.

The System Data Engine creates the following record types:

- SMF80_COMMAND
- SMF80_LOGON
- SMF80_OMVS_RES_1
- SMF80_OMVS_RES_2
- SMF80_OMVS_SEC_1
- SMF80_OMVS_SEC_2
- SMF80_OPERATION
- SMF80_RESOURCE

From each SMF type 80 record that it collects, the System Data Engine uses the following information to determine what data to extract:

- SMF event in the SMF80EVT field
- RACF event code qualifier in the SMF80EVQ field

The System Data Engine excludes SMF events that occur for hierarchical storage management (HSM), for example, events where the value of the user ID SMF80USR is HSM.

For more information about SMF record type 80 records, see the following topics from the z/OS documentation in the IBM Knowledge Center:

- SMF record type 80: RACF processing record
- Format of SMF record type 80 records
- SMF record type 80 event codes and event code qualifiers

SMF80_COMMAND record type

SMF record type 80 records for events 8 - 25 are created when RACF commands fail because the user who ran them does not have sufficient authority. Relevant fields from these SMF event records are stored in the SMF80_COMMAND records that are created by the System Data Engine.


Table 11 describes the event code qualifiers for events 8 - 25, which provide more information about why the command failed.

Table 11. SMF80_COMMAND record type: event code qualifiers for events 8 - 25

| Event code qualifier | Description |
| --- | --- |
| 1 | Insufficient authority |
| 2 | Keyword violations detected |
| 3 | Successful listing of data sets |
| 4 | System error in listing of data sets |

SMF80_LOGON record type

SMF record type 80 records for event 1 are created when RACF authentication fails because of incorrect user credentials, which prevents the user from accessing the system. Relevant fields from this SMF event record are stored in the SMF80_LOGON records that are created by the System Data Engine.

Table 12 describes the event code qualifiers for event 1, which provide more information about why the logon failed.

Table 12. SMF80_LOGON record type: event code qualifiers for event 1

| Event code qualifier | Description |
| --- | --- |
| 1 | Invalid password |
| 2 | Invalid group |
| 3 | Invalid object identifier (OID) card |
| 4 | Invalid terminal/console |
| 5 | Invalid application |
| 6 | Revoked user ID attempting access |
| 7 | User ID automatically revoked |
| 9 | Undefined user ID |
| 10 | Insufficient security label authority |
| 11 | Not authorized to security label |
| 14 | System now requires more authority |
| 15 | Remote job entry—job not authorized |
| 16 | Surrogate class is inactive |
| 17 | Submitter is not authorized by user |
| 18 | Submitter is not authorized to security label |
| 19 | User is not authorized to job |
| 20 | Warning—insufficient security label authority |
| 21 | Warning—security label missing from job, user, or profile |
| 22 | Warning—not authorized to security label |
| 23 | Security labels not compatible |
| 24 | Warning—security labels not compatible |
| 25 | Current password has expired |
| 26 | Invalid new password |
| 27 | Verification failed by installation |
| 28 | Group access has been revoked |
| 29 | Object identifier (OID) card is required |
| 30 | Network job entry—job not authorized |
| 31 | Warning—unknown user from trusted node propagated |
| 32 | Successful initiation using PassTicket |
| 33 | Attempted replay of PassTicket |
| 34 | Client security label not equivalent to servers |
| 35 | User automatically revoked due to inactivity |
| 36 | Passphrase is not valid |
| 37 | New passphrase is not valid |
| 38 | Current passphrase has expired |
| 39 | No RACF user ID found for distributed identity |

SMF80_OMVS_RES record types

SMF record type 80 records for events 28 - 30 are created when the following z/OS UNIX operations occur: directory search, check access to directory, or check access to file. Relevant fields from these SMF event records are stored in the SMF80_OMVS_RES_1 and SMF80_OMVS_RES_2 records that are created by the System Data Engine.

Table 13 describes the event code qualifiers for events 28 - 30, which provide more information about the operation results.

Table 13. SMF80_OMVS_RES_1 and SMF80_OMVS_RES_2 record types: event code qualifiers for events 28 - 30

| Event code qualifier | Description |
| --- | --- |
| 0 | Access allowed |
| 1 | Not authorized to search directory |
| 2 | Security label failure |

SMF80_OMVS_SEC record types

SMF record type 80 records for events 31 and 33 - 35 are created when the z/OS UNIX commands CHAUDIT, CHMOD, or CHOWN are entered, or when the SETID bits for a file are cleared. Relevant fields from these SMF event records are stored in the SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 records that are created by the System Data Engine.

Table 14, Table 15, Table 16, and Table 17 describe the event code qualifiers for events 31 and 33 - 35, which provide more information about the operation results.


Table 14. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers for event 31

| Event code qualifier | Description |
| --- | --- |
| 0 | File's audit options changed |
| 1 | Caller does not have authority to change user audit options of specified file |
| 2 | Caller does not have authority to change auditor audit options |
| 3 | Security label failure |

Table 15. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers for event 33

| Event code qualifier | Description |
| --- | --- |
| 0 | File's mode changed |
| 1 | Caller does not have authority to change mode of specified file |
| 2 | Security label failure |

Table 16. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers for event 34

| Event code qualifier | Description |
| --- | --- |
| 0 | File's owner or group owner changed |
| 1 | Caller does not have authority to change owner or group owner of specified file |
| 2 | Security label failure |

Table 17. SMF80_OMVS_SEC_1 and SMF80_OMVS_SEC_2 record types: event code qualifiers for event 35

| Event code qualifier | Description |
| --- | --- |
| 0 | S_ISUID, S_ISGID, and S_ISVTX bits changed to zero (write). |

SMF80_OPERATION record type

SMF record type 80 records for events 2 - 7 are created when a z/OS resource that is protected by RACF is updated, deleted, or accessed by a user that is defined to RACF with the SPECIAL attribute. Relevant fields from these SMF event records are stored in the SMF80_OPERATION records that are created by the System Data Engine.

Table 18, Table 19, Table 20, Table 21, Table 22, and Table 23 describe the event code qualifiers for events 2 - 7, which provide more information about the operation results.

Table 18. SMF80_OPERATION record type: event code qualifiers for event 2

| Event code qualifier | Description |
| --- | --- |
| 0 | Successful access |
| 1 | Insufficient authority |
| 2 | Profile not found—RACFIND specified on macro |
| 3 | Access permitted due to warning |
| 4 | Failed due to PROTECTALL SETROPTS |
| 5 | Warning issued due to PROTECTALL SETROPTS |
| 6 | Insufficient category/SECLEVEL |
| 7 | Insufficient security label authority |
| 8 | Security label missing from job, user, or profile |
| 9 | Warning—insufficient security label authority |
| 10 | Warning—data set not cataloged |
| 11 | Data set not cataloged |
| 12 | Profile not found—required for authority checking |
| 13 | Warning—insufficient category/SECLEVEL |
| 14 | Warning—non-main execution environment |
| 15 | Conditional access allowed via basic mode program |

Table 19. SMF80_OPERATION record type: event code qualifiers for event 3

| Event code qualifier | Description |
| --- | --- |
| 0 | Successful processing of new volume |
| 1 | Insufficient authority |
| 2 | Insufficient security label authority |
| 3 | Less specific profile exists with different security label |

Table 20. SMF80_OPERATION record type: event code qualifiers for event 4

| Event code qualifier | Description |
| --- | --- |
| 0 | Successful rename |
| 1 | Invalid group |
| 2 | User not in group |
| 3 | Insufficient authority |
| 4 | Resource name already defined |
| 5 | User not defined to RACF |
| 6 | Resource not protected SETROPTS |
| 7 | Warning—resource not protected SETROPTS |
| 8 | User in second qualifier is not RACF defined |
| 9 | Less specific profile exists with different security label |
| 10 | Insufficient security label authority |
| 11 | Resource not protected by security label |
| 12 | New name not protected by security label |
| 13 | New security label must dominate old security label |
| 14 | Insufficient security label authority |
| 15 | Warning—resource not protected by security label |
| 16 | Warning—new name not protected by security label |
| 17 | Warning—new security label must dominate old security label |

Table 21. SMF80_OPERATION record type: event code qualifiers for event 5

| Event code qualifier | Description |
| --- | --- |
| 0 | Successful scratch |
| 1 | Resource not found |
| 2 | Invalid volume |

Table 22. SMF80_OPERATION record type: event code qualifiers for event 6

| Event code qualifier | Description |
| --- | --- |
| 0 | Successful deletion |

Table 23. SMF80_OPERATION record type: event code qualifiers for event 7

| Event code qualifier | Description |
| --- | --- |
| 0 | Successful definition |
| 1 | Group undefined |
| 2 | User not in group |
| 3 | Insufficient authority |
| 4 | Resource name already defined |
| 5 | User not defined to RACF |
| 6 | Resource not protected |
| 7 | Warning—resource not protected |
| 8 | Warning—security label missing from job, user, or profile |
| 9 | Insufficient security label authority |
| 10 | User in second qualifier is not defined to RACF |
| 11 | Insufficient security label authority |
| 12 | Less specific profile exists with a different security label |


SMF80_RESOURCE record type

SMF record type 80 records for event 2 are created when a z/OS resource that is protected by RACF is updated, deleted, or accessed by a user. Relevant fields from these SMF event records are stored in the SMF80_RESOURCE records that are created by the System Data Engine.

Table 24 describes the event code qualifiers for event 2, which provide more information about the operation results.

Table 24. SMF80_RESOURCE record type: event code qualifiers for event 2

| Event code qualifier | Description |
| --- | --- |
| 0 | Successful access |
| 1 | Insufficient authority |
| 2 | Profile not found—RACFIND specified on macro |
| 3 | Access permitted due to warning |
| 4 | Failed due to PROTECTALL SETROPTS |
| 5 | Warning issued due to PROTECTALL SETROPTS |
| 6 | Insufficient category/SECLEVEL |
| 7 | Insufficient security label authority |
| 8 | Security label missing from job, user, or profile |
| 9 | Warning—insufficient security label authority |
| 10 | Warning—data set not cataloged |
| 11 | Data set not cataloged |
| 12 | Profile not found—required for authority checking |
| 13 | Warning—insufficient category/SECLEVEL |
| 14 | Warning—non-main execution environment |
| 15 | Conditional access allowed via basic mode program |
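The following Python sketch is an added example, not part of the IBM documentation or product code. It triages annotated SMF type 80 events for event 1 (Table 12) and event 2 (Table 24) by qualifier rather than by the Failed field, because several nonzero qualifiers in those tables describe warnings or successes. The event dictionaries, sample values, function names, and threshold are constructed for illustration; only the field names and qualifier numbers come from the tables above, and one batch is assumed to be one time window selected on the analytics platform.

```python
from collections import Counter

# Nonzero qualifiers that Table 12 (event 1) and Table 24 (event 2) describe as a
# warning or a success. Failed is still Y for them because the qualifier is nonzero.
NOT_DENIED = {
    1: {20, 21, 22, 24, 31, 32},
    2: {3, 5, 9, 10, 13, 14, 15},
}
# Event 1 qualifiers reported individually (descriptions copied from Table 12).
LOGON_ALERTS = {
    6: "Revoked user ID attempting access",
    9: "Undefined user ID",
    33: "Attempted replay of PassTicket",
}
# Event 1 qualifiers counted per user: invalid password, passphrase is not valid.
BAD_CREDENTIAL = {1, 36}


def outcome(event):
    """Classify one annotated event as success, not_denied, denied or unclassified."""
    code, qual = int(event["EventCode"]), int(event["EventQual"])
    if code not in NOT_DENIED:
        return "unclassified"  # other events have their own qualifier tables
    if qual == 0:
        return "success"
    return "not_denied" if qual in NOT_DENIED[code] else "denied"


def failed_flag_overcount(events):
    """Count events where Failed=Y although the qualifier is a warning or success."""
    return sum(1 for ev in events
               if ev["Failed"] == "Y" and outcome(ev) == "not_denied")


def triage(events, threshold=3):
    """Return sorted (SystemID, UserID, reason) findings for one batch of events."""
    findings = set()
    bad_creds = Counter()
    denied_access = Counter()
    for ev in events:
        if outcome(ev) != "denied":
            continue
        key = (ev["SystemID"], ev["UserID"])
        code, qual = int(ev["EventCode"]), int(ev["EventQual"])
        if code == 1 and qual in LOGON_ALERTS:
            findings.add(key + (LOGON_ALERTS[qual],))
        elif code == 1 and qual in BAD_CREDENTIAL:
            bad_creds[key] += 1
        elif code == 2:
            denied_access[key] += 1
    for key, count in bad_creds.items():
        if count >= threshold:
            findings.add(key + (f"{count} invalid password or passphrase attempts",))
    for key, count in denied_access.items():
        if count >= threshold:
            findings.add(key + (f"{count} denied resource accesses",))
    return sorted(findings)


def make_event(code, qual, user, record_type, system="SYS1"):
    """Build a constructed event that uses the annotated field names of Table 10."""
    return {
        "RecordType": record_type,
        "EventCode": str(code),          # annotated fields have data type Text
        "EventQual": str(qual),
        "Failed": "N" if qual == 0 else "Y",
        "SystemID": system,
        "UserID": user,
    }


# Constructed sample batch; user and system names are hypothetical.
SAMPLE_EVENTS = [
    make_event(1, 1, "USERA", "SMF80_LOGON"),
    make_event(1, 1, "USERA", "SMF80_LOGON"),
    make_event(1, 36, "USERA", "SMF80_LOGON"),
    make_event(1, 32, "BATCH1", "SMF80_LOGON"),     # PassTicket success, Failed=Y
    make_event(1, 33, "BATCH1", "SMF80_LOGON"),     # PassTicket replay
    make_event(1, 6, "USERB", "SMF80_LOGON"),
    make_event(2, 3, "USERC", "SMF80_RESOURCE"),    # permitted due to warning
    make_event(2, 1, "USERC", "SMF80_RESOURCE"),    # one denial, below threshold
    make_event(1, 1, "USERD", "SMF80_LOGON"),       # one bad password, below threshold
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print("Failed=Y but not denied:", failed_flag_overcount(SAMPLE_EVENTS))
```

A search that counts only Failed=Y would include the PassTicket success and the warning-mode access in this batch, which is why the sketch keys on the qualifier.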

SMF 110 data

System Management Facilities (SMF) record type 110 data is generated by CICS Transaction Server for z/OS.

- “SMF 110 data generation”
- “SMF110_E record type for monitoring exceptions data”
- “SMF110_S_10 for global transaction manager statistics data”

SMF 110 data generation

The IBM Common Data Provider for z Systems System Data Engine collects only a subset of the SMF record type 110 data that is generated by CICS Transaction Server for z/OS. It collects the following data from SMF record type 110:

- Monitoring exceptions data for CICS Transaction Server for z/OS from SMF type 110 subtype 1 records, with a class where data = 4
- Global transaction manager statistics data for CICS Transaction Server for z/OS from SMF type 110 subtype 2 records, with a class where STID = 10

To enable the generation of SMF record type 110 data, you must include the SMF 110 record type in the single SMF log stream that the System Data Engine processes. You must also define the following CICS Transaction Server for z/OS initialization parameters in the SYSIN data set of the CICS startup job stream:

    STATRCD=ON,       Interval statistics recording
    STATINT=001000,   Interval definition
    MN=ON,            Turn monitoring on or off
    MNEXC=ON,         Exceptions monitoring
    MNRES=ON,         Resource monitoring

For more information about enabling the generation of SMF record type 110 data, see Specifying system initialization parameters before startup in the CICS Transaction Server for z/OS Version 5.3 documentation.

The System Data Engine creates the following record types as it extracts the relevant data from SMF type 110 records:

- zOS-SMF110_E for monitoring exceptions data
- zOS-SMF110_S_10 for global transaction manager statistics data

SMF110_E record type for monitoring exceptions data

SMF110_E records contain information about CICS Transaction Server for z/OS resource shortages that occur during a transaction, such as queuing for file strings and waiting for temporary storage. This data highlights possible problems in CICS system operation. It can help you identify system constraints that affect the performance of your transactions. CICS writes one exception record for each exception condition that occurs.

- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

For prerequisite requirements for defining SMF data streams, see .

Table 25. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for SMF record type 110 monitoring exceptions data

| Configuration artifact | Required value |
| --- | --- |
| Data Stream | SMF110_E. To select this data stream in the configuration tool UI: In the “Select data stream” window, click SMF Data > IOAz > CICS, and select the SMF110_E check box. |
| Transcribe Transform | UTF-8 |
| Split Transform | CRLF Split |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.


Fields that are annotated by IBM Operations Analytics for z Systems

In the following table, the column that is titled “Corresponding SMF field” indicates the name of the SMF field that corresponds to the field name in the annotation.

Table 26. Annotated fields for SMF record type 110 monitoring exceptions data

| Field | Description | Corresponding SMF field | Data type |
| --- | --- | --- | --- |
| ApplID | The product name (Generic APPLID) | SMFMNPRN | Text |
| ApplIDSpec | The product name (Specific APPLID) | SMFMNSPN | Text |
| BridgeTransID | The bridge transaction ID | EXCMNBTR | Text |
| CICSTrans | The transaction identification | EXCMNTRN | Text |
| ExceptionEnd | The exception stop time | EXCMNSTO | Text |
| ExceptionID | The exception ID | EXCMNRIX | Text |
| ExceptionID2 | The extended exception ID | EXCMNRIX | Text |
| ExceptionLen | The exception resource ID length | EXCMNRIL | Long |
| ExceptionNumber | The exception sequence number for the task | EXCMNEXN | Text |
| ExceptionStart | The exception start time | EXCMNSTA | Date |
| ExceptionType | The exception type | EXCMNTYP | Text |
| JobName | The 8-character name of the job on the z/OS system | SMFMNJBN | Text |
| LU | The real logical unit on the z/OS system | EXCMNRLU | Text |
| LUName | The logical unit on the z/OS system | EXCMNLUN | Text |
| NetID | The NETID if a network qualified name was received from z/OS Communications Server. For a z/OS Communications Server resource where the network qualified name was not yet received, NETID is eight blanks. In all other cases, this field is null. | EXCMNNID | Text |
| ProgName | The name of the currently running program for the user task when the exception condition occurred | EXCMNCPN | Text |
| RecordType | The internal record type, which is SMF110_E | Set by the data provider | Text |
| RecordVersion | The record version in CICS Transaction Server for z/OS | SMFMNRVN | Text |
| ReportClass | The report class name | EXCMNRPT | Text |
| ResourceID | The exception resource identification | EXCMNRID | Text |
| ResourceType | The exception resource type | EXCMNRTY | Text |
| ServiceClass | The service class name | EXCMNSRV | Text |
| SubsystemID | The subsystem identification | SMFMNSSI | Text |
| SystemID | The system identifier from the SID parameter in the SMFPRMnn member | SMFMNSID | Text |
| TerminalID | The terminal identification | EXCMNTER | Text |
| TranClassName | The transaction class name | EXCMNTCN | Text |
| TransFacName | The transaction facility name | EXCMNFCN | Text |
| TransFlags | The transaction flags. For more information about these flags, see the description of the 8-byte TRANFLAG field at offset 164 in the CICS Transaction Server for z/OS Version 5.3 documentation. | EXCMNTRF | Text |
| TransNum | The transaction identification number | EXCMNTNO | Text |
| TransPriority | The transaction priority | EXCMNTPR | Text |
| UORID | Resource management services (RRMS) MVS unit of recovery identification | EXCMNURI | Text |
| UOWName | The network unit-of-work suffix | EXCMNNSX | Text |
| UserID | The user identification at task creation. This identifier can also be the remote user identifier for a task that is created as the result of receiving an ATTACH request across a multiregion operation (MRO) or Advanced Program-to-Program Communication (APPC) link with attach-time security enabled. | EXCMNUSR | Text |
| zCSName | The network unit-of-work prefix | EXCMNNPX | Text |

SMF110_S_10 for global transaction manager statistics data

SMF110_S_10 records contain transactions summary information for CICS Transaction Server for z/OS. This data can give you a more holistic view of the CICS region, including a comparison among the current and peak numbers of transactions that are running in the region, and the maximum number of allowed transactions.

- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

For prerequisite requirements for defining SMF data streams, see .

Table 27. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for SMF record type 110 global transaction manager statistics data

| Configuration artifact | Required value |
| --- | --- |
| Data Stream | SMF110_S_10. To select this data stream in the configuration tool UI: In the “Select data stream” window, click SMF Data > IOAz > CICS, and select the SMF110_S_10 check box. |
| Transcribe Transform | UTF-8 |
| Split Transform | CRLF Split |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.

Fields that are annotated by IBM Operations Analytics for z Systems

In the following table, the column that is titled “Corresponding SMF field” indicates the name of the SMF field that corresponds to the field name in the annotation.

Table 28. Annotated fields for SMF record type 110 global transaction manager statistics data

| Field | Description | Corresponding SMF field | Data type |
| --- | --- | --- | --- |
| ApplID | The product name (Generic APPLID) | SMFSTPRN | Text |
| AtsMxt | An indicator of the limit for the number of concurrent tasks | XMGATMXT | Text |
| GmtsLast_TxnAttch | The time when the last transaction was attached | XMGGTAT | Date |
| GmtsMxtReached | According to Greenwich mean time (GMT), the time when the task limit (the value of MAXTASKS) was met | XMGGAMXT | Text |
| GmtsMxtSet | According to Greenwich mean time (GMT), the time when the task limit (the value of MAXTASKS) was set | XMGGSMXT | Long |
| IntervalDuration | For a status type (StatsType) of INT, the interval duration, which is represented in the time format HHMMSS | SMFSTINT | Text |
| LclsLast_TxnAttch | The date and time when the last transaction was attached | XMGLTAT | Long |
| LclsMxtReached | The local time when the task limit (the value of MAXTASKS) was met | XMGLAMXT | Text |
| LclsMxtSet | The local time when the task limit (the value of MAXTASKS) was set | XMGLSMXT | Long |
| MAXTASKS | The limit for the number of concurrent tasks | XMGMXT | Long |
| RecordIncomplete | An indicator that is set to YES if incomplete data is recorded | SMFSTICD | Text |
| RecordType | The internal record type, which is SMF110_S_10 | Set by the data provider | Text |
| RecordVersion | The record version in the following format: x’0vrm’ | SMFSTRVN | Text |
| StatsArea | The status area | Set by the data provider | Text |
| StatsType | The status type. For example, one of the following types: EOD, INT, REQ, RRT, USS | SMFSTRQT | Text |
| SystemID | The system identifier from the SID parameter in the SMFPRMnn member | SMFMNSID | Text |
| TransCount | The number of user and system transactions that are attached | XMGNUM | Double |
| TransCurrentActiveUser | At the present time, the number of active user transactions in the system | XMGCAT | Long |
| TransCurrent_QSec | At the present time, the number of seconds that transactions are queued because the task limit (the value of MAXTASKS) was met | W_CUR_Q_TIME | Double |
| TransPeakActiveUser | The highest number of active user transactions | XMGPAT | Long |
| TransPeakQueued | The highest number of queued user transactions | XMGPQT | Long |
| TransQueuedUser | The number of queued user transactions in the system | XMGCQT | Long |
| TransTimesAtMAXTASKS | The number of times that the task limit (the value of MAXTASKS) was met | XMGTAMXT | Long |
| TransTotalActive | For a specified time interval, the number of active user transactions in the system | XMGTAT | Long |
| TransTotalDelayed | For a specified time interval, the number of user transactions that were delayed because the task limit (the value of MAXTASKS) was met | XMGTDT | Long |
| TransTotal_QSec | For a specified time interval, the number of seconds that transactions were queued because the task limit (the value of MAXTASKS) was met | W_TOT_Q_TIME | Double |
| TransTotalTasks | At the time of the last reset, the number of transactions in the system | XMGTNUM | Double |

SMF 120 data

System Management Facilities (SMF) record type 120 data is generated by WebSphere Application Server for z/OS.

- “SMF record type 120 data generation”
- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

SMF record type 120 data generation

The IBM Common Data Provider for z Systems System Data Engine collects only asubset of the SMF record type 120 data that is generated by WebSphereApplication Server for z/OS. It collects performance data from SMF record type120 subtype 9. The default SMF type 120 subtype 9 record contains information forproperly monitoring the performance of your EJB components and webapplications.

Restriction: This performance data does not include data for the WebSphereLiberty server.

To enable the generation of SMF record type 120 data, you must include the SMF120 record type in the single SMF log stream that the IBM Common Data Providerfor z Systems System Data Engine processes. Also, for each application serverinstance that you want to monitor, you must specify properties for SMF datacollection by setting WebSphere Application Server for z/OS environment variablesfrom the WebSphere Application Server Administrative Console. For moreinformation about enabling the generation of SMF record type 120 data, see Usingthe administrative console to enable properties for specific SMF record types in theWebSphere Application Server for z/OS Version 9.0 documentation.

The System Data Engine creates the following record types as it extracts theperformance data from SMF type 120 subtype 9 records:v SMF120_REQAPPL for WebSphere application recordsv SMF120_REQCONT for WebSphere controller records

The SMF type 120 subtype 9 record contains information about the activity of theWebSphere server and the hosted applications. This record is produced whenever aserver receives a request. When you do capacity planning, consider the costs thatare involved in running requests and the number of requests that you processduring a specific time. You can use the SMF type 120 subtype 9 record to monitor

New documentation for insights on Splunk and Elastic Stack platforms xxxiii

Page 36: I B M Op e r a ti o n s An a l yti cs f o r z S y s t e m s IBM › support › knowledgecenter › SS55JD_3.1.0 › ... · 2019-02-26 · I B M Op e r a ti o n s An a l yti cs f

which requests are associated with which applications, the number of requests thatoccur, and the amount of resource that each request uses. You can also use thisrecord to identify the applications that are involved and the amount of CPU timethat the requests use.

As part of planning to collect SMF 120 data, consider the disk space requirements for storing the data and the increase in network activity that is required to transmit SMF data.

To reduce any system performance degradation due to data collection and to improve the usability of the data, the System Data Engine aggregates the SMF activity records in 1-minute collection intervals by default. Ensure that the collection interval is an integral factor of the SMF global recording interval, as measured in minutes, so that data collection is synchronized. For example, a 1-, 3-, or 5-minute collection interval is an integral factor of a typical 15-minute SMF global recording interval, but a 4-minute collection interval is not. The SMF global recording interval INTERVAL(nn) is defined in the SMFPRMxx member of SYS1.PARMLIB (or its equivalent).

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

For prerequisite requirements for defining SMF data streams, see .

Table 29. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for SMF record type 120 data

| Configuration artifact | Required value |
| --- | --- |
| Data Stream | One of the following values: SMF120_REQAPPL, SMF120_REQAPPL. To select this data stream in the configuration tool UI: In the “Select data stream” window, click SMF Data > IOAz > WAS, and select the check box for the respective data stream. |
| Transcribe Transform | UTF-8 |
| Split Transform | CRLF Split |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.

Fields that are annotated by IBM Operations Analytics for z Systems

In the following table, the column that is titled “Corresponding SMF field” indicates the name of the SMF field that corresponds to the field name in the annotation.

Table 30. Annotated fields for SMF record type 120 data

| Field | Description | Corresponding SMF field | Data type |
| --- | --- | --- | --- |
| Application | The application name | SM1209EO | Text |
| ControllerJobname | The job name for the controller | SM1209BT | Text |
| DeleteServiceCPUActiveCount | The count of samples when the enclave delete CPU service time was non-zero. Time is accumulated by the enclave as reported by the CPUSERVICE parameter of the IWM4EDEL API. A value of 0 indicates that the enclave was not deleted. | SM1209DN count | Long |
| DispatchCPU | The amount of CPU time, in microseconds, that is used by dispatch TCB. | SM1209CI | Double |
| EnclaveCPU | The amount of CPU time that was used by the enclave as reported by the CPUTIME parameter of the IWM4EDEL API. | SM1209DH | Double |
| EnclaveServiceDeleteCPU | The enclave delete CPU service that is accumulated by the enclave as reported by the CPUSERVICE parameter of the IWM4EDEL API. A value of 0 indicates that the enclave was not deleted. | SM1209DN | Double |
| RecordType | Internal record type. The following values are possible: SMF120_REQAPPL, which indicates a WebSphere application record; SMF120_REQCONT, which indicates a WebSphere controller record. | Set by the data provider | Text |
| RequestCount | Request count | Set by the data provider | Long |
| RequestEnclaveCPU | The enclave CPU time at the end of the dispatch of this request, as reported by the CPUTIME parameter of the IWMEQTME API. The units are in TOD format. | SM1209DA | Double |
| RequestTime | The time that the request was received, or the time that the WebSphere application or controller completed processing of the request response. | SM1209CM, SM1209CQ | Double |
| RequestType | The type of request that was processed. The following values are possible: HTTP, HTTPS, IIOP, INTERNAL, MBEAN, MDB-A, MDB-B, MDB-C, NOTKNOWN, OTS, SIP, SIPS, UNKNOWN. | SM1209CK | Text |
| SpecialtyCPU | The amount of CPU time that was spent on non-standard CPs, such as the z Systems Application Assist Processor (zAAP) and z Systems Integrated Information Processor (zIIP). This value is obtained from the TIMEUSED API. | SM1209CX | Double |
| SpecialtyCPUActiveCount | The count of samples when the amount of CPU time that was spent on non-standard CPs, such as the zAAP and zIIP, was non-zero. The CPU utilization value is obtained from the TIMEUSED API. | SM1209CX count | Long |
| SystemID | The system identifier | SM120SID | Text |
| zAAPCPUActiveCount | The count of samples when the delete zAAP CPU enclave time was non-zero. A value of 0 indicates that the enclave was not deleted or not normalized. This CPU time is obtained from the ZAAPTIME field in the IWM4EDEL macro. | SM1209DI count | Long |
| zAAPEligibleCPU | The amount of CPU time at the end of the dispatch of this request that is spent on a regular CP that could have been run on a zAAP, but the zAAP was not available. This value is obtained from the ZAAPONCPTIME field in the IWMEQTME macro. | SM1209DC | Double |
| zAAPEnclaveCPUNormalized | The enclave zAAP CPU time at the end of the dispatch of this request, as reported by the ZAAPTIME parameter of the IWMEQTME API. This utilization is adjusted by the zAAP normalization factor at the end of the dispatch of this request. The normalization factor is obtained from the ZAAPNFACTOR parameter of the IWMEQTME API. | SM1209DG, SM1209DB | Double |
| zAAPEnclaveDeleteCPU | The delete zAAP CPU enclave. A value of 0 indicates that the enclave was not deleted or not normalized. This value is obtained from the ZAAPTIME field in the IWM4EDEL macro. This value is normalized by the enclave delete zAAP normalization factor as reported by the ZAAPNFACTOR parameter of the IWM4EDEL API. | SM1209DJ, SM1209DI | Double |
| zAAPEnclaveServiceDeleteCPU | The enclave delete zAAP Service that is accumulated by the enclave as reported by the ZAAPSERVICE parameter of the IWM4EDEL API. A value of 0 indicates that the enclave was not deleted. | SM1209DM | Double |
| zAAPServiceCPUActiveCount | The count of samples when the enclave delete zAAP service time was non-zero. Time is accumulated by the enclave as reported by the ZAAPSERVICE parameter of the IWM4EDEL API. A value of 0 indicates that the enclave was not deleted. | SM1209DM count | Long |
| zIIPCPUActiveCount | The count of samples when the enclave delete zIIP time was non-zero. Time is accumulated by the enclave as reported by the ZIIPTIME parameter of the IWM4EDEL API. A value of 0 indicates that the enclave was not deleted. | SM1209DK count | Long |
| zIIPEligibleCPUEnclave | The eligible zIIP enclave that is on the CPU at the end of the dispatch of this request. This value is obtained from the ZIIPTIME field in the IWMEQTME macro. | SM1209DF | Double |
| zIIPEnclaveCPU | The zIIP enclave that is on the CPU at the end of the dispatch of this request. This value is obtained from the ZIIPONCPTIME field in the IWMEQTME macro. | SM1209DD | Double |
| zIIPEnclaveDeleteCPU | The enclave delete zIIP time that is accumulated by the enclave as reported by the ZIIPTIME parameter of the IWM4EDEL API. A value of 0 indicates that the enclave was not deleted. | SM1209DK | Double |
| zIIPEnclaveQualityCPU | The zIIP Quality Time enclave that was on the CPU at the end of the dispatch of this request. This value is obtained from the ZIIPQUALTIME field in the IWMEQTME macro. | SM1209DE | Double |
| zIIPEnclaveServiceDeleteCPU | The enclave delete zIIP service that is accumulated by the enclave as reported by the ZIIPSERVICE parameter of the IWM4EDEL API. A value of 0 indicates that the enclave was not deleted or not normalized. | SM1209DL | Double |
| zIIPServiceCPUActiveCount | The count of samples when the enclave delete zIIP service time was non-zero. Time is accumulated by the enclave as reported by the ZIIPSERVICE parameter of the IWM4EDEL API. A value of 0 indicates that the enclave was not deleted or not normalized. | SM1209DL count | Long |

SYSLOG data

z/OS system log (z/OS SYSLOG) data can originate either from the operations log (OPERLOG) or from the z/OS user exits.
- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

Table 31. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for z/OS SYSLOG data

| Configuration artifact | Required value |
| --- | --- |
| Data Stream | One of the following values: z/OS SYSLOG, z/OS SYSLOG from OPERLOG. To select this data stream in the configuration tool UI: In the “Select data stream” window, click Log Data > System Logs, and select the check box for the respective data stream. |
| Transcribe Transform | UTF-8 |
| Split Transform | For a z/OS SYSLOG data stream, the transform value is SYSLOG Splitter. For a z/OS SYSLOG from OPERLOG data stream, you do not provide a value for the splitter. |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.

Fields that are annotated by IBM Operations Analytics for z Systems

Table 32. Annotated fields for z/OS SYSLOG data

| Field | Description | Data type |
| --- | --- | --- |
| ApplID | The application identifier | Text |
| ASID | The address space identifier | Text |
| CommandPrefix | The command prefix | Text |
| Component | The component identifier, which shows the domain or component that issues the message | Text |
| ConsoleName | The console name | Text |
| JobName | The 8-character name of the job on the z/OS system | Text |
| MessageFlags | A value that provides more descriptive information about the message. The following values are examples: “CMD” means that the message is a command; “CMDRSP” means that the message is a command response; “NONE” means that no more descriptive information is associated with this message. | Text |
| MessageID | The message identifier. Also, see “Message IDs.” | Text |
| MessagePrefix | The first 3 characters of the message identifier. If no value is detected for MessageID, MessagePrefix has no value. | Text |
| MessageText | The message text. If a value is detected for MessageID, MessageText contains the MessageID also. | Text |
| MessageType | The one-character message type that is specified in the MessageID value. Valid values are A, I, E, W, D or S. If no value is detected for MessageID, or if the MessageID value does not contain a message type, MessageType has no value. | Text |
| RouteCodes | The route codes | Text |
| SubsystemID | The identifier of the software product or subsystem that generated the message. | Text |
| Task | The job identifier for the task that issued the message | Text |
| UserExitFlags | The user exit flags | Text |

Message IDs

A string is detected as a message ID if it matches one of the following formats:
- aaxxxn
- aaxxxnt
- aaxxxxn
- aaxxxxnt
- aaxxxxxn
- aaxxxxxnt
- aaxxxxxxn
- aaxxxxxxnt
- $HASPnnn
- $HASPnnnn
- DFHaann
- DFHaannn
- DFHaannnn
- DFHnn
- DFHnnt
- DFHnnn
- DFHnnnn
- EYUaann
- EYUaannn
- EYUaannnn
- EYUnn
- EYUnnt
- EYUnnn
- EYUnnnn

where:
- a represents an uppercase alphabetic character (A - Z).
- n represents a numeric character (0 - 9).
- x represents an uppercase alphabetic character or a numeric character.
- t represents a type character (A, I, E, W, D, or S). If the first 3 characters of the message ID are DFH or EYU, U is also a valid type character.

Sometimes, a string that is not a message ID, but matches one of the preceding formats, might show in the MessageID field.
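The formats above translate mechanically into regular expressions. The following Python example is added here and is not IBM code: it compiles the listed formats and derives MessageID, MessagePrefix and MessageType as Table 32 defines them, including a case where a job name is picked up as a message ID. Treating the first blank-delimited token of the message text as the candidate is an assumption, and the sample messages are constructed.

```python
import re

# Formats copied from the "Message IDs" list. Lowercase letters are
# placeholders; every other character ($HASP, DFH, EYU) is a literal.
FORMATS = """
aaxxxn aaxxxnt aaxxxxn aaxxxxnt aaxxxxxn aaxxxxxnt aaxxxxxxn aaxxxxxxnt
$HASPnnn $HASPnnnn DFHaann DFHaannn DFHaannnn DFHnn DFHnnt DFHnnn DFHnnnn
EYUaann EYUaannn EYUaannnn EYUnn EYUnnt EYUnnn EYUnnnn
""".split()

PLACEHOLDERS = {
    "a": "[A-Z]",       # uppercase alphabetic character
    "n": "[0-9]",       # numeric character
    "x": "[A-Z0-9]",    # uppercase alphabetic or numeric character
    "t": "[AIEWDSU]",   # type character; U is only valid for DFH/EYU (checked below)
}


def _compile(fmt):
    """Turn one documented format into an anchored regular expression."""
    return re.compile("".join(PLACEHOLDERS.get(ch, re.escape(ch)) for ch in fmt))


COMPILED = [(fmt, _compile(fmt)) for fmt in FORMATS]


def match_format(candidate):
    """Return the first listed format that the whole candidate matches, or None."""
    for fmt, rx in COMPILED:
        if not rx.fullmatch(candidate):
            continue
        # U is a valid type character only when the ID starts with DFH or EYU.
        if (fmt.endswith("t") and candidate[-1] == "U"
                and candidate[:3] not in ("DFH", "EYU")):
            continue
        return fmt
    return None


def annotate(message_text):
    """Derive MessageID, MessagePrefix and MessageType from message text.

    Assumption: the candidate ID is the first blank-delimited token.
    """
    tokens = message_text.split()
    candidate = tokens[0] if tokens else ""
    fmt = match_format(candidate)
    if fmt is None:
        return {"MessageID": None, "MessagePrefix": None, "MessageType": None}
    return {
        "MessageID": candidate,
        "MessagePrefix": candidate[:3],
        # Only formats that end in t carry a message type.
        "MessageType": candidate[-1] if fmt.endswith("t") else None,
    }


# Constructed sample message texts.
SAMPLE_MESSAGES = [
    "ICH408I USER(IBMUSER ) GROUP(SYS1    ) NAME(CONSTRUCTED SAMPLE)",
    "$HASP373 PAYJOB STARTED",
    "DFHSI1517 CICSPRD Control is being given to CICS.",
    "PAYROLL1 ENDED",          # a job name that happens to fit aaxxxxxn
    "ich408i lowercase text",  # lowercase never matches
]

if __name__ == "__main__":
    for text in SAMPLE_MESSAGES:
        print(annotate(text), "<-", text)
```

The PAYROLL1 row shows why searches and alerts keyed on MessageID should match exact, known identifiers rather than assume every value in the field is a real message ID.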

syslogd data

Syslogd data is network data from the UNIX System Services system log (syslogd). The abbreviation syslogd represents the term syslog daemon.
- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

Table 33. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for syslogd data

| Configuration artifact | Required value |
| --- | --- |
| Data Stream | One or more of the following values: USS Syslogd Admin, USS Syslogd Debug, USS Syslogd Error. To select this data stream in the configuration tool UI: In the “Select data stream” window, click Log Data > System Logs, and select the check box for the respective data stream. |
| Transcribe Transform | UTF-8 |
| Split Transform | ????? |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.


Fields that are annotated by IBM Operations Analytics for z Systems

Table 34. Annotated fields for syslogd data

| Field | Description | Data type |
| --- | --- | --- |
| Application | The application identifier | Text |
| JobName | The job name | Text |
| MessageID | The message identifier | Text |
| MessagePrefix | The first 3 characters of the message identifier. If no value is detected for MessageID, MessagePrefix has no value. | Text |
| MessageText | The message text | Text |
| MessageType | The one-character message type that is specified in the MessageID value. Valid values are A, I, E, W, D or S. If no value is detected for MessageID, or if the MessageID value does not contain a message type, MessageType has no value. | Text |
| processID | The process identifier | Text |
| SubsystemID | The identifier of the software product or subsystem that generated the message. | Text |

WebSphere HPEL data

WebSphere Application Server for z/OS High Performance Extensible Logging (HPEL) data is log data from an HPEL repository.
- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

Table 35. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for WebSphere Application Server for z/OS HPEL data

| Configuration artifact | Required value |
| --- | --- |
| Data Stream | WebSphere HPEL. To select this data stream in the configuration tool UI: In the “Select data stream” window, click Log Data > Application Logs, and select the WebSphere HPEL check box. |
| Transcribe Transform | UTF-8 |
| Split Transform | ???? |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.


Fields that are annotated by IBM Operations Analytics for z Systems

Table 36. Annotated fields for WebSphere Application Server for z/OS HPEL data

| Field | Description | Data type |
| --- | --- | --- |
| application | The application name that is populated by the group data source field | Text |
| appName | The name of the Java™ Platform, Enterprise Edition (Java EE) application that the log or trace record relates to, if any. | Text |
| className | The name of the class that made the call to the logger. This name might be the name of the source class that is supplied in the call to the logger, or it might be an inferred source class name. The name might not be accurate. | Text |
| exceptionClassName | If this record was generated due to an exception, this name is the class name in the top stack trace entry. | Text |
| exceptionFileName | If this record was generated due to an exception, this name is the file name in the top stack trace entry. | Text |
| exceptionLineNumber | If this record was generated due to an exception, this number is the line number in the top stack trace entry. | Long |
| exceptionMethodName | If this record was generated due to an exception, this name is the method name in the top stack trace entry. | Text |
| exceptionPackageName | If this record was generated due to an exception, this name is the package name in the top stack trace entry. | Text |
| hostname | The host name that is populated by the group data source field | Text |
| javaException | The first Java exception name that matches the following pattern: *.*Exception | Text |
| jobId | The identifier of the Job Entry Subsystem (JES) job that created this record | Text |
| jobName | The name of the JES job that created this record | Text |
| level | The message level, which is an indication of the severity of the message | Text |
| loggerName | The name of the logger that created this record | Text |
| message | The formatted version of the log record, with values substituted for any placeholder parameters. If a value is detected for msgClassifier, message contains the msgClassifier also. | Text |
| methodName | The name of the method that made the call to the logger. This name might be the name of the source method that is supplied in the call to the logger, or it might be an inferred source method name. This name might not be accurate. | Text |
| middleware | The middleware name that is populated by the group data source field | Text |
| msgClassifier | The message identifier of the log record message. This message ID is the same regardless of the locale in which the message is rendered. For non-message records, and for other messages that do not begin with a message ID, this field is empty. | Text |
| sequence | The sequence index of the message as generated by the logger | Long |
| service | The service name that is populated by the group data source field | Text |
| threadID | The identifier of the thread on which this request was logged. This ID is based on the java.util.logging representation of the thread ID, and is not equivalent to the operating system representation of the thread ID. | Text |
| traceBlockAll | If this record was generated due to an exception, this is the stack trace. The stack trace is computed only for records where a throwable exception is explicitly supplied by the caller. | Text |

WebSphere SYSOUT data

WebSphere Application Server for z/OS SYSOUT data is from the SYSOUT job log.
- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

Table 37. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for WebSphere Application Server for z/OS SYSOUT data

| Configuration artifact | Required value |
| --- | --- |
| Data Stream | WebSphere SYSOUT. To select this data stream in the configuration tool UI: In the “Select data stream” window, click Log Data > Application Logs, and select the WebSphere SYSOUT check box. |
| Transcribe Transform | UTF-8 |
| Split Transform | ????? |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.


Fields that are annotated by IBM Operations Analytics for z Systems

Table 38. Annotated fields for WebSphere Application Server for z/OS SYSOUT data

| Field | Description | Data type |
| --- | --- | --- |
| application | The application name that is populated by the group data source field | Text |
| entryNumber | Entry number | Long |
| exceptionClassName | If this record was generated due to an exception, this name is the class name in the top stack trace entry. | Text |
| exceptionFileName | If this record was generated due to an exception, this name is the file name in the top stack trace entry. | Text |
| exceptionLineNumber | If this record was generated due to an exception, this number is the line number in the top stack trace entry. | Long |
| exceptionMethodName | If this record was generated due to an exception, this name is the method name in the top stack trace entry. | Text |
| exceptionPackageName | If this record was generated due to an exception, this name is the package name in the top stack trace entry. | Text |
| hostname | The host name that is populated by the group data source field | Text |
| javaException | The first Java exception name that matches the following pattern: *.*Exception | Text |
| message | The log message text. If a value is detected for msgClassifier, message contains the msgClassifier also. | Text |
| messageTag | The message tag that is defined in the classification file | Text |
| middleware | The middleware name that is populated by the group data source field | Text |
| msgClassifier | The log message number | Text |
| processID | The process identifier | Text |
| service | The service name that is populated by the group data source field | Text |
| threadAddress | The thread address | Text |
| threadID | An eight-character hexadecimal thread identifier. | Text |

WebSphere SYSPRINT data

WebSphere Application Server for z/OS SYSPRINT data is from the SYSPRINT job log.
- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

Table 39. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for WebSphere Application Server for z/OS SYSPRINT data

| Configuration artifact | Required value |
| --- | --- |
| Data Stream | One or more of the following values: WebSphere SYSPRINT, WebSphere USS Sysprint. To select this data stream in the configuration tool UI: In the “Select data stream” window, click Log Data > Application Logs, and select the check box for the respective data stream. |
| Transcribe Transform | UTF-8 |
| Split Transform | ????? |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.

Fields that are annotated by IBM Operations Analytics for z Systems

Table 40. Annotated fields for WebSphere Application Server for z/OS SYSPRINT data

| Field | Description | Data type |
| --- | --- | --- |
| application | The application name that is populated by the group data source field | Text |
| exceptionClassName | If this record was generated due to an exception, this name is the class name in the top stack trace entry. | Text |
| exceptionFileName | If this record was generated due to an exception, this name is the file name in the top stack trace entry. | Text |
| exceptionLineNumber | If this record was generated due to an exception, this number is the line number in the top stack trace entry. | Long |
| exceptionMethodName | If this record was generated due to an exception, this name is the method name in the top stack trace entry. | Text |
| exceptionPackageName | If this record was generated due to an exception, this name is the package name in the top stack trace entry. | Text |
| hostname | The host name that is populated by the group data source field | Text |
| javaException | The first Java exception name that matches the following pattern: *.*Exception | Text |
| message | The extended message. If a value is detected for msgClassifier, message contains the msgClassifier also. | Text |
| messageTag | The message tag that is defined in the classification file | Text |
| middleware | The middleware name that is populated by the group data source field | Text |
| msgClassifier | The extended message number | Text |
| service | The service name that is populated by the group data source field | Text |
| sourceID | The source identifier | Text |
| threadAddress | The hexadecimal thread address | Text |

zAware interval anomaly data

Interval anomaly data is provided by IBM z Advanced Workload Analysis Reporter (IBM zAware).

Fields that are annotated by IBM Operations Analytics for z Systems

Table 41. Annotated fields for anomaly interval data

| Field | Description | Data type |
| --- | --- | --- |
| IntervalAnomaly | A double value that indicates the anomaly score for the interval. The score is the percentile of the sum of each anomaly score for individual message IDs within the interval. | Double |
| IntervalEndTime | The time, based on Coordinated Universal Time (UTC), that indicates the end of an interval for which the log messages that are produced are used to generate the anomaly record. The format is YYYY-MM-DDTHH:mm:ss.sssZ. | Date |
| IntervalIndex | An integer that indicates the sequence number of this interval within the specified date. Each index represents a 10-minute period. | Long |
| IntervalStartTime | The time, based on UTC, that indicates the start of an interval for which log messages that are produced are used to generate the anomaly record. The format is YYYY-MM-DDTHH:mm:ss.sssZ. | Date |
| LimitedModelStatus | An indication of whether the model that is used to calculate the anomaly score for this interval is a limited model. The following values are valid: YES, NO, UNKNOWN. | Text |
| ModelGroupName | The name of an analysis group. Each analysis group is associated with one or more systems from which the logs are used to create a single model. | Text |
| NumMessagesNeverSeenBefore | An integer that indicates the number of message IDs that were issued during this analysis interval for the first time but were never seen in any previous analysis interval or in the current model. | Long |
| NumMessagesNotInModelFirstReported | An integer that indicates the number of message IDs that are not in the model and were issued during this analysis interval for the first time. | Long |
| NumMessagesUnique | An integer that indicates the number of unique message IDs that were issued during this analysis interval. | Long |
| SysplexName | The sysplex name | Text |
| SystemName | The system name | Text |
| timestamp | The time, based on UTC, that indicates the end of the interval record. This time is equivalent to the value for the IntervalEndTime field. When you search for interval anomaly scores that are based on a time stamp, ensure that you search for the end time of the interval record. The format is YYYY-MM-DDTHH:mm:ss.sssZ. | Date |
| zAwareServer | The hostname or IP address of the IBM z Advanced Workload Analysis Reporter (IBM zAware) server from which the interval anomaly data is retrieved. | Text |

zSecure data

zSecure data is data from the . This data includes information about security events.
- Data generation
- “Data stream definition in the IBM Common Data Provider for z Systems configuration tool”
- “Fields that are annotated by IBM Operations Analytics for z Systems”

Data generation

The generates security events that the IBM Common Data Provider for z Systems sends to IBM Operations Analytics for z Systems. These events include the following data:
- Successful and unsuccessful attempts to log on to applications
- Successful and unsuccessful attempts to access system resources, such as data sets and the z/OS file system (zFS)
- Successful and unsuccessful commands that are issued

The Access Monitor generates a data transfer file on the UNIX System Services file system. For IBM Operations Analytics for z Systems to use the Access Monitor data, IBM Common Data Provider for z Systems must be configured to read this data transfer file from the hierarchical file system (HFS) or the zFS, and send the file to IBM Operations Analytics for z Systems by using the generic zFS file type. The data source type zOS-zSecure must be defined as the data source name in the generic zFS file definition. Also, after the generic zFS file type source is saved, the configuration must include a transform to UTF-8.

Data stream definition in the IBM Common Data Provider for z Systems configuration tool

Table 42. Configuration artifacts that must be defined in the IBM Common Data Provider for z Systems configuration tool for zSecure data

| Configuration artifact | Required value |
| --- | --- |
| Data Stream | Generic ZFS File. To select this data stream in the configuration tool UI: In the “Select data stream” window, click Log Data > Generic Feeds, and select the Generic ZFS File check box. |
| Transcribe Transform | UTF-8 |
| Split Transform | ????? |

Important: In the IBM Common Data Provider for z Systems configuration, do not define time filters or regular expression (regex) filters in the IBM Operations Analytics for z Systems data stream definitions.

Fields that are annotated by IBM Operations Analytics for zSystems

Table 43. Annotated fields for data

| Field | Description | Data type |
|---|---|---|
| AttribOperations | A Yes or No indication of whether the Operations flag is set for the user ID. | Text |
| AttribSpecial | A Yes or No indication of whether the Special flag is set for the user ID. | Text |
| AuthMethod | For records with the event type Verify, the indication of the method that is used for verification. The following method values are examples: none, password, passticket, multifactor passphrase, started. | Text |
| Class | For records with the event type Auth, Define, or Fast, the security class, for example, XFACILIT. | Text |
| Count | The number of events of the specified event type that occurred in the time period. The maximum value is a 63-bit decimal number. | Number |
| EventType | The event type for this record. The following event type values are examples: Auth, Command, Define, Fast, Verify. | Text |
| JobName | For records with the event type Verify, the indication of the job for which authentication was requested, for example, SSHD1. | Text |
| ProfileName | For records with the event type Command, the profile name that is being used, for example, ’CKF.**’. | Text |
| ResourceName | For records with the event type Auth, Define, or Fast, the name of the resource that is being accessed, for example, ’CKF.AUDIT’. | Text |
| Result | The return code. For example, a return code of 0 indicates a successful result. | Text |
| SystemID | The SMF system ID, for example, I001. | Text |
| UserID | The user ID for this record, for example, IBMUSER. | Text |

Dashboards

IBM Operations Analytics for z Systems provides dashboards TBD...

TBD

Sample searches

IBM Operations Analytics for z Systems provides sample searches that can be used from the UI to search operational data. These searches include queries of key annotated fields that can contribute to operational insights.

The names of all sample searches begin with “IBM zOS” to distinguish these IBM-provided searches from any custom searches that you create and save.

CICS Transaction Server for z/OS searches

The name for each CICS Transaction Server for z/OS sample search is shown with a brief description of what the associated query looks for.

IBM zOS CICS Transaction Server Abend or Severe Messages
  Searches for CICS Transaction Server messages that have the format DFHccxxxx, where cc represents a component identifier (such as SM for Storage Manager), and xxxx is either 0001 or 0002 (which indicates an abend or severe error in the specified component).

  For example: This sample would search for DFHSM0001 but not for DFH0001.

IBM zOS CICS Action, Decision, or Error Messages
  Searches for CICS messages that indicate any of the following situations:
  - Immediate action is required.
  - A decision is required.
  - An error occurred.

  The search is based on the CICS message IDs and on an action code of A, D, E, S, or U.

IBM zOS CICS Transaction Server Key Messages
  Searches for a set of predefined message numbers to determine whether any of the messages occurred.

IBM zOS CICS Transaction Server Messages
  Searches for CICS Transaction Server messages, which start with the prefix DFH or EYU.


IBM zOS CICS Transaction Server Short on Storage Messages
  Searches for CICS Transaction Server for z/OS messages that indicate that a storage shortage occurred.

IBM zOS CICS Transaction Server Start Stop Messages
  Searches for CICS Transaction Server for z/OS messages that are written to the system log while the CICS Transaction Server for z/OS is started or stopped. Messages with the following numbers are examples:
  - EYUXL0010I
  - DFHPA1101

IBM zOS CICS Transaction Server Storage Violations
  Searches for CICS Transaction Server for z/OS messages that indicate that a storage violation occurred.

List of CICS Transaction Server for z/OS searches that are based on System Management Facilities (SMF) data
  To obtain results from the following searches, CICS Transaction Server for z/OS must be active and configured to create SMF 110 records. For more information, see “SMF 110 data generation” on page xxvii.

  IBM zOS CICS Job Performance
    Searches for records that have a program name of DFHSIP or EYU9XECS.

  IBM zOS CICS Transaction Server Exceptions
    Searches for CICS Transaction Server for z/OS exceptions that occurred.

  IBM zOS CICS Transaction Server Policy Exceptions
    Searches for CICS Transaction Server for z/OS SMF policy-based exceptions that occurred.

  IBM zOS CICS Transaction Server Summary
    Searches for CICS Transaction Server for z/OS transaction summary interval records that occurred.

  IBM zOS CICS Transaction Server Summary End-of-Day
    Searches for CICS Transaction Server for z/OS end-of-day transaction summary records that occurred.

  IBM zOS CICS Transaction Server Task Limit Met
    Searches for CICS Transaction Server for z/OS transaction records where the number of active user transactions equaled the specified maximum allowed number of user transactions.

  IBM zOS CICS Transaction Server Wait on Storage Exceptions
    Searches for CICS storage manager messages and CICS Transaction Server for z/OS SMF Wait on Storage exceptions.

DB2 for z/OS searches

The name for each DB2 for z/OS sample search is shown with a brief description of what the associated query looks for.

IBM zOS DB2 Action, Decision, or Error Messages
  Searches for DB2 messages that indicate any of the following situations:
  - Immediate action is required.
  - A decision is required.
  - An error occurred.


IBM zOS DB2 Data Set Messages
  Searches for DB2 messages that indicate any of the following situations:
  - Failure of a data set definition
  - Failure of a data set extend
  - Impending space shortage

IBM zOS DB2 Data Sharing Messages
  Searches for internal resource lock manager (IRLM) messages that were issued to DB2 and that indicate at least one of the following situations:
  - The percentage of available lock structure capacity is low.
  - An error occurred when IRLM used the specified z/OS automatic restart manager (ARM) function.

IBM zOS DB2 Job Performance
  Searches for records that have a program name of DSNYASCP or DSNADMT0.

IBM zOS DB2 Lock Conflict Messages
  Searches for DB2 messages that indicate that a plan was denied an IRLM lock due to a detected deadlock or timeout.

IBM zOS DB2 Log Data Set Messages
  Searches for messages that indicate that DB2 log data sets are full, are becoming full, or could not be allocated.

IBM zOS DB2 Log Frequency Messages
  Searches for DB2 messages that indicate that log archives were offloaded or are waiting to be offloaded.

IBM zOS DB2 Messages
  Searches for DB2 messages, which start with the prefix DSN.

IBM zOS DB2 Pool Shortage Messages
  Searches for DB2 messages that indicate that the amount of storage in the group buffer pool (GBP) coupling facility structure that is available for writing new pages is low or critically low.

IMS for z/OS searches

The name for each IMS for z/OS sample search is shown with a brief description of what the associated query looks for.

IBM zOS IMS Abend Messages
  Searches for messages that indicate abends were detected.

IBM zOS IMS Action, Decision, or Error Messages
  Searches for IMS messages that indicate any of the following situations:
  - Immediate action is required.
  - A decision is required.
  - An error occurred.

  The search is based on the IMS message IDs and on an action code of A, E, W, or X.

IBM zOS IMS Common Queue Server Messages
  Searches for IMS Common Queue Server component messages, which start with the prefix CQS.

IBM zOS IMS Connect Messages
  Searches for IMS Connect component messages, which start with the prefix HWS.


IBM zOS IMS Database Recovery Control Errors
  Searches for Database Recovery Control component error messages, which start with the prefix DSP.

IBM zOS IMS Job Performance
  Searches for records that have a program name of DFSAMVRC0, DFSRRC00, or DXRRLM00.

IBM zOS IMS Locking Messages
  Searches for messages that indicate which IMS resources are locked.

IBM zOS IMS Log Messages
  Searches for messages that indicate how often IMS logs are rolled.

IBM zOS IMS Messages
  Searches for IMS messages, which start with any of the following prefixes: BPE, CQS, CSL, DFS, DSP, DXR, ELX, FRP, HWS, MDA, PCB, PGE, SEG, or SFL.

IBM zOS IMS Pool Issues
  Searches for messages that indicate IMS pool-related issues.

IBM zOS IMS Resources in Waiting Errors
  Searches for error messages that indicate a resource is waiting on other resources to become available.

IBM zOS IMS Security Violations
  Searches for error messages that indicate security violations were detected.

IBM zOS IMS Stopped Resources
  Searches for messages that indicate IMS and related components are no longer running.

IBM zOS IMS Terminal Related Messages
  Searches for messages that indicate IMS terminal-related issues, including terminals that are no longer receiving messages.

MQ for z/OS searches

The name for each MQ for z/OS sample search is shown with a brief description of what the associated query looks for.

IBM zOS MQ Action, Decision, or Error Messages
  Searches for MQ messages that indicate any of the following situations:
  - Immediate action is required.
  - A decision is required.
  - An error occurred.

  The search is based on the MQ message IDs and on an action code of A, D, or E.

IBM zOS MQ Buffer Pool Errors
  Searches for error messages that indicate the occurrence of MQ buffer pool errors.

IBM zOS MQ Channel Errors
  Searches for error messages that indicate the occurrence of MQ channel errors.

IBM zOS MQ Channel Initiator Errors
  Searches for error messages that indicate the occurrence of MQ channel initiator errors.


IBM zOS MQ Interesting Informational Messages
  Searches for a set of predefined informational message numbers to determine whether any of the corresponding messages occurred.

IBM zOS MQ Job Performance
  Searches for records that have a program name of CSQXJST or CSQYASCP.

IBM zOS MQ Key Messages
  Searches for a set of predefined message numbers to determine whether any of the corresponding messages occurred.

IBM zOS MQ Logs Start and Stop Messages
  Searches for messages that are related to the starting, stopping, and flushing of the MQ log data sets.

IBM zOS MQ Messages
  Searches for MQ messages, which start with the prefix CSQ.

IBM zOS MQ Queue Manager Storage Messages
  Searches for messages that indicate whether MQ queue manager required more storage.

IBM zOS MQ Start Stop Messages
  Searches for messages that are written to the system log while the MQ queue manager or channel initiator is started or stopped. Messages with the following numbers are examples:
  - CSQY000I
  - CSQY001I

NetView for z/OS searches

The name for each NetView for z/OS sample search is shown with a brief description of what the associated query looks for.

IBM zOS NetView Action, Decision, or Error Messages
  Searches for NetView for z/OS messages that indicate any of the following situations:
  - Immediate action is required.
  - A decision is required.
  - An error occurred.

IBM zOS NetView Automation
  Searches for a set of predefined NetView for z/OS messages that indicate possible automation table violations.

IBM zOS NetView Command Authorization
  Searches for a set of predefined NetView for z/OS messages that indicate possible command authorization table violations.

IBM zOS NetView Messages
  Searches for NetView for z/OS messages.

IBM zOS NetView Resource Limits
  Searches for a set of predefined NetView for z/OS messages that indicate that resource limits or storage thresholds might have been exceeded.

IBM zOS NetView Security Messages
  Searches for a set of predefined NetView for z/OS messages that indicate insufficient access authority or security environment violations.


Security searches: RACF

The name for each Resource Access Control Facility (RACF) sample search is shown with a brief description of what the associated query looks for.

IBM zOS Security RACF Action, Decision, or Error Messages
  Searches for RACF® messages that indicate any of the following situations:
  - Immediate action is required.
  - A decision is required.
  - An error occurred.

IBM zOS Security RACF Insufficient Access Messages
  Searches for RACF messages that indicate insufficient access authority.

IBM zOS Security RACF Insufficient Authority Messages
  Searches for RACF messages that indicate insufficient authority.

IBM zOS Security RACF Invalid Logon Attempt Messages
  Searches for RACF messages that indicate invalid logon attempts.

IBM zOS Security RACF Messages
  Searches for RACF messages, which start with either of the following prefixes:
  - ICH
  - IRR

List of RACF searches that are based on System Management Facilities (SMF) data
  To obtain results from the following searches, RACF must be active and protecting the resources or commands that are the subject of each search:

  IBM zOS Security RACF Accesses of Configuration Files
    Searches for any accesses of files with the extension .config.

  IBM zOS Security RACF Activity for Operations
    Searches for any events that were caused by a user with the RACF OPERATIONS attribute.

  IBM zOS Security RACF CHOWN, CHGRP, CHMOD Commands
    Searches for occurrences of the UNIX commands CHOWN, CHGRP, and CHMOD that were issued.

  IBM zOS Security RACF Data Set Access Successes
    Searches for successful attempts to access data sets.

  IBM zOS Security RACF Failed Access Attempts
    Searches for unsuccessful attempts to access data sets.

  IBM zOS Security RACF Logons and Commands
    Searches for logons and commands that were issued from a specific terminal ID (TermID field). The default value for the TermID field is non-blank.

  IBM zOS Security RACF SETROPTS Commands Issued
    Searches for SETROPTS commands that were issued.

Security searches: zSecure Access Monitor

The name for each sample search for the Access Monitor is shown with a brief description of what the associated query looks for.

IBM zOS zSecure Access Monitor All Records
  Searches for all records that are created by the Access Monitor.


IBM zOS zSecure Access Monitor Authorization Nonzero Result
  Searches for records with the following characteristics:
  - Are based on the RACF AUTH definition
  - Have a non-zero return code
  - Are created by the Access Monitor

IBM zOS zSecure Access Monitor Authorization Records
  Searches for records with the following characteristics:
  - Are based on the RACF AUTH definition
  - Are created by the Access Monitor

IBM zOS zSecure Access Monitor CICS Authorization Nonzero Result
  Searches for CICS transaction-related records with a non-zero return code that are created by the Access Monitor.

IBM zOS zSecure Access Monitor CICS Transactions
  Searches for all CICS transaction-related records that are created by the Access Monitor.

IBM zOS zSecure Access Monitor Command Nonzero Result
  Searches for records with the following characteristics:
  - Are based on the use of the RACF DEFINE command to add or remove a profile in the RACF database
  - Have a non-zero return code
  - Are created by the Access Monitor

IBM zOS zSecure Access Monitor Command Records
  Searches for records with the following characteristics:
  - Are based on the use of the RACF DEFINE command to add or remove a profile in the RACF database
  - Are created by the Access Monitor

IBM zOS zSecure Access Monitor Define Nonzero Result
  Searches for records with the following characteristics:
  - Are based on the RACF DEFINE definition
  - Have a non-zero return code
  - Are created by the Access Monitor

IBM zOS zSecure Access Monitor Define Records
  Searches for records with the following characteristics:
  - Are based on the RACF DEFINE definition
  - Are created by the Access Monitor

IBM zOS zSecure Access Monitor Fast Nonzero Result
  Searches for records with the following characteristics:
  - Are based on the RACF FASTAUTH definition
  - Have a non-zero return code
  - Are created by the Access Monitor

IBM zOS zSecure Access Monitor Fast Records
  Searches for records with the following characteristics:
  - Are based on the RACF FASTAUTH definition
  - Are created by the Access Monitor

IBM zOS zSecure Access Monitor Verify Nonzero Result
  Searches for records with the following characteristics:
  - Are based on the RACF VERIFY definition
  - Have a non-zero return code
  - Are created by the Access Monitor

IBM zOS zSecure Access Monitor Verify Records
  Searches for records with the following characteristics:
  - Are based on the RACF VERIFY definition
  - Are created by the Access Monitor
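The "Nonzero Result" searches above, worked over the annotated fields (EventType, Result, Count, UserID, SystemID, Class, ResourceName, AttribSpecial, AttribOperations) as an added example; this is not IBM's query or product code. It assumes the records are already available as dictionaries keyed by those field names, and the sample records, the user IDs other than IBMUSER, the return-code values, and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, keyed by the annotated field names.
_BASE = {"SystemID": "I001", "AttribSpecial": "No", "AttribOperations": "No"}
_RES = {"Class": "XFACILIT", "ResourceName": "CKF.AUDIT"}
SAMPLE_RECORDS = [
    {**_BASE, "EventType": "Verify", "Result": "8", "Count": 412,
     "UserID": "IBMUSER", "AuthMethod": "password", "JobName": "SSHD1",
     "AttribSpecial": "Yes"},
    {**_BASE, "EventType": "Verify", "Result": "0", "Count": 3,
     "UserID": "IBMUSER", "AuthMethod": "password", "JobName": "SSHD1",
     "AttribSpecial": "Yes"},
    {**_BASE, **_RES, "EventType": "Auth", "Result": "8", "Count": 5,
     "UserID": "USER01"},
    {**_BASE, **_RES, "EventType": "Auth", "Result": "4", "Count": 2,
     "UserID": "USER01"},
    # "00" is still a zero return code: Result is a Text field.
    {**_BASE, **_RES, "EventType": "Fast", "Result": "00", "Count": 1000,
     "UserID": "USER02"},
    {**_BASE, **_RES, "EventType": "Define", "Result": "4", "Count": 1,
     "UserID": "USER03", "SystemID": "I002", "AttribOperations": "Yes"},
]


def is_nonzero(result):
    """Result has data type Text, so compare it numerically, not as a string.

    A missing or non-numeric value is treated as non-zero so that the record
    is surfaced for review instead of being counted as a success.
    """
    try:
        return int(str(result).strip()) != 0
    except ValueError:
        return True


def event_count(record):
    """Count is the number of events in the period, so one record can stand
    for many events. A missing or malformed Count is counted once."""
    try:
        n = int(record.get("Count", 1))
    except (TypeError, ValueError):
        return 1
    return n if n > 0 else 1


def is_privileged(record):
    """True when the Special or Operations flag is set for the user ID."""
    return any(str(record.get(f, "")).strip().lower() == "yes"
               for f in ("AttribSpecial", "AttribOperations"))


def nonzero_results(records, event_type=None):
    """Yield records with a non-zero Result, optionally for one EventType
    (Auth, Define, Fast, Verify, ...), mirroring the Nonzero Result searches."""
    for rec in records:
        if event_type is not None and rec.get("EventType") != event_type:
            continue
        if is_nonzero(rec.get("Result")):
            yield rec


def summarize_failures(records):
    """Aggregate non-zero results per (SystemID, UserID, EventType).

    Events are weighted by Count. Rows for user IDs with the Special or
    Operations flag sort first, then rows sort by descending event total.
    """
    groups = defaultdict(lambda: {"events": 0, "privileged": False,
                                  "resources": set()})
    for rec in nonzero_results(records):
        key = (rec.get("SystemID"), rec.get("UserID"), rec.get("EventType"))
        group = groups[key]
        group["events"] += event_count(rec)
        group["privileged"] = group["privileged"] or is_privileged(rec)
        if rec.get("ResourceName"):
            group["resources"].add(
                f'{rec.get("Class", "?")}:{rec["ResourceName"]}')
    rows = [{"SystemID": key[0], "UserID": key[1], "EventType": key[2],
             "events": group["events"], "privileged": group["privileged"],
             "resources": sorted(group["resources"])}
            for key, group in groups.items()]
    rows.sort(key=lambda r: (not r["privileged"], -r["events"]))
    return rows


if __name__ == "__main__":
    for row in summarize_failures(SAMPLE_RECORDS):
        print(row)
```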

WebSphere Application Server for z/OS searches

The name for each WebSphere Application Server for z/OS sample search is shown with a brief description of what the associated query looks for.

IBM zOS WebSphere Error Messages
  Searches for WebSphere Application Server for z/OS messages that indicate an error.

IBM zOS WebSphere Exceptions
  Searches for occurrences of Java exceptions in the WebSphere Application Logs.

List of WebSphere Application Server for z/OS searches that are based on System Management Facilities (SMF) data
  To obtain results from the following searches, WebSphere Application Server for z/OS must be active and configured to create SMF 120 subtype 9 records:

  IBM zOS WebSphere Activity for All Applications
    Searches for the requests for processing that are attributed to WebSphere Application Server for z/OS applications.

  IBM zOS WebSphere Applications with Nonzero Dispatch TCB
    Searches for the requests for processing that are attributed to WebSphere Application Server for z/OS applications with nonzero dispatch Task Control Block (TCB) time.

  IBM zOS WebSphere Controller Managed JavaBeans
    Searches for the managed JavaBeans requests that are processed by the WebSphere Application Server Controller.

  IBM zOS WebSphere Controller Requests Non-Internal
    Searches for the requests for controller processing that are not attributed to internal WebSphere processing.

z/OS network searches

The name for each z/OS network sample search is shown. These samples look for common network errors.

Searches for common network errors
  The following z/OS network sample searches are provided:
  - IBM zOS Network ATTLS Error Messages
  - IBM zOS Network CSSMTP Error Messages
  - IBM zOS Network Device Error Messages
  - IBM zOS Network FTP Error Messages
  - IBM zOS Network IKED Error Messages
  - IBM zOS Network IPSEC Error Messages
  - IBM zOS Network OMPROUTE Error Messages
  - IBM zOS Network PAGENT Error Messages
  - IBM zOS Network Storage Error Messages
  - IBM zOS Network syslogd FTPD Messages
  - IBM zOS Network syslogd Messages
  - IBM zOS Network syslogd SSHD Messages
  - IBM zOS Network syslogd TELNETD Messages
  - IBM zOS Network TCPIP Error Messages
  - IBM zOS Network TN3270 Telnet Error Messages
  - IBM zOS Network VTAM Connection Error Messages
  - IBM zOS Network VTAM CSM Error Messages
  - IBM zOS Network VTAM Storage Error Messages

z/OS system searches

The name for each sample search of the z/OS system is shown with a brief description of what the associated query looks for.

IBM zOS Job Performance
  Searches for records that have an assigned program name.


Notices

This information was developed for products and services offered in the US. This material might be available from IBM in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Windows is a trademark of Microsoft Corporation in the United States, other countries, or both.

Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBM website.

Personal use

You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.

Commercial use

You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.


IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.


IBM®

Printed in USA