Like it or not, IT is in the spotlight. From the CEO, down to the individual employee or customer experience, IT operations is more important than ever – keeping service levels high, while keeping expenses in check.
Your IT landscape spans mainframe, IBM i, and distributed platforms – on premises and in the cloud – and you need an IT Operations Analytics (ITOA) solution that does as well. You’ll never be able to see the complete picture, meet service level agreements, and drive efficiencies across the enterprise if you’re focusing on one technology silo at a time.
Join this webinar to learn how to include your critical mainframe systems in an ITOA enterprise-wide view with Splunk dashboards.
During this webinar, we will explore:
- Benefits of ITOA for your business
- Challenges of integrating mainframe data in Splunk dashboards and how to overcome them
- Key use cases
2. Housekeeping
Webinar Audio
• Today’s webinar audio is streamed through your computer speakers
• If you need technical assistance with the web interface or audio, please reach out to us using the Q&A box
Questions Welcome
• Submit your questions at any time during the presentation using the Q&A box
Recording and slides
• This webinar is being recorded. You will receive an email following the webinar with a link to the recording and slides
3. The Data-to-Everything Platform™
Bring data to every question, decision and action.
Turn Data Into Doing™
Mainframe is no exception…
“Data-to-Everything” and “Turn Data Into Doing” trademark & copyright Splunk, Inc. in the United States and other countries.
4. Hurdles?
Yes…
it’s complex!
Systems Management Facility (SMF), Syslog, Log4j web and application logs, RMF, RACF, USS files and standard datasets
Complex data structures (SMF) with headers, product sections, data sections, variable length and self-describing
• EBCDIC not recognized outside of the mainframe world
• Binary flags, bit fields, repeating structures
• Not designed for easy use
• Millions of log records generated daily
• 9.7TB average per day per mainframe
• Not real-time
• Typically have to wait hours for an offload
• Insufficient detail
9. Disk Information
• Reads/Writes
• Disk Capacity
• Disk Space Availability
• Disk Busy
• Disk Response Times
Job Information
• CPU used
• Socket sends/receives
• Stream file, directory & Symlink reads
• Stream file writes
• Seize/Wait time
• Communication Puts/Gets
CPU information Per Virtual CPU
• Time used
• Number of CPUs active
TCP communications
• Detailed stats at Datagram
• Fragmentation information
Physical Processor information per CPU
• Time used
• Owning Partition
Virtual Processor information per Virtual CPU
• Status, Time active, Time used.
• Configured/Uncapped available time
• Instruction count
Memory pool information per Pool
• Database faults
• Non-database faults
• Job transitions Size
• Disk I/O stats
• Pages aged and stolen
Job summary information
• CPU used
• Disk I/O detail
• Database/Non-database
• Page faults
• I/O Pending faults
Security Information
• User Profiles
• System Values
• Object attributes & authorities
• Authorization Lists, Job Descriptions
• Commands
• Active Jobs, Spool Files
• Changes to values, authorities, profiles, auth. lists
• Access attempts (authentication or object access)
• Sensitive object access
Comprehensive Security & Operational Metrics
13. What Does This Add Up To?
Better results & less work!
More Control
Improved Agility
Better Visibility
?
…but wait…there’s more…
14. Splunk Data Model
• Helps non-mainframe users
• Do not need to be SME
• Easier data access
• Faster dashboard builds
• Create a reusable chart in less than 10 clicks!
15. Integration: Splunk Enterprise Security
• Monitor mainframe
• In real-time
• Correlate with other platforms
• RACF
• CA ACF2
• CA Top Secret™
16. Integration: Splunk IT Service Intelligence
• Mainframe health
• LPAR health
• CICS
• Db2
• Transactions
• Systems/Applications
Welcome everyone. Thank you for taking some time out of your busy schedule to join us today.
In this brief session I am going to run through just some of the benefits of adding mainframe visibility into Splunk.
I’ll talk about the HOW and the WHY of getting mainframe metrics into this powerful analytics platform and touch on just some of the things that are possible.
We’ll also examine some of the optimizations that can be realized along the way…resulting in less work for you…and more free time for things like even more online meetings.
I doubt this will take the full 30 minutes…if you’re like me you’re growing a little webcast-weary as every event has gone virtual…so I’ll keep this brief and on point.
So buckle up…and let’s get going…
First…let’s just talk about Splunk. What is it? And why is it so popular?
Well… today…computers, cars…fridges…in fact pretty much anything containing electronics… all generate what is known as “machine data”.
This can be a formal log of events or just various elements of information. Often this data remains untapped, even though it can actually be really useful for following activities, diagnostics, history…any kind of behavioural insight.
Is there a faulty switch report? …Is there a pattern in the data to give me a clue? This information is often referred to as “dark data”…hidden away, out of sight…unused or underutilized…but often really useful.
And Splunk makes it super easy to get this kind of information into its platform where you can search, analyse, chart and dashboard it in any way you want. Even correlate the data with information from other sources…all of which would be difficult without Splunk.
***CLICK*** Fortunately, the bright minds at IBM have made the mainframe one of the most metered and logful…if that’s a word...boxes on the planet. And because the mainframe still plays a major…often critical role…in many organizations…it should also take full advantage of a powerful platform like Splunk. Some of you may already be using some of this mainframe log information. Great! …but are you really getting full benefit from it?
***CLICK*** So to do that…we just need to plug the mainframe into Splunk…right?
Whoa…not so fast…that’s a nice idea and I wish it was that simple…but there are some hurdles to clear…
Hurdles? Yes there are a few that cannot be ignored.
For example…there are a lot of data sources on the mainframe. All very useful in their own right…specialized information for a specific purpose…but they can be very complex to deal with and unwind.
Then there is the sheer volume of data that can be produced. The mainframe…by design…is an efficient workhorse. This means it can produce a lot of machine and log data in a very short period of time.
…and for those that have tapped into some of this information…
…they have often created a manual process that involves batch jobs and FTP to get the data to where it needs to be…
…and this can take hours before the data becomes accessible…sometimes overnight is considered good. Not ideal if you’re relying on this information for a security use case. You need it real-time…as it is happening!
And did I already mention complexities? …I know I did…but it’s true…these sources are complex, unfriendly and not necessarily designed to be looked at by us mere mortals. It’s machine data.
Oh…and to top it all…don’t forget you have to convert from one character set to another…EBCDIC to ASCII…just for fun.
As an example, I was speaking with a customer last week (another bank as it happens) and they used to…on a good day…take a few hours to get diagnostic information from SMF when one of their systems had an issue involving the mainframe.
…and that was typically only after the application team had isolated the problem to the mainframe…well after the problem had started.
Fortunately…here at Precisely…we have a purpose-built solution that means you don’t even have to consider these hurdles.
Ironstream for Splunk…streams all sorts of mainframe machine and log data to Splunk from the “big iron” platform.
It can even tap into application data…if needed.
Not only can Ironstream do this in real-time…as the data is being written on the mainframe…but it also does all the heavy lifting for you…unwinding the complexities and converting the information to ASCII…
Delivering just what you want to the Splunk destination of your choice…whether that is on-premise or in the cloud via a secured connection.
You can choose from an expanding array of data sources on the mainframe. All added as a result of customer requirements…and not just because we thought they may be useful.
All of the sources at the bottom of this slide are there for a reason. You decide what you want to collect…even down to the field level…and the conditions dictating when to capture the data using the simple…but powerful…WHERE command.
And when it comes to Splunk…we not only integrate with the base Splunk Enterprise product but also Splunk’s Enterprise Security and IT Service Intelligence solutions too.
Let’s take a look at some data in Splunk…and how you can do less work and optimize your IT visibility…
And by the way…that bank I mentioned on the previous slide…they are now using Ironstream to send real-time SMF to Splunk…where the application and mainframe teams can see what is happening second by second.
OK…drumroll please…here it is…mainframe data in Splunk
Wow…this is a little…er…underwhelming…isn’t it.
Well…it is log data…so it is not super sexy.
Remember…this is like looking under the hood at the engine. We don’t typically interact directly with the engine…it is usually via the dashboard and controls inside the vehicle…the user interface.
…In this case the data is showing “connection activity” for the mainframe: who…what…where…when.
It may not look fantastic…but don’t underestimate it…using Splunk you can easily search and interrogate data in so many different ways….Look at trends…identify patterns…see anomalies.
Plus you can correlate it with information from other non-mainframe sources. It’s the ultimate mash-up tool.
All of this could be very challenging without Splunk.
But you should be putting this kind of data to work. It is valuable and really insightful in so many ways.
…especially when you visualize it in charts and dashboards.
…and data really does come to life in a dashboard.
The visualization possibilities in Splunk are only limited by your imagination. I have seen some very cool implementations across our customers
…from real-time credit card monitoring…data movement tracking to ensure developers are not getting sensitive information…to second by second financial trading activities
Here we are simply getting visibility into a single LPAR on the mainframe…looking at some key metrics recorded over the last 7 days….yes…you can look back at the history.
But you can also use Splunk and machine learning to forward predict…quite accurately…where things are going based on what has already been seen.
Historical “training” data can be used to feed standard or bespoke data scientist machine learning algorithms to get insights into where things are going.
You can also take advantage of this data in real-time…as it is being written on the mainframe.
Ironstream captures a copy and sends it to Splunk so you can see what is occurring….as it is happening on the mainframe…not after the event took place…or the data left the building.
You can add better agility into your business by bringing real-time mainframe metrics into Splunk.
Are those key transactions performing well in your production CICS region? Here…real-time charts show you exactly what is going on….right now.
Are things trending up or down…are you heading into trouble?
This is live data…and Splunk can monitor and interrogate the data as it arrives…even taking action based on what it sees.
Hey team…something is out of step for a Wednesday morning…better take a look before it is too late.
…or I am seeing several failed logon attempts for a privileged account.
The operations team can now have visibility across the complete IT landscape…in the context of systems…
A wall of “green is good” screens telling them everything is running smoothly. This may sound difficult to achieve, but believe me, it is not when you use something like Splunk.
Ironstream can capture a LOT of valuable metrics and covers a myriad of use cases.
You can use it to gain visibility into many different scenarios – across security, compliance and operational metrics
Here’s just a selection of what can be achieved with Ironstream. From step-by-step batch job monitoring…to watching your CPU usage and the 4-hour rolling average…through to security and compliance. We have it covered.
Customers typically start with a single use case…knowing that they can quickly and easily expand into other areas.
For example…one of our customers…another major bank…yes banks are good customers for Precisely
They started their journey with a PCI DSS compliance use case…and are now expanding into CICS and Db2 operational activities.
Ironstream allows you to expand at your own pace. Use case by use case…and we can help and advise along the way.
We have many sample dashboards that we supply free to licensed Ironstream customers.
These are a really useful starting point. They are full of ideas and examples drawn from real-world implementations.
We have a comprehensive demo suite of dashboards to show just some of the things that are possible with a mainframe, Ironstream and Splunk.
To emphasize the dramatic shift that you can make…here is a real example from one of our customers
It shows credit card activities that are processed on the mainframe. It’s a classic 3270 “green screen” STAT INQUIRY view.
It is only accessible to those who can connect to the mainframe…and then…even though it shows very useful information about card transactions…declines…chip and pin activities…
…the data is static until you press enter.
It works…but is it the best way to surface this information? There must be a better way…
Of course there is…this is the same information presented in Splunk.
I have had to sanitize this screen a little for privacy reasons…but it really is the same information…presented in a Splunk dashboard…actually on an iPad…showing a map using geo-location lookup.
And…this is a real-time picture of what and where activities are taking place.
It summarizes information in a much better way…gives them better real-time insight into card declines…even highlights clusters of fraudulent card activities so they can proactively alert merchants and retailers.
What a dramatic shift…all underpinned by machine data supplemented with some card information…and delivered in real-time into Splunk by Ironstream.
This is starting to sound like “better results…less work”.
So what does this add up to? Where does this leave us?
We can get data into Splunk…and…OK…we can search it…and present it on some fancy dashboards…alright…but…now what…?
Good point…but you’re also missing the point…
Think about it. You’re getting this data…in real-time…or at least way faster than you may have in the past….and it contains some very insightful useful metrics about what is actually happening on your mainframe.
As we just saw…this information can be put to very good use.
You can get the current status of many things for so many use cases: batch work…transactions…queues…database activities…network connections…data transfers…security…compliance…and a lot, lot more
***CLICK***
This gives you much better visibility…which in turn leads to improved agility….because you can now react to the things that you can see as they’re happening…or with forward prediction…heading your way.
Something has failed…gone offline…hit an ABEND…entered a loop…is slowing down…
This means you have more control over what is happening…and because it is being reported in Splunk…in real-time…you can put it in the context of the rest of your IT landscape. Put it in the context of your credit card activities, for example.
You can have a broader vision and better control over infrastructure.
You’re in the driving seat…with your finger on the pulse…and this can ultimately result in less work. Take a deep breath….put your feet up….life is good.
***CLICK***
But wait…there’s more….
Ironstream can take things further…
We have a free Splunk data model that we have created specifically for mainframe. Why? To make life easier.
Not everyone is…wants to be…or needs to be…a mainframe subject matter expert.
With our data model you don’t have to be. Give the data model to someone proficient in Splunk…and away they go….using mainframe data sources such as SMF or RMF without necessarily needing to know in-depth mainframe jargon.
Likewise a seasoned mainframe person can get to grips with Splunk a lot quicker by using the data model.
It is intuitive to use and you can even create a reusable chart in less than 10 clicks of the mouse. No writing searches or even seeing a search…just click, click, click…done
Better results…less work
Turning to another use case…security
Ironstream is also integrated with Splunk Enterprise Security – the magic quadrant-leading solution in this space.
We have Splunk Technology Add-Ons that connect mainframe metrics into the Splunk Common Information Model…making the metrics available to solutions such as Splunk Enterprise Security.
We’ve done the hard work of connecting data points from the mainframe security products…RACF, ACF2 and Top Secret…so you don’t have to.
This brings together metrics from across your enterprise into a single SIEM solution.
Again, like the dashboards and data model…these security add-ons are free to licensed customers.
Better results...less work.
And if you want to take advantage of Splunk IT Service Intelligence to get that “green is good” dashboard…then we also have a free module to add to this powerful solution.
Here you can add mainframe Key Performance Indicators and thresholds into ITSI and easily see how your complete business systems are performing…how healthy they are…without lifting a finger.
Better results…less work…
And finally…we have recently launched what we call “Starter Packs”
These are Splunk apps…free to licensed Ironstream customers…that draw on our customer’s experience and best practice…and bring this together into one place.
Each pack is a collection of searches, lookups and dashboards that show you how to bring out the best from your mainframe dark data.
Today we have starter packs for…IT Operations Analytics…and Security
You can quickly add a pack to your Splunk environment…make a simple interactive change in the app to point it at your data…and away you go.
One of our customers dropped in the IT Ops starter pack and then made some modifications to group information into their 5 key application areas…
They are now using this in production to quickly see how these critical systems are performing…plus the application owners are able to see the same information…
Less phone calls…less interruption for the mainframe team…more information for those who need it…
Better visibility…less work…
So with that…I thank you for your time.
I hope you have been able to see how you can deliver some good results from your mainframe with Ironstream and Splunk.
I’ll open the floor for questions.