I have been using Splunk Enterprise for quite some time and recently added the Splunk for iseries - AS/400 plugin.
I searched a lot for ways to get data into Splunk from AS400, but I am still not sure how to create connectivity between Splunk Enterprise and AS400, I mean like giving some URL etc. to get in log files from AS400.
Can you please help me on this?
Thanks in advance!
You need to get your data in via other means:
AUDJRN: look at the AS400 app by Ron Naken.
Logs: you can have a syslog agent that tails files and sends them as syslogs to Splunk, e.g. syslog-ng.
Syncsort Ironstream: this will actually have a pseudo 'forwarder' on AS400. Developed by mainframe co. Syncsort & Splunk.
Note that this will mean additional licensing for the syslog & Ironstream routes, unless you go ahead with a bespoke syslog utility for your logs.
If data is not needed in near real time, have them FTP'ed to your accessible Splunk box?
The App for iSeries relies on the iSeries exporting data into files which we can read. It contains example scripts showing how you can automate this on the iSeries end in its bin folder. You'll also need an FTP server for it to write the exports to.
On the AS400 side I could FTP the file, but I am not sure how to get that data from the AS400 FTP and bring it into Splunk.
I had come across an app called "importutil" through which we can import data from FTP, HTTP etc., but I'm getting the following error while executing the query.
command="importutil", Usage : importutil [config=] [format=] Example : importutil http http://research.stlouisfed.org/fred2/data/PAYEMS.txt
The issue had already been asked but no solution has been given.