I have looked into this in the past. You will more than likely need to use some 3rd party software to create metrics that Splunk will collect. There are currently no Splunk Apps/built-in functionality (aside from using syslog) for doing this. This company seemed to have a solution that would plug into Splunk http://www.infosecinc.com/meas.php
There is no forwarder code for mainframe systems today. You could always submit a feature request asking for it. If you don't, then chances are it will never happen. (Splunk product management does not look at Splunkbase questions around a particular topic as a proxy for actual feature requests.)
Also, you need to be explicit about what you are looking for. There are at least 3 common "mainframe" operating systems, and programs compiled for one WILL NOT work on the other. You have:
All of these are "mainframe" operating systems, each with their own APIs and idiosyncrasies. When 99% of all people think "mainframe" they are thinking of z/OS, but the alternatives exist. (Functionally speaking, Linux/s390 would be the least difficult for Splunk to port a forwarder to - the other two could be much worse.)
I downvoted this post because it is not really true; there are a variety of forwarding options on the market, like IBM's Common Data Provider... although I appreciate this post might have been correct when initially written!
I did a little exploration with a third party about getting performance metrics off of NonStop/Tandem hardware. We wrote a program to collect the metrics and write them out using a vaguely sensible format to a socket. Then it was just a simple TCP input in the Splunk server and some extractions. It was quite a successful prototype and proof-of-concept, although we didn't end up releasing the product.
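A sketch of the approach described in the post above (collector writes metrics to a socket, Splunk reads them on a TCP input), added here as an example and not the poster's program. Python stands in for whatever ran on the NonStop side; the host name, metric names and the choice of a timestamped key=value line format are assumptions.

```python
import socket
import time

def kv_escape(value):
    """Render one value so it stays a single field on a single line."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    # CR/LF inside a value would split one event into two at the receiver.
    text = text.replace("\r", " ").replace("\n", " ")
    # Quote anything that would otherwise break key=value parsing.
    if text == "" or any(c in text for c in ' \t=,'):
        return '"' + text + '"'
    return text

def format_event(host, metrics, ts=None):
    """One newline-terminated event: UTC timestamp, then key=value pairs.

    Keys are assumed to be fixed identifiers chosen by the collector;
    only values are treated as untrusted.
    """
    ts = time.time() if ts is None else ts
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))
    fields = [("host_name", host)] + sorted(metrics.items())
    body = " ".join(f"{k}={kv_escape(v)}" for k, v in fields)
    return f"{stamp} {body}\n"

def send_events(events, address, timeout=5.0):
    """Write events to the receiver's TCP input; returns bytes sent."""
    payload = "".join(events).encode("utf-8")
    with socket.create_connection(address, timeout=timeout) as conn:
        conn.sendall(payload)
    return len(payload)

if __name__ == "__main__":
    # Constructed sample metrics; the field names are hypothetical.
    sample = {"cpu_busy_pct": 37.5, "process": "$ZNET mon", "disk_q": 2}
    print(format_event("nsk01", sample, ts=0), end="")
    # send_events([...], ("splunk.example.internal", 9514))  # placeholder address
```

A raw TCP input carries no authentication or encryption, so it is worth restricting which senders the receiving port accepts and keeping it off untrusted networks.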
Hi - check out the Mainframe Event Acquisition System (MEAS) which will send mainframe data to Splunk. Events such as security activity, database accesses, CICS transaction activity, dataset access, FTP, TCPIP, RMF, SMP/E and more. You have the ability to filter so that you can send only what you really want to Splunk for further alerting and reporting. www.meas-info.com.
We FTP our Mainframe logs every 5 minutes to a text file on a heavy forwarder. The logs are forwarded on from there and load balanced across our indexers.