Ironstream from Syncsort can do all of this work for you. It will handle all of the issues related to SYSLOG, z/OS SMF records, log4j and flat files. It deals with the compression, the triplets, the binary data and converts the data from EBCDIC to ASCII. It does this very efficiently, even offloading a lot of the work to a zIIP engine in order to keep the MSU cost of this work to an absolute minimum. This is all done in real time to give you the best data latency possible while not impacting the existing workload on your system.

Has there been any development in this area since then. Is there a native app / forwarder in Splunk to send logs from mainframe to Splunk server.

While not a direct Splunk solution, I came across this information while doing some research: http://www.infosecinc.com/
Quote: "Mainframe Event Acquisition System™ (MEAS™) is designed to help clients collect real-time information pertaining to security events, database related events, transaction processing events and more.

This technology enables mainframe clients to collect, store, report and take action against the event data through integration with SIEM (Security Information and Event Management) and log management technologies. MEASTM is integrated with all popular, commercially available SIEM and log management products.."

If you can write the log files to a shared filesystem like NFS, then a forwarder on a Linux/Windows box could access the log files there.

If you have syslog on the mainframe, or a similar tool that can emit the data over a network port, Splunk can monitor the port.

You could use any other mechanism for transporting the log files from the mainframe to a Linux/Windows box. But be careful; your technique needs to be robust enough to deal with network outages, server restarts, log file rotation etc. It also needs to avoid sending the same data twice. So writing your own script to forward data is not a trivial task.