Get specifications returns the address and length of a field value. Some Get specifications, especially the triplet type specifications, return multiple instances of a field, if appropriate, for instance, if the triplet indicates multiple repetitions. For some Format specifications, such as FInt, ignore the length returned by the Get specification. Some Format specifications, such as FChar, typically specify their own maximum length.
| |
|---|
| GApf(GetDSNSpec(...) [GetVolserSpec(...)]) | GApf returns the address of a one-byte field that contains x'80', if the named data set is APF-authorized else X'00'. See Duplicate data set names and false positives and Other limitations for a discussion of the limitations of APF status enrichment. You would use GApf normally with FBool, as in the following instance: Example DEF SMF14JFCBDSNM_APF APF SMF_T14() FBool(UChar 0x80) + GApf(GBase(68 44)) |
|---|
| Specifies the location in the record of the data set name. Specify any valid Get specification except GNull. The data must either be 44 or more bytes in length, left-justified and blank-padded, or GetDSNSpec must be able to return the exact data set name length. This operand is required. |
|---|
GetVolserSpec(...) | Specifies the location in the record of the volume serial. Specify any valid Get specification except GNull. The data is assumed to be six bytes in length. This operand is optional. If you omit GetVolserSpec, then GApf returns x'80' if any APF-authorized data set with a matching name is found. |
|---|
|
| GArray(count_format GetCountSpec(...) GetFirstElementSpec(...) displacement length) | GArray returns the address of a field in each element of an array. The array elements are assumed to be of fixed-length. |
|---|
| Specifies the format of the count of elements in the array. Specify any of the integer types from the table Integer Types except UCharUChar and UNiblUNibl. (For GConst code LongLong.) This operand is required. |
|---|
| Specifies the location in the record of the count of elements. Specify any valid Get specification except GNull (including GConst if appropriate). This operand is required. |
|---|
| Specifies the location in the record of the first element of the array. Specify any valid Get specification except GNull. This operand is required. |
|---|
| Specify the displacement of the field in each array element relative to zero. This operand is required. |
|---|
| Specify the length of each element of the array. Specify a positive integer between 1–32767. This operand is required. |
|---|
|
| GBase(displacement [length]) | The GBase specification returns the address and length of a value in the base of the Event record. |
|---|
| Specify the displacement of the value relative to zero and including the record control word (llbb). Offset 5, for instance, is the SMF record type field. This is the offset usually given in SMF record documentation and assembly listings. This operand is required. |
|---|
| Specify the length of the value. This operand is optional. If you omit length, it defaults to the length of the remainder of the record beyond the displacement specified. |
|---|
|
| GCICSmonData(class displacement length) | GCICSmonData returns the address and length of fields referenced by an offset into a Performance, Exception or Resource data record of a CICS Monitor Subtype 1 data record. |
|---|
| Is PERFormance, EXCEPT or RESource, indicating the type of data record. Do not use PERFormance; instead use the GCICSmonPerf specification. |
|---|
| Specifies the displacement, base zero, of the field in the data record. This operand is required. |
|---|
| Specify the length of the value. This operand is required. |
|---|
|
| GCICSmonPerf([fieldname] [offset]) | GCICSmonPerf returns the address and length of a CICS Monitoring Performance field. |
|---|
| Is the IBM name of a performance field. This operand is optional; if omitted, it defaults to the name of the BMC AMI Defender for z/OS field (the name specified in DEF fieldname … GCICSmonPerf()). |
|---|
| Is an offset in the range -32767 to +32767, of the data relative to the named field. This operand is optional; if omitted, it defaults to zero. |
|---|
|
| GCICSmonTriplet(offset_of_triplet displacement length) | GCICSmonTriplet returns the address and length of fields in a section pointed to by a CICS performance data record triplet. SMF triplets are documented in the IBM documentation about SMF. GCICSmonTriplet should only be used for the Transaction Resource ID triplet and not for triplets with a repetition count other than one (or zero). |
|---|
| The offset of the pointer triplet in the current performance data record. This operand is required. |
|---|
| Specifies the displacement, base zero, of the field in the section. This operand is required. |
|---|
| Specify the length of the value. This operand is required. |
|---|
|
| GCICSresSect(class displacement length) | GCICSresSect returns the address and length of fields referenced by an offset into a File, TSQueue, or DPL section of a CICS Monitor Resource (Class 5) data record. |
|---|
| Is FILE, TSQueue, or DPL, indicating the type of section. |
|---|
| Specifies the displacement, base zero, of the field in the section. This operand is required |
|---|
| Specify the length of the value. This operand is required. |
|---|
|
| GCompute(FormatLeft GetLeft(…) Operation FormatRight GetRight(…)) | The GCompute Specification returns the address and length of a signed 64-bit integer computed as specified. |
|---|
| Specifies the format of the left-hand operand. Specify any of the integer types from the preceding table Integer Types except UCharUChar and UNiblUNibl. (For the result of GConst or GCompute code LongLong.) This operand is required. |
|---|
| Specifies the location of the left-hand operand. Specify any valid Get specification except GNull. This operand is required. |
|---|
| Specifies the arithmetic operation to be performed. For instance, specifies that the right-hand operand is to be subtracted from the left-hand operand. Specify any of the operators from the preceding table Arithmetic Operator Types. |
|---|
| Specifies the format of the right-hand operand. Specify any of the integer types from the preceding table Integer Types except UCharUChar and UNiblUNibl. (For the result of GConst or GCompute code LongLong.) This operand is required. |
|---|
| Specifies the location of the right-hand operand. Specify any valid Get specification except GNull. You require this operand. |
|---|
|
| GConst(integer) GConst(“char string”) | The GConst specification returns the address and length of some constant value, independent of the current Event record. The value might be a signed 64-bit integer or a character string up to 32 characters in length. |
|---|
| A constant integer to be returned. Code an integer between the minimum and the maximum 64-bit signed integer, approximately +/- 18 * 1018. |
|---|
| A 0–32 character string, enclosed in quotes. |
|---|
|
| | The GCPUtime specification returns the address of an unsigned 32-bit integer representing the CPU time used by BMC AMI Defender for z/OS expressed as microseconds divided by a specified divisor. GCPUtime takes no parameters. |
|---|
| Specifies a CPU time divisor. This operand is required. Example Specifying 1 causes GCPUtime to return the CPU time in microseconds. Specifying 1000 causes GCPUtime to return the CPU time in millisecond. |
|---|
|
| GDB2hdr(header_type displacement [length]) | The GDB2hdr Specification returns the address of a field in a DB2 SMF header. |
|---|
| Code the type number of a DB2 header such as 1, 2, 4, 8, 16 or 32. This operand is required. |
|---|
| Specifies the displacement, base zero, of the field in the specified header. This operand is required. |
|---|
| Specifies the length of the data field. This operand is optional; if you omit, GDB2hdr returns the length from displacement to the end of the header. If you code length and displacement plus length is greater than the length of the header, then the field is treated as not addressable. |
|---|
|
| GExt14(section_type displacement length) | Returns SMF 14/15 Section Data |
|---|
| The SMF 14/15 Extended Information Segment section type. This is a number from 1 to 9. 1 COMPRESSED FORMAT D/S
2 SMS CLASS INFORMATION
3 STEP INFORMATION
4 ANSI VERSION 4 CCSID
5 ADDTIONAL DATA SET CHARACTERISTICS
6 PDSE STATISTICS
7 KEK LABEL DATA FOR TAPE HARDWARE ENCRYPTION
8 RAS
9 DASD Data Set Encryption |
|---|
| The offset within the Extended Information Segment. This offset must include the offset for the 4 byte segment prefix. The first field in the segment begins at offset 4. |
|---|
| Length of the fixed-length SMF 14/15 field. |
|---|
|
| GFList(displacement length) | |
|---|
| Specifies the displacement, base zero, of the field in from the address returned by the FFlist field’s GET Specification. This operand is required. |
|---|
| Specifies the length of the field. This operand is required. |
|---|
|
| GIfElse(CondSpecification(…) GetSpecificationA(…) GetSpecificationB(…)) | The GIfElse specification returns the result of either of two Get specifications depending on whether the result of a specified Condition Specification is true or false. |
|---|
| Specifies the name of a Condition specification, and the parameters for that Condition specification. The Condition specification specifies a condition to be tested to determine which of the two Get specifications to invoke. This operand is required. |
|---|
GetSpecificationA(…) GetSpecificationB(…) | Specifies the names of two Get specifications and the parameters for those Get specifications. The first Get specification specifies where the field data is to be located if the condition is true, and the second Get specification specifies where the field data is to be located if the condition is false. This operand is required. |
|---|
|
| GIndexed(GetSpecification(…) int_fmt GetSpecificationIndex(...) [int_fmtn GetSpecificationIndexn(...) ...]) | TheGIndexed specification returns the address and length of a field located an offset beyond the address returned by the primary Get specification. You can specify a single offset, or multiple offsets that are to be added together. |
|---|
| Specifies the name of a Get specification and the parameters for that Get specification. The Get specification specifies the location and length of the data, assuming an index of zero. This operand is required. |
|---|
| The format of the index. Specify any of the integer types from the table Integer Types except UCharUChar and UNiblUNibl. This operand is required. |
|---|
| Specifies the name of a Get specification and the parameters for that Get specification. The Get specification specifies the location and length of the index. This operand is required. |
|---|
| The format of the next index. Specify any of the integer types from the table Integer Types except UCharUChar and UNiblUNibl. This operand is required. |
|---|
GetSpecificationIndexn(…) | Specifies the name of a Get specification and the parameters for that Get specification. The Get specification specifies the location and length of the next index. This operand is required. |
|---|
|
| | The GInternal specification returns the address and length of data that is internal to BMC AMI Defender for z/OS ,that is, not part of an event record. |
|---|
| The label assigned to the internal data. The label is case-insensitive: HOST_SAF, Host_SAF and host_saf are equivalent. This operand is required. Specify one of the following labels: | |
|---|
| The event subtype as determined by BMC AMI Defender for z/OS, suitable for formatting with FInt(Long). This field is generally the same value as SMFXXSTY, but differs for events such as DB2 and SMF 90 that have subtypes in a non-standard location. BMC AMI Defender for z/OS assigns a subtype of -1 to events without a defined subtype. | | The CPU ID (CPU serial number) as 12 printable characters. | | The TCP/IP hostname as a character field of unknown length, suitable for formatting with FCstring. | | The primary IPv4 address of the TCP/IP stack as a character field of unknown length, suitable for formatting with FCstring. | | The primary IPv6 address of the TCP/IP stack of unknown length, suitable for formatting with FCstring. | | The JES node name as a character field of 8 characters. | | The LPAR name as a character field of 8 characters. | | The LPAR security subsystem type, expressed as an integer suitable for formatting with FInt(UChar): 0 = None, 1 = RACF, 2 = CA ACF2, 3 = CA Top Secret (TSS) | | The LPAR security subsystem type, expressed as text of unknown length, suitable for formatting with FCstring: None, RACF, ACF2 or TSS. | | The SMF ID of the LPAR as a character field of 4 characters. | | The system name (&SYSNAME as defined in the IEASYSxx or IEASYMxx parmlib member) as a character field of 8 characters. | | The name of the z/OS installation exit or API from which the event record was received: API1, IEFU83, IEFU84, IEFU85 or IEFU86, as a character field of unknown length, suitable for formatting with FCstring.. | | The RFC3164 facility expressed as a number between 0–23, suitable for formatting with FInt(Long). See Syslog Facilities and Severities in BMC AMI Defender documentation. | | The RFC3164 facility expressed as a character string of unknown length, suitable for formatting with FInt(Long). See Syslog Facilities and Severities in BMC AMI Defender documentation. | | The RFC3164 severity expressed as a number between 0–7, suitable for formatting with FInt(Long). See Syslog Facilities and Severities in BMC AMI Defender documentation. | | The RFC3164 severity expressed as a character string. See Syslog Facilities and Severities in BMC AMI Defender documentation | | Member name of current parameter file, expressed as a character field of unknown length, suitable for formatting with FCstring. | | SIEM Type: RFC3164, CEF, Splunk, LEEF, DAM/DAMVISualizer or JSON, expressed as a character field of unknown length, suitable for formatting with FCstring. | | BMC AMI Defender for z/OS version in format v.r.m as a character field of 6 bytes. (The length is subject to change in future releases of BMC AMI Defender for z/OS. |
|
|---|
|
| GIPAdj(GetSpecification(…)) | The GIPAdj specification returns an IP address in character form that has been adjusted so that it is a proper IPv4 address. An IPv6 address that cannot be converted to an IPv4 address is returned as 255.255.255.255. |
|---|
| Specifies the names of a Get specification and the parameters for that Get specification. The Get specification specifies where the IP address data in character form is located. This operand is required. |
|---|
|
| | The GNull specification is a special Get specification that might be used with Format Specifications such as FFlist that do not require a field value address. GNull always returns an address and length of zero. GNull takes no parameters. |
|---|
|
| GOffset(GetSpecification(…) displacement length_adjustment) | The GOffset specification returns the address and length of a field value that consists of a 16-bit displacement in a variable section that points to a 16-bit length followed by the actual value. |
|---|
| Specifies the name of a Get specification and the parameters for that Get specification. The Get specification specifies the location of the Event record segment containing the pointer, length, and data. This operand is required. |
|---|
| Specifies the offset of the displacement pointer from the address returned by the Get specification, base 0. This operand is required. |
|---|
| Specifies any adjustment to be made to the length value in the record. Example Some length values include their own size, so a length_adjustment of -2 would be appropriate. This operand is required. |
|---|
|
| GOffsetBase(offset_of_pointer offset_of_data [length]) | The GOffsetBase specification returns the address and length of a field value that is some fixed displacement into a structure pointed to by a 16-bit displacement in the base section of an Event record. |
|---|
| Specifies the offset, base zero, into the base of an Event record, of a 16-bit displacement to the structure containing the field value. This operand is required. |
|---|
| Specifies the offset, base zero, of the data value into the structure pointed to by the displacement value. This operand is required. |
|---|
| Specifies the length of the field. This operand is optional. If you omit, then the length of the data must be known by the Format Specification. |
|---|
|
| GPreamble(displacement length) | The GPreamble specification returns the address and length of a value in the base of the preamble for an SMF record or API 1 event. The preamble has a BMC-defined format and is subject to change. |
|---|
| Specify the displacement of the value relative to zero and including the record control word (llbb). This operand is required. |
|---|
| Specify the length of the value. You require this operand. |
|---|
|
| | If the field type is coded as ESC or omitted, GPriv returns a 1-byte code indicating the privilege status of the SMF enrichment user ID. GPriv takes no operands. See Privilege Escalation Detection in BMC AMI Defender documentation. The code values are as follows: | |
|---|
| Not a privileged user. Because the value is blank, it would normally suppress and not be transmitted (assuming OPTions FORMAT(ERGO). | | Escalated privileges. This user ID was last seen as unprivileged or with lesser privileges, but now has escalated. | | Known privileged user. This user ID has been seen before, and the last time it was seen, it had the same privileges as currently seen. | | New privileged user. This is the first time this user ID is seen in the current execution of BMC AMI Defender for z/OS, and the user is privileged. |
|
|---|
| If the field type is coded as CHG then GPriv returns a 32-bit unsigned integer, the low-order, 8 bits of which correspond to the escalation change in ACEEFLG1 (and zero if no escalation has occurred). Example If the escalation were from not SPECIAL to SPECIAL, the returned integer is X'00000080'. |
|---|
|
| GRelo(type_number displacement) | The GRelo specification returns the address and length of data in a RACF relocate section. Relocate sections are documented in the IBM z/OS Security Server RACF Macros and Interfaces Manual. |
|---|
| Specifies the relocate section type number. You might specify a non-extended length relocate section (type numbers less than 256) or an extended-length relocate section (type numbers 256 and above). Code a number between 1–999. (As of RACF V2R1 the maximum IBM-defined Extended Relocate type is 429.) This operand is required. |
|---|
| Specifies the displacement, base zero, of the field in the relocate section. This operand is required. |
|---|
|
| GRept(GetSpecification(…) length_each [max_count]) | The GRept specification returns the address and length of a field or set of fields that repeat within a section. The section might occur once or multiple times (such as GRelo, GTriplet). The addressed data might be a single field or multiple fields to be formatted with FFlist. |
|---|
| Specifies the name of a Get specification and the parameters for that Get specification. The Get specification specifies the location of the first element of the repeating data. This operand is required. |
|---|
| Specifies the length of each field or set of fields in the series of repetitions. This operand is required. |
|---|
| Specifies the maximum number of repetitions per section. Code a number between 1–65535. This operand is optional; if you omit, it defaults to unlimited, and the number of fields or sets of fields is limited only by the length of the containing section. |
|---|
|
| | GTime returns an 8-byte STCK (store clock) value corresponding to the current hardware clock time. GTime takes no operands. The non-extended hardware clock will wrap to zero on 17-Sep-2042; consider using GTimeE() instead. |
|---|
|
| | GTimeE returns a 16-byte STCKE (store clock extended) value corresponding to the current hardware clock time. GTimeE takes no operands. |
|---|
|
| GTriplet(offset_of_triplet|GetSpecTriplet(…) displacement [OCCURrence(occurrence)]) | GTriplet returns the address and length of fields in one or more Event record sections pointed to by a triplet of a non-DB2 Event record. SMF triplets are documented in the IBM Manual System Management Facilities. |
|---|
| The offset of the pointer triplet in the base of the Event record. Specify a number in Signed Extended Numeric Format between the minimum and maximum permitted triplet offsets for the event (See TYPE-and-RETYPE-statements). You require either offset_of_triplet or GetSpecTriplet(…). |
|---|
| Code a Get specification for the location of the triplet. Specify any valid Get specification except GNull. Any length returned by the Get Specification is ignored; a triplet length of 8 is assumed. You require either offset_of_triplet or GetSpecTriplet(…). |
|---|
| Specifies the displacement, base zero, of the field in the section. This operand is required. |
|---|
| Specifies that GTriplet is to return only a single specified occurrence of the triplet record sections. Specify an occurrence number between 1–32767 inclusive. If the specified number is greater than the number of occurrences indicated by the triplet in the record, then GTriplet returns not present for the field. This operand is optional; if you omit OCCURrence then all occurrences are returned in succession. |
|---|
|
| GTripletArray(offset_of_triplet displacement) | GTripletArray returns the address and length of the elements of an array of fields in an Event record sections pointed to by a triplet, other than in a DB2 SMF record. Each entry in the array is assumed to be preceded by a half-word length of the entry. SMF triplets are documented in the IBM documentation. |
|---|
| The offset of the pointer triplet in the base of the Event record. This operand is required. |
|---|
| Specifies the displacement, base zero, of the first field of the array in the section. This operand is required. |
|---|
|
| GTripletDB2(offset_of_triplet displacement [length [length_adjust]]) GTripletDB2First(offset_of_triplet displacement [length [length_adjust]) | GTripletDB2 returns the address and length of fields in one or more SMF record sections pointed to by a triplet of a Db2 SMF record. DB2 SMF triplets are documented in IBM documentation. Example DB2 10 for z/OS Managing Performance. GTripletDB2First is identical to GTripletDB2 but only returns the first instance of the field. |
|---|
| The offset of the pointer triplet in the base of the Event record. This operand is required. |
|---|
| Specifies the displacement, base zero, of the field in the section. This operand is required. |
|---|
| Specifies the length of the field. This operand is optional. If you omit, then the length of the data must be known by the Format specification. If you are coding length only as a placeholder for length_adjust, then code 32767. |
|---|
| Specifies — for Db2 variable-length segments where the length in the triplet is zero—any adjustment to be made to the length value in the record. For instance, some length values include their own size, so a length_adjustment of -2 would be appropriate. This operand is optional. If you omit, it defaults to zero, that is, the length in the length value is the exact length of the data without the length field. |
|---|
|
| GTripletXLen(offset_of_triplet displacement_of_length displacement_of_field [length_adjustment]) | GTripletXLen returns the address and length of a field with an explicit length in an Event record section pointed to by a triplet. Compare GXlen, that is more flexible in its specification. |
|---|
| The offset of the pointer triplet in the base of the Event record. This operand is required. |
|---|
| Specifies the displacement, base zero, of the length halfword in the section. This operand is required. |
|---|
| Specifies the displacement, base zero, of the field in the section. This operand is required. |
|---|
| Specifies an adjustment to be applied to the length to obtain the actual length of the field. This operand is optional. If you omit, the length in the Event record is used directly as the length of the field. |
|---|
|
| GTwoLoc(GetSection(…) displacement_of_fixed length displacement_of_pointer) | GTwoLoc is used to get the address and length of a field that is present in one or possibly two locations in an Event record: a fixed-length field, and a variable-length field that is populated if the data is longer than the fixed-length field. Compare GXlen that is not limited to triplet-located data. |
|---|
| Specifies the name of a Get Specification and the parameters for that Get specification. The Get specification specifies the location of the Event record segment containing the length and data fields. GetSection would typically be GBase or GTripletDB2. This operand is required. |
|---|
| Specifies the displacement, base zero, of the fixed-length field. This operand is required. |
|---|
| Specifies the length of the fixed-length field. This operand is required. |
|---|
| Specifies the displacement, base zero, of a 16-bit pointer containing the offset from the base of the section to the variable-length field. Displacement is assumed to begin with a 16-bit length field preceding the actual data. This operand is required. |
|---|
|
| GXLen(GetSpecificationOffset(...) int_fmt GetSpecificationLength(...) [length_adjustment]) | GXLen returns the address and length of a field with an explicit length in any part of the event record. The length returned is the lesser of the length returned by GetSpecificationOffset or the explicit length field, adjusted as specified. Compare GTripletXlen that might be more efficient or easier to use if the data and the length are located in a triplet-located section. |
|---|
GetSpecificationOffset(…) | Specifies the name of a Get Specification that specifies the offset or location of the data field and the parameters for that Get specification. This operand is required. |
|---|
| The format of the index. Specify any of the integer types from the Integer Types table preceding this except UCharUChar and UNiblUNibl. This operand is required. |
|---|
GetSpecificationLength(…) | Specifies the name of a Get specification that specifies the offset or location of the explicit length field and the parameters for that Get specification. This operand is required. |
|---|
| Specifies an adjustment to be applied to the length to obtain the actual length of the field. This operand is optional. If you omit, then the length in the Event record is used directly as the length of the field. |
|---|
|