DEF and REDEF statements


DEF and REDEF define and redefine a field with the following syntax:

DEF|REDEF name tag context( [CEF(tag)] [TAGSUBst(REP)] ) FormatSpecification(…) GetSpecification(…) [CondSpecification(…)] [DESC(description)]

The following table summarizes the required statements:

Statement

Description

DEF | REDEF

One of DEF or REDEF must be specified, as follows:

  • If you code a DEF statement that attempts to define a field that has already been defined, it is an error.
  • If you code a REDEF statement that attempts to redefine a field that has not previously been defined, it is a warning condition.

name

Specifies the name of this field. The name is required and, within the specified context, must be unique (for DEF) or should be previously defined (for REDEF). Specify one to twenty alphanumeric characters.

context

Specifies the type of event to which the field applies. Specify a context specified in a preceding TYPE or RETYPE statement, or one of the contexts in the following table. This operand is required.

| Context | Description |
| --- | --- |
| SMF_Common | Context for fields that are common to all SMF record types. |
| Test_Event | For BMC internal use only. |
| Universal | Context for fields that are common to all event types. |

tag

Specifies the tag that is used to identify the data in the syslog messages. Specify zero to 22 alphanumeric characters. Tag is required; to specify a null tag, code '' or "" (two adjacent quotation marks).

If you specify TAGSUBst, then the tag might contain a substitution specifier. A substitution specifier begins with a % character and has the format %[flags][width][.precision]%|o|u|x|X.

For a complete discussion of substitution specifiers, see the IBM Knowledge Center. The following is a description of the most common values:

Note

The specifiers are case sensitive.

  • % is required.
  • flags: 0 indicates leading zeros if necessary to achieve width characters.

    Note

    If you do not specify 0, then any width is made up by padding on the left with blanks.

  • width: Specifies a minimum number of characters for the formatted value. Width defaults to 1.
  • % indicates a literal % character. You must omit the optional components and simply specify %%.
  • o indicates octal substitution. The substitution value is converted to its octal representation.
  • u indicates decimal substitution. The substitution value is converted to its decimal representation.
  • x and X indicate hexadecimal substitution. The substitution value is converted to its hexadecimal representation. x uses the characters a-f; X uses the characters A-F. OPTions TAGCase(Initial or Lower) forces X to x; TAGCase(Upper) forces x to X.

The tag as specified, including any substitution specifier, must not exceed 22 characters. The tag after substitution must not exceed 40 characters. If you code an invalid format code, the result is not defined, but generally no corresponding output is produced: a format code of %z is formatted as the empty string.

The following are examples of tag substitution:

| Tag as specified | Substituted value | Tag as formatted | Notes |
| --- | --- | --- | --- |
| Line%u | 12 | Line12 | |
| Line%u | 1 | Line1 | |
| Line%2u | 5 | Line 5 | Note embedded blank that is probably not desirable. |
| Line%02u | 7 | Line07 | Note leading zero instead of blanks. |
| Line%02u | 123 | Line123 | Digits are never lost even if specified width is exceeded. |
| Line-%x | 10 | Line-a | Note lowercase a. |
| Line%4X | 26 | Line001A | Note padding and uppercase a. |
| Ratio%u%% | 5 | Ratio5% | Note literal %. |

ARRAY()

Specifies that the field is to be formatted as an array. An array has a single tag and zero or more values contained between square brackets.

CEF(ceftag)

Specifies the tag that is used to identify the data in syslog messages if OPTIONS SIEMTYPE(CEF). Specify one of the extension names in the CEF documentation. If you specify one of the custom CEF fields such as cs1, then the field tag becomes the custom field label (cs1Label=tag). CEF(ceftag) is optional; if you omit it, then the field is a non-CEF field and is included in the msg= portion of the CEF extension when SIEMTYPE(CEF).

NOPARM()

Specifies that the field is an internal field and cannot be coded in the FIELD() parameter of an EVENT or SMF statement. NOPARM is set automatically if the Get Specification is GFlist, but not if the Get Specification calls GFlist indirectly, such as GTriplet(GFlist(… or GIfElse(… GFlist …

TAGSUBst(REP)

Specifies that the field’s tag might contain substitution specifiers, and that the repetition number of the field is to be substituted for the substitution specifier. For fields based on a Get Specification that provides potential field or section repetition, such as GArray, GIndexed and GTriplet, the repetition number is a positive integer that starts at 1 for the first section or data and is incremented by 1 for each repetition of the section or data. The repetition number is always 1 for fields based on a Get Specification that does not provide repetition. If you specify TAGSUBst with a tag that does not include a substitution specifier, then there is no harm other than a slight increase in overhead; if you omit TAGSUBst with a tag that includes a substitution specifier, then no substitution is performed and the substitution specifier appears literally in the formatted tag.
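The substitution rules described under tag and TAGSUBst(REP), modelled in Python as an added example (not BMC code and not part of the original documentation). The names format_tag and repeated_tags are hypothetical, the optional .precision component is not modelled, and an invalid format code is assumed to always produce the empty string.

```python
import re

# Added sketch, not BMC code. Grammar from the page: % [flag 0] [width] then one
# of % o u x X. The optional .precision component is not modelled here.
_SPEC = re.compile(r"%(0?)(\d*)([A-Za-z%])")
MAX_SPECIFIED = 22  # limit on the tag as coded, specifier included
MAX_FORMATTED = 40  # limit on the tag after substitution


def format_tag(tag, rep=1, tagsubst=True, tagcase=None):
    """Format `tag` for repetition number `rep` (1 for the first repetition).

    tagsubst mirrors TAGSUBst(REP) being coded; tagcase mirrors OPTions
    TAGCase ("Initial", "Lower", "Upper", or None when not modelled).
    """
    if len(tag) > MAX_SPECIFIED:
        raise ValueError("tag as specified exceeds 22 characters")
    if not tagsubst:
        return tag  # no substitution: the specifier appears literally

    def substitute(match):
        zero, width, conv = match.groups()
        if conv == "%":  # literal %, valid only as a bare %%
            return "%" if match.group(0) == "%%" else ""
        if conv == "X" and tagcase in ("Initial", "Lower"):
            conv = "x"
        elif conv == "x" and tagcase == "Upper":
            conv = "X"
        if conv not in "ouxX":
            return ""  # invalid format code such as %z: no output
        digits = format(rep, "d" if conv == "u" else conv)
        # Width defaults to 1; digits are never truncated to fit the width.
        return digits.rjust(int(width or 1), "0" if zero else " ")

    formatted = _SPEC.sub(substitute, tag)
    if len(formatted) > MAX_FORMATTED:
        raise ValueError("tag after substitution exceeds 40 characters")
    return formatted


def repeated_tags(tag, count, **options):
    """Tags for repetitions 1..count of a repeating field."""
    return [format_tag(tag, rep, **options) for rep in range(1, count + 1)]
```

Because the sketch follows the blank-padding rule given for flags, it formats Line%4X with 26 as "Line  1A", and Line%04X as "Line001A". With tagsubst=False every repetition carries the same literal tag, which is worth checking for in SIEM parsers that expect one distinct key per repetition.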

FormatSpecification(…)

Specifies the name of a Format Specification, and the parameters for that Format Specification. The Format Specification specifies how the field is to be formatted.

Example

FInt(UShort) specifies that the field is to be formatted as an unsigned short integer.

FormatSpecification is required.

GetSpecification(…)

Specifies the name of a Get Specification and its parameters. The Get Specification specifies where the field data is to be located. For example, GBase(22 4) specifies that the field is in the base portion of the SMF record at displacement 22 and is four bytes long.

The Get Specification is required.

ConditionSpecification(…)

Specifies the name of a Condition Specification as listed, and the parameters for that Condition Specification. The Condition Specification specifies under what conditions the field is present in the Event record.

Example

CSubTp(EQ 10) specifies that the field is only present when the record subtype is 10.

The Condition Specification is optional; if no Condition Specification is specified then BMC AMI Defender for z/OS attempts to format the field for every event of context type.

DESC(description)

Specifies an optional description for the field. This field serves only as documentation. It must be syntactically valid but is not processed or stored by BMC AMI Defender for z/OS in any way.
