Limited supportBMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support.BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Datastream for z/OS 7.1.

Condition specifications

Condition specifications are optional. They specify the conditions under which a field is valid or is to be formatted. Condition specifications return a value of true or false. The field is formatted only if any specified condition specification returns true.

CAnd

CAnd(condSpecification(…) …)

CAnd returns true only if its subordinate condition specifications all return true.

Operand

Description

condSpecification(…) …

Two or more valid condition specifications

CExt

CExt(intType getSpecification(…) [mask] relationshipType value)

CExt returns true if the specified relationship of the data from the current event record to the value specified is true.

Example

CExt(ULong GBase(8 4) LT 5) returns true if the unsigned 32-bit integer at offset 8 of the current event record is less than 5.

Operand

Description

intType

Integer type from the table Integer Types except UCharUChar and UNiblUNibl

getSpecification(…)

Valid Get specification

If the Get specification is repetitive (such as a GTriplet specifying a triplet with more than one occurrence), only the first occurrence is compared.

mask

Mask to be logically joined with AND to the data in the record before the comparison

The record itself is not modified.

Example

CExt(GBase(8 4) X'400' EQ 0) returns true if the X'400' bit of the unsigned 32-bit integer at offset 8 of the current event record is not set.

If you omit the operand, the data in the record is compared unmodified.

relationshipType

Comparison relationship type from the table in General-type-specifiers-for-definition-statements

value

Value to which the data in the record is to be compared in one of the following two formats:

Format

Description

Extended Numeric Literal

Number using one of the formats described in the Signed extended numeric format section of the "Extended numeric format" topic

String Numeric Literal

String of one to eight characters that are enclosed in single or double quotation marks

The string is converted to EBCDIC binary representation and the resulting value is used for the comparison.

Example

Coding ‘A’ is equivalent to coding 193; coding V8 is equivalent to coding 58872 (X‘E5F8’).

COr

COr(condSpecification(…) …)

COr returns true if any of its subordinate condition specifications return true.

Operand

Description

condSpecification(…) …

Two or more valid condition specifications

CSubTp

CSubTp(relationshipType subtype) or CSubTp(IN|NI subtype ...)

CSubTp returns true if the specified relationship of the subtype of the current event record to the value specified is true. For most SMF record types, the field checked by CSubTp is the true SMF subtype, a 16-bit field at offset 22 (X'16'). For SMF Type 80 records, the subtype is the RACF Event number only (without the qualifier). For ACF2 records, the subtype is the alphabetic subtype at offset 44 (X'2A'). For DB2 SMF records, the subtype is the IFCID number.

Example

CSubTp(GT 2) returns true if the subtype of the current SMF record is greater than 2. For SMF records formatted as without a subtype (byte 4 (SMFxxFLG, bit 1 = 0), the subtype is set to -1.

Operand

Description

relationshipType

Comparison relationship type from the table in General-type-specifiers-for-definition-statements

IN|NI

IN and NI (not in) are not case sensitive; you can use upper, lower, or mixed case. You can specify any number of literals, including zero.

  • IN—For the condition to be true, the event subtype must be equal to one of the literal values coded.
  • NI—For the condition to be true, the event subtype must not be equal to any of the literal values coded.

subtype

SMF record subtype in one of the following formats:

Format

Description

Extended Numeric Literal

Number using one of the formats described in the Signed extended numeric format section of the "Extended numeric format" topic

String Numeric Literal

String of one or two characters that are enclosed in single or double quotation marks

The string is converted to EBCDIC binary representation and the resulting value is used for the comparison.

Example

Specifying A is equivalent to coding 193; specifying V8 is equivalent to coding 58872 (X‘E5F8’).

CSubTpByLoc

CSubTpByLoc(getSpecification (…) relationshipType  subtype) or CSubTpByLoc(IN|NI subtype ...)

(SPE2101)

CSubTpByLoc returns true if the specified relationship of the subtype of the current event record to the value specified is true. This condition is useful when the subtype is NOT located at the standard offset 22 (X'16').

Example

CSubTpByLoc(EQ X‘C3E3’) returns true if the subtype of the current SMF record is X’C3E3’ (that is, ‘CT’).

Operand

Description

getSpecification(…)

Valid Get specification

If the Get specification is repetitive (such as a GTriplet specifying a triplet with more than one occurrence), only the first occurrence is compared.

relationshipType

Comparison relationship type from the table in General-type-specifiers-for-definition-statements

IN|NI

IN and NI (not in) are not case sensitive; you can use upper, lower, or mixed case. You can specify any number of literals, including zero.

  • IN—For the condition to be true, the event subtype must be equal to one of the literal values coded.
  • NI—For the condition to be true, the event subtype must not be equal to any of the literal values coded.

subtype

Record subtype in one of the following formats:

Format

Description

Extended Numeric Literal

Number using one of the formats described in the Signed extended numeric format section of the "Extended numeric format" topic

String Numeric Literal

String of one or two characters that are enclosed in single or double quotation marks

The string is converted to EBCDIC binary representation and the resulting value is used for the comparison.

Example

Coding ‘A’ is equivalent to coding 193; coding V8 is equivalent to coding 58872 (X‘E5F8’).

CSwitch

CSwitch(siemType…)

CSwitch returns true if it matches with the SIEM in effect using OPTIONS SIEMtype(…) statement.

Operand

Description

siemType

One or more of the following SIEM types:

  • RFC3164
  • CEF
  • JSON
  • LEEF
  • SPLunk

To suppress the field for a specific SIEM, specify -siemtype

Example

CSwitch(LEEF) returns true if OPTIONS SIEMtype is LEEF and the field definition will be in use.

CSwitch(-LEEF) indicates that the field definition will be used when the LEEF SIEM type is not in effect.

Related topics

OPTIONS-statement

DEF-and-REDEF-statements

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*