FILTER command

The filter criteria are used to limit the amount of data collected in the in-memory buffers for further processing. By using the FILTER command, it is possible to eliminate unused events early in the process, thus increasing the overall efficiency. If there are no SMF and WTO filter criteria specified, all SMF records and WTO messages are collected for further processing. To avoid this situation, the zSecure Alert User Interface generates dummy filters that do not match any event. The FILTER command has the following syntax:

Filter
   addsmf(rectype(rectype) allsubtype | subtype(subtype) | nosubtype)
   delsmf(rectype(rectype))
   addwto(prefix(prefix-chars))
   delwto(prefix(prefix-chars))

The following section describes the possible keywords and parameters.
ADDSMF
Specifies the additional filter criterion to be used for SMF-records. You can repeat the FILTER command to specify as many filter criteria as you need. The criterion you specify is added to the already active criteria. The SMF-record type to be selected is specified by the rectype and subtype parameters. The available suboptions are:
Allsubtype
Specifies that all SMF-record subtypes are included in the record filter (default). This specification can also be interpreted as the absence of any filtering on subtype. Subtypes are used for only SMF-record types 30, 80, 92, and ACF2. For all other SMF-record types, the subtype specification is ignored.
Rectype
Specifies the SMF-record type that must be selected or that must no longer be selected. The rectype parameter must have a numeric value 0 - 2047, or the value ACF2 to specify records generated by ACF2.
Subtype
Specifies the SMF-record subtype that must be selected. The subtype is only used for SMF-record types 30, 80, 92, and ACF2. For all other SMF-record types, the subtype is ignored. The value of subtype must be numeric or a single alphabetic character. The subtype is interpreted as follows:
Rectype 30
The subtype is the standard SMF-record subtype. Although currently SMF-Record type 30 only has defined subtypes 1 to 5, the range accepted by zSecure Alert is 1 - 8.
Rectype 80
The subtype is the RACF® event code. For a complete list of RACF event codes, see RACF Auditor's guide. The range of values accepted by zSecure Alert is 1 - 255.
Rectype 92
The subtype is the standard SMF-record subtype. Although SMF-Record type 92 currently has defined only subtypes 1 - 17, the range accepted by zSecure Alert is 1 - 255.
Rectype ACF2
The subtype is the ACF2 record type. For a complete list of ACF2 subtypes, see zSecure CARLa SELECT/LIST Fields; see the ACF2_SUBTYPE field in NEWLIST TYPE=SMF.
Nosubtype
Specifies that the SMF-record subtype, as described previously for the Subtype keyword, must not be used as a selection criterion. Use of this keyword resets all subtypes previously specified for the indicated rectype.
DELSMF
Specifies that you no longer want the specified SMF-record type to be selected. The SMF-record type is identified by the rectype parameter only. It is not possible to deactivate SMF-record selection per subtype.
ADDWTO
Specifies the filter criteria used for the WTO-messages. You can specify up to 24 different filter criteria. Although you can specify message prefixes starting with C2P, most of the C2P messages are not captured. Only messages C2P0100, C2P0335, and the range C2P0900 to C2P0999 can be captured and used to trigger alerts.
DELWTO
Specifies that you no longer want WTO message selection to occur for messages starting with prefix-chars.
Prefix
Specifies the first characters of the WTO message identifier. If you want to include all ICH messages, simply specify ICH. If you only want to include ICH408I messages, specify the full seven (7) characters of the message identifier. The maximum length of the message prefix is eight (8) characters. The minimum length is one (1) character.
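
A filter statement with an out-of-range subtype or an unusable prefix leaves a gap in what is collected, so it is worth checking planned statements against the ranges and limits described above. The following Python check is an added example, not part of zSecure Alert or of the original page. It assumes one keyword per statement, written with the full keyword spellings from the syntax diagram; lint_filters and the sample statements are constructed for illustration.

```python
import re

# Accepted subtype ranges and capturable C2P message ids, as stated on this page.
SUBTYPE_RANGE = {30: (1, 8), 80: (1, 255), 92: (1, 255)}
C2P_OK = ["C2P0100", "C2P0335"] + [f"C2P09{n:02d}" for n in range(100)]
# Assumption: one keyword per statement, full spellings, case-insensitive.
STMT = re.compile(r"filter\s+(addsmf|delsmf|addwto|delwto)\((.*)\)\s*$", re.I)
PARM = re.compile(r"(rectype|subtype|prefix)\(\s*([^()\s]+)\s*\)", re.I)
# Constructed sample statements (not from the page).
SAMPLE = ["filter addsmf(rectype(80) subtype(1))", "filter addsmf(rectype(30) subtype(9))",
          "filter addsmf(rectype(42) subtype(6))", "filter addwto(prefix(C2P02))"]

def lint_filters(statements):
    """Return (statement_number, message) findings for a list of FILTER statements."""
    findings, wto = [], set()
    for n, text in enumerate(statements, 1):
        m = STMT.match(text.strip())
        if not m:
            findings.append((n, "not a recognised FILTER statement"))
            continue
        kw = m.group(1).lower()
        parm = {k.lower(): v.upper() for k, v in PARM.findall(m.group(2))}
        if kw in ("addsmf", "delsmf"):
            rec, sub = parm.get("rectype", ""), parm.get("subtype")
            num = int(rec) if rec.isdecimal() else -1
            if rec != "ACF2" and not 0 <= num <= 2047:
                findings.append((n, f"rectype {rec or '?'}: must be 0 - 2047 or ACF2"))
            elif sub is not None and kw == "delsmf":
                findings.append((n, "DELSMF selects by rectype only, not by subtype"))
            elif sub is not None and rec != "ACF2" and num not in SUBTYPE_RANGE:
                findings.append((n, f"subtype is ignored for rectype {rec}"))
            elif sub is not None and num in SUBTYPE_RANGE:
                lo, hi = SUBTYPE_RANGE[num]
                if not (sub.isdecimal() and lo <= int(sub) <= hi):
                    findings.append((n, f"subtype {sub}: rectype {rec} accepts {lo} - {hi}"))
        else:
            pfx = parm.get("prefix", "")
            if not 1 <= len(pfx) <= 8:
                findings.append((n, "prefix must be 1 to 8 characters"))
            elif kw == "delwto":
                wto.discard(pfx)
            else:
                wto.add(pfx)
                if len(wto) > 24:
                    findings.append((n, "more than 24 WTO filter criteria"))
                if pfx.startswith("C2P") and not any(
                        i.startswith(pfx) or pfx.startswith(i) for i in C2P_OK):
                    findings.append((n, f"prefix {pfx} matches no capturable C2P message"))
    return findings
```

Calling lint_filters(SAMPLE) reports statements 2, 3 and 4: a subtype outside the range accepted for rectype 30, a subtype that is ignored for rectype 42, and a C2P prefix that can never match a capturable message.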