zSecure Alert ships one sample alert for ACF9CCCD that you could use as a template.
- Copy alert 1301
- Remove the environment section (&C2PEPASS = Y)
- Change the ACF2-specific SELECT statement into:
    select msgid=ACF99913
- Use the E line command to go to the alert options, change the data source filter to select message id ACF99913
However, alert 1301 does not print the ACF99913 message; instead, it picks up the ACFSTCID and JOB fields from the message.
To print the whole ACF99913 message to Splunk, you will be better off copying an application alert, like 1804.
You could also use SMF reporting to process ACF2 access violations. Alert 2201 would be an adequate starting point.
Find the ACF2-specific SELECT command and change this into:
    select acf2_subtype=D acf2_descriptor=VIO likelist=recent
------------------------------
Rob van Hoboken
------------------------------