Hi Linnea, What I would do here is have 2 separate queries: one for those that contain 'REASON(' using the fields defined as you show, and another for those without 'REASON(' that uses another defined field that is the text that follows EXECUTE, such as def $cmdNoReason as parse(logstr, "EXECUTE").
This Select for your 1st query will be for those with a REASON:
Newlist .... name=query1
def $command as parse(logstr, ") ")
Select logstr=:'REASON('
Sortlist ... $command. ...
Whereas this select for your 2nd query will be for those without a REASON:
Newlist .....
def $cmdNoReason as parse(logstr, "EXECUTE")
Exclude logstr=:'REASON(' /* or use: exclude likelist=query1 */
Sortlist ... $cmdNoReason ...
If you need the output records interleaved in the same order they came in, then use MERGELIST. .... ENDMERGE. around the block of the two queries.
------------------------------
Simon Dodge
------------------------------
Original Message:
Sent: Tue October 18, 2022 03:07 PM
From: Linnea Sullivan
Subject: Capturing Data from CKGRACF Commands
So the parse works as long as the administrator provides a reason. When the reason is not provided, the contents of LOGSTR change and no data is put in the $REASON or $COMMAND fields.
Examples:
CKGRACF CMD AT 18Oct2022 EXECUTE PERMIT 'RB106.ISPPROF*.**' ID(PWSYN01) DELETE
CKGRACF CMD AT 18Oct2022 EXECUTE REASON('TEST CKGRACF CMD REPORTING') PERMIT 'RB106.ISPPROF*.**' CLASS(DATASET) ID(PWSYN01) ACCESS(READ)
I don't see any way to parse out a $COMMAND since there is nothing unique to search for in the LOGSTR.
Allow me to look at this from a different angle. With CKXLOGID there are controls on whether to require the Command Logger data. Are there any controls that would require the administrator to provide a reason for a CKGRACF command?
Is this something an RFE might be needed to improve the CKGRACF reporting capabilities?
------------------------------
Linnea Sullivan
Original Message:
Sent: Fri October 07, 2022 10:50 AM
From: Rob van Hoboken
Subject: Capturing Data from CKGRACF Commands
As Jeroen pointed out, the PARSE function can be used if there is a unique leader and a unique terminator of your search target. When the terminator is missing, all data until the end of the field is copied. So you could use these commands to remove the REASON parameter and the quotes and parentheses. You could also find the start of the RACF command, but note that LOGSTR has a limited length so not all parameters of the RACF command may be captured.
def $reason as parse(logstr, "reason('", "') ")
def $command as parse(logstr, "') ")
------------------------------
Rob van Hoboken
------------------------------
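The behaviour discussed in this thread, modelled in Python as an added example (not zSecure/CARLa code and not from any of the posters): `parse` follows the leader/terminator description given above, and `split_logstr` applies the two-case split to the two LOGSTR samples quoted in the thread. The function names and the case-insensitive matching are assumptions made for this illustration.

```python
# Added illustration: a Python model of the PARSE behaviour described in the thread.

def parse(field, leader, terminator=None):
    """Return the text after `leader`, up to `terminator` if given and found.

    As described in the thread: when the terminator is missing, everything up
    to the end of the field is copied; when the leader is absent, no data is
    returned. Case-insensitive matching is an assumption of this model.
    """
    upper = field.upper()
    start = upper.find(leader.upper())
    if start < 0:
        return ""
    start += len(leader)
    if terminator is not None:
        end = upper.find(terminator.upper(), start)
        if end >= 0:
            return field[start:end]
    return field[start:]


def split_logstr(logstr):
    """Return (reason, command) for a CKGRACF LOGSTR, with or without REASON(."""
    if "REASON(" in logstr.upper():
        # First query: records that carry a reason.
        reason = parse(logstr, "reason('", "') ")
        command = parse(logstr, "') ")
    else:
        # Second query: no reason, so the command is whatever follows EXECUTE.
        reason = ""
        command = parse(logstr, "EXECUTE")
    return reason, command.strip()


# The two LOGSTR examples quoted in the thread.
SAMPLES = [
    "CKGRACF CMD AT 18Oct2022 EXECUTE PERMIT 'RB106.ISPPROF*.**' ID(PWSYN01) DELETE",
    "CKGRACF CMD AT 18Oct2022 EXECUTE REASON('TEST CKGRACF CMD REPORTING') "
    "PERMIT 'RB106.ISPPROF*.**' CLASS(DATASET) ID(PWSYN01) ACCESS(READ)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        reason, command = split_logstr(line)
        print(f"reason={reason or '(none given)'!r} command={command!r}")
```

Records with an empty reason are the ones an audit report would flag as administrator commands issued without a stated justification.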