zSecure Alert already has a 2-pass capability built into the skeletons. The first pass, the environment pass, is executed once an hour (or whatever you specified as your environment interval). It typically generates CARLa that is executed in the second pass, the reporting pass.
For SMF processing, the generated CARLa would contain stub newlists with a select statement that is generated from CKFREEZE or RACF profile information. The actual alert newlist would refer to the stub using select likelist=stub. Here is an example of an old APF dataset alert.
That means, your skeleton could be something like (I leave it up to you to write the SELECT command correctly):
)CM environment pass
)SEL &C2PEPASS = Y
newlist type=racf nopage
define once(nd) boolean where complex==complex
define every(nd) count
select class=user segment=csdata $somecsdata=:x
summary once,
"newlist type=smf outlim=0 name=user_x",
/ "select user=(,"
summary each profile(0) | ","
summary once,
")",
/ "sortlist recno"
)ENDSEL
This generates CARLa code like
newlist type=smf outlim=0 name=user_x
select user=(,
A,
B,
C,
)
sortlist recno
As stated, this code is executed in the SMF reporting pass, so it sets up an SMF newlist that selects SMF records for the user IDs with the right CSDATA values. You use this stub newlist in the skeleton with
SELECT EVENT=RACINIT(0) likelist=recent likelist=user_x
------------------------------
Rob van Hoboken
------------------------------