Jason,
sorry for me being a bit confused ....
If it's true a ML WTO cannot be interrupted, if you need to recognize the
WTO groups try this (the syslog dataset I used is a 137 VBM):
//*-------------------------------------------------------------------*
//* *
//*-------------------------------------------------------------------*
//ST010 EXEC PGM=SORT
//SYSOUT DD SYSOUT=*
//SORTIN DD DISP=SHR,DSN=MYLOG
//SORTOUT DD DSN=&ALL,DISP=(,PASS),
// SPACE=(TRK,(300,300))
//ERROR DD DSN=&ERR,DISP=(,PASS),
// SPACE=(TRK,(300,300))
//SYSIN DD *
OPTION VLSCMP
INREC IFTHEN=(WHEN=GROUP,BEGIN=(33,1,CH,NE,C' '), POS OF FIRST TS BYTE
PUSH=(140:ID=9))
SORT FIELDS=COPY
OUTFIL FNAMES=SORTOUT
OUTFIL FNAMES=ERROR,INCLUDE=(6,137,SS,EQ,C'ERROR')
/*
//*-------------------------------------------------------------------*
//* *
//*-------------------------------------------------------------------*
//ST020 EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
DELETE MYLOG.OK
IF MAXCC=8 THEN SET MAXCC=0
/*
//*-------------------------------------------------------------------*
//* *
//*-------------------------------------------------------------------*
//ST004 EXEC PGM=SORT
//SYSOUT DD SYSOUT=*
//ERROR DD DSN=&ERR,DISP=(OLD,DELETE)
//ALL DD DSN=&ALL,DISP=(OLD,DELETE)
//SORTOUT DD DSN=MYLOG.OK,
// DISP=(,CATLG),DATACLAS=UEFSQCMP,
// SPACE=(TRK,(300,300))
//SYSIN DD *
JOINKEYS F1=ERROR,FIELDS=(140,9,A),SORTED
JOINKEYS F2=ALL,FIELDS=(140,9,A),SORTED
REFORMAT FIELDS=(F2:1,137,F2:140,9)
SORT FIELDS=COPY
/*
Now, at position 140, you'll find the 9 bytes zoned group ID.
So, in your sample:
----+----1----+----2----+----3----+----4----+----5----+----6----+----7----+----8----+----9----+----0----+----1----+----2----+----3----+----4----+---
N C000000 CUK1 18179 16:07:33.83 00000090 HSAM5400I
HISTO
000000001
N C000000 CUK1 18179 16:07:33.85 00000090 HSAM1003I ARM
R
000000002
S
TYPE=HSAMGR RES 000000002
Actually I use a REXX approach to analyze a small set of messages, if this
will work I'll try to change it.
In my experience SYSLOG dataset (at switch time) can be truncated so
sometimes the very first and last piece of it could contain "remainders"
from the previous day or not the complete infos for the actual one.
Hope this helps.
Max
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Mail
priva di virus. www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
Il giorno lun 20 dic 2021 alle ore 05:58 Jason Cai <[email protected]> ha
scritto:
> Thanks for Martin, Massimo, and Kolusu's help
>
> As Massino mention that a multiline WTO
> cannot be interrupted, we need to handle multiline messages in OPERLOG or
> SYSLOG that cannot be interrupted.
>
> for IBM manul
>
> Each SYSLOG record is prefaced by a two-character record type field.
> Valid first characters are:
> N - single-line message
> W - single-line message with reply
> WTOR messages are not processed by Message Flood Automation.
> M - first line of a multi-line message
> Message Flood Automation can only react to the first line of a multiline
> message, not to any of the label, data or end lines
> L - multi-line message label line
> D - multi-line message data line
> E - multi-line message data/end line
> S - continuation of previous line
> O - LOG command input
> X - non-hardcopy or LOG command source
>
> There are at least three kinds of groups.
>
> 1. N single-line message
> INREC IFTHEN=(WHEN=GROUP,BEGIN=(2,1,CH,EQ,C'N'),
> END=(2,1,CH,EQ,C'N')
> 2. M - first line of a multi-line message
> INREC IFTHEN=(WHEN=GROUP,BEGIN=(2,1,CH,EQ,C'M'),
> END=(2,1,CH,EQ,C'E')
> 3. S - continuation of previous line
> INREC IFTHEN=(WHEN=GROUP,BEGIN=(2,1,CH,EQ,C'N'),
> END=(2,1,CH,EQ,C'S')
>
> for example:
> N C000000 CUK1 18179 16:07:33.83 00000090 HSAM5400I HISTO
> N C000000 CUK1 18179 16:07:33.85 00000090 HSAM1003I ARM R
> S
> TYPE=HSAMGR RES
>
> If we put them together, the output isn't what we need. Please see the
> following statement.
>
> OPTION VLSCMP
> INREC IFTHEN=(WHEN=GROUP,BEGIN=(2,1,CH,EQ,C'M',OR,2,1,CH,EQ,C'N'),
> END=(2,1,CH,EQ,C'E',OR,2,1,CH,EQ,C'S',OR,2,1,CH,EQ,C'N'),
> PUSH=(140:ID=9))
>
> Could you help us to handle multiline messages in syslog by dfsort ?
>
> Any suggestions are greatly appreciated!
>
> Thanks a lot!
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
