Splunk® Service Intelligence for SAP® Solutions

Service Intelligence for SAP Solutions

Data requirements for Splunk Service Intelligence for SAP Solutions

Service Intelligence for SAP Solutions depends on SAP data available in your Splunk instance through PowerConnect for SAP data collector. Prior to monitoring your SAP systems using Service Intelligence for SAP Solutions and Splunk IT Service Intelligence, install SAP PowerConnect for Splunk on the target SAP systems, and ensure SAP data is being ingested into Splunk.

1. Install the SAP PowerConnect for Splunk app

Download and install SAP PowerConnect for Splunk from Splunkbase. For installation steps, see PowerConnect Splunk App Installation.

2. Make a full ITSI backup

Make a full backup of ITSI. For instructions, see Create a full backup of ITSI in the ITSI Administration Manual.

3. Validate your SAP data

Make sure SAP data is flowing into Splunk before you start the setup process, otherwise ITSI doesn't recognize any systems when you try to import them. To verify that SAP data is flowing into your Splunk instance, run the following search and replace the index name with the name of the index you're using:

index=<name> latest=now earliest=-1h | timechart count by source

When you run the search, make sure you see data similar to the following:

SAPdata.png

4. Verify events are being sent

Run the following Splunk search to verify the correct event types are being sent to your Splunk deployment. Replace the index name with name of the index you're using:

index=<name> EVENT_TYPE=SYSTEM_STATUS EVENT_SUBTYPE=SYSTEM_STATUS latest=now earliest=-24h | stats count by source

Make sure you see data similar to the following. The SAP system SID should be listed in the source column:

SAPevents.png

5. Set macro permissions

Change the permissions of the PowerConnect for Splunk App macros to Global.

  1. Within Splunk, go to Settings > Advanced search > Search macros.
  2. Search for the following macros:
    • sap-abap(1)
    • sap-java
    • sap-index
  3. If the Sharing column doesn't say Global for either of the macros, click Permissions and select All apps (system) to share the macro globally.
  4. Click Save.

6. (Optional) Update the index search macro with custom index

To update the index search macro, you have to know the indexes where your SAP data is incoming..

  1. From Splunk Web, select Settings > Advanced Search > Search Macros.
  2. Configure the custom index by revising the sap-index macro definition as shown in the table below.
  3. Select Save.
  4. Macro Name Default Macro Definition Macro Definition with Custom Index
    sap-index "" All of the indexes that you're using for SAP data collection combined with OR operators.

    For example: (index="main" OR index="sample1" OR index="sample2")

7. Configure lookup table files

  1. Within Splunk, go to Settings > Lookups > Lookup table files and locate the following lookups:
    • sensitive_tcodes.csv
    • security_parameters_names.csv
    • wide_open_auth_objects.csv
  2. Change their permissions to Global.
  3. Within Splunk, go to Settings > Lookups > Lookup definitions and locate the following definitions:
    • sensitive_tcodes
    • security_parameters_names
    • wide_open_auth_objects
  4. Change their permissions to Global.

As the configure step instructions specify, both lookup definitions and lookup tables need global permissions.

Last modified on 14 August, 2024
Release Notes for Splunk Service Intelligence for SAP Solutions   Install Splunk Service Intelligence for SAP Solutions

This documentation applies to the following versions of Splunk® Service Intelligence for SAP® Solutions: 2.3.0, 2.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters