Data requirements for Splunk Service Intelligence for SAP Solutions
Service Intelligence for SAP Solutions depends on SAP data available in your Splunk instance through PowerConnect for SAP data collector. Prior to monitoring your SAP systems using Service Intelligence for SAP Solutions and Splunk IT Service Intelligence, install SAP PowerConnect for Splunk on the target SAP systems, and ensure SAP data is being ingested into Splunk.
1. Install the SAP PowerConnect for Splunk app
Download and install SAP PowerConnect for Splunk from Splunkbase. For installation steps, see PowerConnect Splunk App Installation.
2. Make a full ITSI backup
Make a full backup of ITSI. For instructions, see Create a full backup of ITSI in the ITSI Administration Manual.
3. Validate your SAP data
Make sure SAP data is flowing into Splunk before you start the setup process, otherwise ITSI doesn't recognize any systems when you try to import them. To verify that SAP data is flowing into your Splunk instance, run the following search and replace the index name with the name of the index you're using:
index=<name> latest=now earliest=-1h | timechart count by source
When you run the search, make sure you see data similar to the following:
4. Verify events are being sent
Run the following Splunk search to verify the correct event types are being sent to your Splunk deployment. Replace the index name with name of the index you're using:
index=<name> EVENT_TYPE=SYSTEM_STATUS EVENT_SUBTYPE=SYSTEM_STATUS latest=now earliest=-24h | stats count by source
Make sure you see data similar to the following. The SAP system SID should be listed in the source column:
5. Set macro permissions
Change the permissions of the PowerConnect for Splunk App macros to Global.
- Within Splunk, go to Settings > Advanced search > Search macros.
- Search for the following macros:
- sap-abap(1)
- sap-java
- sap-index
- If the Sharing column doesn't say Global for either of the macros, click Permissions and select All apps (system) to share the macro globally.
- Click Save.
6. (Optional) Update the index search macro with custom index
To update the index search macro, you have to know the indexes where your SAP data is incoming..
- From Splunk Web, select Settings > Advanced Search > Search Macros.
- Configure the custom index by revising the sap-index macro definition as shown in the table below.
- Select Save.
| Macro Name | Default Macro Definition | Macro Definition with Custom Index |
|---|---|---|
| sap-index | "" | All of the indexes that you're using for SAP data collection combined with OR operators. For example: (index="main" OR index="sample1" OR index="sample2") |
7. Configure lookup table files
- Within Splunk, go to Settings > Lookups > Lookup table files and locate the following lookups:
- sensitive_tcodes.csv
- security_parameters_names.csv
- wide_open_auth_objects.csv
- Change their permissions to Global.
- Within Splunk, go to Settings > Lookups > Lookup definitions and locate the following definitions:
- sensitive_tcodes
- security_parameters_names
- wide_open_auth_objects
- Change their permissions to Global.
As the configure step instructions specify, both lookup definitions and lookup tables need global permissions.
| Release Notes for Splunk Service Intelligence for SAP Solutions | Install Splunk Service Intelligence for SAP Solutions |
This documentation applies to the following versions of Splunk® Service Intelligence for SAP® Solutions: 2.3.0
Download manual
Feedback submitted, thanks!