Splunk® Security App for SAP® solutions

User Guide

Troubleshoot the Splunk Security App for SAP solutions

Here are some common issues when using the Splunk Security App for SAP® solutions and how to resolve them.

Isolating the component with the problem

The Splunk Security App for SAP solutions relies on the Splunk Security Add-on for SAP solutions for input collection and knowledge management. Ensure that you have purchased the correct entitlement to the Splunk Security Add-on for SAP solutions.

When troubleshooting, determine whether the issue you are experiencing is related to the app or to the add-on. In general, if your SAP Enterprise Threat Detection (ETD) data is successfully reaching your Splunk platform indexes, the issue is with the app. If data is not reaching your Splunk platform indexes, check for configuration problems with the accounts and inputs handled by the Splunk Security Add-on for SAP solutions.

See Troubleshoot the Splunk Security Add-on for SAP solutions for troubleshooting specific to the add-on.

Dashboards not showing data from custom indexes

If you configure inputs using custom indexes and your dashboards don't show data from those indexes, you must update the macros that support dashboard performance to include the custom indexes. To solve this issue, update your local/macros.conf file and specify which indexes the app dashboards search.

See Configure macros in Splunk Security App for SAP solutions for more information.

Dashboards within the categories section are showing "Triggering Events missing"

Some dashboards and panels in the categories section require data from the Triggering Events within the Alerts. If Triggering Events are turned off in your input stanza, these dashboards might not populate automatically. They show as "Triggering Events missing". To fix this issue, follow these steps:

  1. Open the Splunk Security Add-on for SAP solutions.
  2. Go to the Inputs configuration page.
  3. Select the corresponding input from the list, check the Triggering Events box in the pop-up menu, and save the changes.
     Every new Alert ingested will correctly populate those fields.

Dashboards showing fields with "None" value

If the standard fields used by dashboards are not populated with adequate data, contact your SAP Enterprise Threat Detection (ETD) administrator.

Dashboards not showing all categories and patterns

The Splunk Security App for SAP solutions includes a lookup table called sap_etd_alerts_pattern_list.csv. This lookup table populates categories, pattern names, and other fields using searches from the Overview dashboard. The lookup table includes all the built-in categories and pattern names, but if you want to add new or customized patterns, you must update the lookup table manually.

See Configure CSV lookups in the Knowledge Manager Manual.

Last modified on 08 May, 2023

This documentation applies to the following versions of Splunk® Security App for SAP® solutions: 1.0.0

