KB 003 – SAP ABAP – What does the SM20 collector extract from SAP and send to Splunk
ABAP Extractor SM20
Symptom:
What does the SM20 collector extract from SAP and send to Splunk?
The SM20 collector runs every hour and executes function module /BNWVS/CL_EXT_SM20.
Prerequisites:
For this collector to work, the SAP Audit log must be configured in SAP tcode SM19 and be active. If you can see the audit information in SM20, then it will be collected by SAP PowerConnect for Splunk and sent to the Splunk server.
Fields:
The following fields are sent to Splunk.
These fields map to the ABAP dictionary types available in tcode SM20.
Reports: What reports can I run against this data?
Example 1: Recording failed logins.
By running a search query where the login text contains the text “Failed” you can find the number of failed logins per day.
source != audittrail EVENT_TYPE=SM20 ALGTEXT "Logon Failed" | timechart span=1d count by ALGUSER
Drilling down on the raw data shows us the IP address from which the user logged in and their terminal ID.
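The search below is an added example, not part of the original KB article. It reuses the same base search and the ALGUSER field to list only the user and day combinations whose failed logon count is both high in absolute terms and above that user's own baseline. The thresholds (10 failures, 2 standard deviations) and the field names failed_logons, avg_daily and stdev_daily are assumptions introduced here and should be tuned to your environment.

```spl
source!=audittrail EVENT_TYPE=SM20 ALGTEXT "Logon Failed"
| bin _time span=1d
| stats count AS failed_logons BY _time, ALGUSER
| eventstats avg(failed_logons) AS avg_daily, stdev(failed_logons) AS stdev_daily BY ALGUSER
| where failed_logons >= 10 AND failed_logons > avg_daily + 2 * stdev_daily
| sort - failed_logons
```

Days on which a user had no failed logons produce no row, so the baseline is computed only over days with at least one failure. Run the search over a time range of several weeks so that each user has enough days to compare against.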