KB 004 – SAP ABAP – What does the SM04 collector extract from SAP and send to Splunk

ABAP Extractor SM04

Symptom:

What does the SM04 collector extract from SAP and send to Splunk?
The SM04 collector runs every hour and executes function module /BNWVS/CL_EXT_SM04.

Prerequisites:

None.

Fields:

The following fields are sent to Splunk.

These fields map to the ABAP dictionary types available in tcode SM20.

Reports: What reports can I run against this data?
Example 1: Reporting the number of users logged in
source!=audittrail EVENT_TYPE=SM04 EXT_TYPE!="" | fields _time EXT_TYPE | dedup _time EXT_TYPE | join type=outer _time EXT_TYPE [ search source!=audittrail (sourcetype=SM04 OR EVENT_TYPE=SM04) EXT_TYPE!="" | stats dc(BNAME) as splunk_no_of_user by _time EXT_TYPE ] | fillnull value=0 splunk_no_of_user | timechart max(splunk_no_of_user) as "No of users" by EXT_TYPE

Example 2: Reporting the number of users and their SAPGui version in use
source!=audittrail EVENT_TYPE=SM04 EXT_TYPE=gui | stats count by GUIVERSION
