KB 034 – Making PowerConnect App compatible with new source type

Making PowerConnect App compatible with new sourcetype

To make BNW-app-powerconnect v4.0.8-2 compatible with sap:abap sourcetype, please follow below steps:

Update macros configuration file

The following need to put the below contents in BNW-app-powerconnect/local/macros.conf file:

Contents of “BNW-app-powerconnect/local/macros.conf”file

[macroConvertSAPSYDAT2time(2)]

args = SDLDATE,SDLSTRTDT

definition = eval SDLDATE=$SDLDATE$.$SDLSTRTDT$ | eval
splunk_JOBSTART = SDLDATE.SDLSTRTDT | eval
splunk_JOBSTART_SHORT=substr(splunk_JOBSTART,0, 4).”-
“.substr(splunk_JOBSTART,5, 2).”-“.substr(splunk_JOBSTART,7, 2).”
“.substr(splunk_JOBSTART,9, 2).”:”.substr(splunk_JOBSTART,11,
2).”:”.substr(splunk_JOBSTART,13, 2)

iseval = 0

[sap-abap]

definition = source!=audittrail AND (sourcetype=sap_abap OR sourcetype=sap:abap*)

iseval = 0

In the above code, the bold part in red is the modification in the existing macro definition.

Rebuild Datamodels

The following three Datamodels need to be rebuilt:

  • SAP_Production_Systems
  • SAP ABAP STAD3
  • SAP ABAP AL08

* In case there is no need to use the already indexed accelerated Data Model, the Data Model can be configured to rebuild from scratch for the specified acceleration period. Data Model can be rebuilt by the following steps:

Follow the below steps:

a. On Splunk’s menu bar, Click on Settings -> Data models
b. From the list for Data models, expand the row by clicking “>” arrow in the first column of the
row for the Data model for which acceleration needs to be rebuild. This willdisplay an extra
Data Model information in “Acceleration” section.
c. From the “Acceleration” section click on “Rebuild” link.
d. Monitor the status of the rebuild in the field “Status” of “Acceleration” section. Reload the
page to get latest rebuild status.

Run lookup saved searches

Run all the look up saved searches (which are suffixed with “-Run Once Only”) once again to fill up lookups with new events

  • Account Instance – Lookup Gen – Run Once Only
  • Account Source – Lookup Gen – Run Once Only
  • Instance – Lookup Gen – Run Once Only
  • Source – Lookup Gen – Run Once Only
  • Tcode Instance – Lookup Gen – Run Once Only
  • Tcode Source – Lookup Gen – Run Once Only
  • Type Instance – Lookup Gen – Run Once Only
  • Type Source – Lookup Gen – Run Once Only

Follow the below steps to rebuild lookups

* Look ups can be rebuilt by the following steps:

a. On Splunk’s menu bar, Click on Settings -> Searches, reports, and alerts
b. In “App context”dropdown, select “SAP PowerConnect for Splunk (BNW-app-
powerconnect)”from the list.
c. Select check box of “Show only objects created in this app context”
d. In the top right search box, enter “-Run Once Only”and click on search icon
e. Above list of look up saved searches should be filtered out.
f. Now for each saved search from the above list, click on “Actions”-> “Run”one by one in
new tabs
g. The saved searches will run with “All Time”time range. In case, you want to update the time
range with some lesser value stop the existing search job, change the time range and run the
search again.

NOTE: Run the saved searches one by one to avoid concurrency issue

Download PDF version here