
Issues Indexing SAP System Log (SM21)

SPLAUR
Engager

Dear splunk community,

After successfully implementing the input from @afx:

"How to Splunk the SAP Security Audit Log"

I was encouraged to implement the SAP system log (SM21) on my own.

So far, I have managed to send the log to SPLUNK, but given the log's encoding system, I am unable to process it correctly in SPLUNK.

Most likely, my error lies in the transforms.conf or props.conf.

props.conf

[sap:systemlog]
category = Custom
REPORT-SYS = REPORT-SYS

EXTRACT-fields = ^(?<Prefix>.{3})(?<Date>.{8})(?<Time>.{6})(?<Code>\w\w)(?<Field1>.{5})(?<Field2>.{2})(?<Field3>.{3})(?<Field4>.)(?<Field5>.)(?<Field6>.{8})(?<Field7>.{12})(?<Field8>.{20})(?<Field9>.{40})(?<Field10>.{3})(?<Field11>.)(?<Field12>.{64})(?<Field13>.{20})

LOOKUP-auto_sm21 = sm21 message_id AS message_id OUTPUTNEW area AS area subid AS subid ps_posid AS ps_posid 

transforms.conf

[REPORT-SYS]
DELIMS = "|"
FIELDS = "message_id","date","time","term1","os_process_id","term2","work_process_number","type_process","term3","term4","user","term5","program","client","session","variable","term6","term7","term8","term9","id_tran","id_cont","id_cone"


[sm21]
batch_index_query = 0
case_sensitive_match = 1
filename = sm21.csv

Has anyone experienced a similar issue to mine? 

Best Regards.

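The fixed-width layout from the props.conf above, worked through as an added example (not code from the original post or from afx's writeup): it decodes a constructed UTF-16 dump, slices each 199-character record into the 17 groups the EXTRACT-fields regex names, and emits the pipe-delimited line that a DELIMS="|" transform would split. It assumes UTF-16LE with an optional BOM and records stored back to back with no line terminator.

```python
# Field widths copied from the EXTRACT-fields regex in the props.conf above.
SM21_LAYOUT = [
    ("Prefix", 3), ("Date", 8), ("Time", 6), ("Code", 2), ("Field1", 5),
    ("Field2", 2), ("Field3", 3), ("Field4", 1), ("Field5", 1), ("Field6", 8),
    ("Field7", 12), ("Field8", 20), ("Field9", 40), ("Field10", 3),
    ("Field11", 1), ("Field12", 64), ("Field13", 20),
]
RECORD_LEN = sum(w for _, w in SM21_LAYOUT)  # 199 characters per record


def records_from_utf16(raw):
    """Decode a raw dump (assumed UTF-16LE, optional BOM, records back to back
    with no line terminator) and cut it into RECORD_LEN-character records.
    A trailing partial record is dropped rather than mis-aligned."""
    text = raw.decode("utf-16-le").lstrip("\ufeff")
    full = len(text) // RECORD_LEN
    return [text[i * RECORD_LEN:(i + 1) * RECORD_LEN] for i in range(full)]


def parse_record(record):
    """Slice one decoded record into the 17 named fields (padding stripped)."""
    if len(record) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} chars, got {len(record)}")
    fields, pos = {}, 0
    for name, width in SM21_LAYOUT:
        fields[name] = record[pos:pos + width].rstrip()
        pos += width
    return fields


def to_delimited(fields, delim="|"):
    """Emit the line a DELIMS="|" transform expects: 17 values in fixed order;
    a stray delimiter inside a value is replaced so the field count stays right."""
    return delim.join(fields[n].replace(delim, " ") for n, _ in SM21_LAYOUT)


def build_record(values):
    """Constructed test input: pad or truncate each value to its slot width."""
    return "".join(values.get(n, "").ljust(w)[:w] for n, w in SM21_LAYOUT)


# Constructed sample: two records, no newline between them, UTF-16LE with BOM.
SAMPLE_RAW = "\ufeff".encode("utf-16-le") + (
    build_record({"Prefix": "AB1", "Date": "20240115", "Time": "093012", "Code": "A4",
                  "Field8": "SAPUSER01", "Field12": "Logon of user SAPUSER01|client 100"})
    + build_record({"Prefix": "AB1", "Date": "20240115", "Time": "093013", "Code": "US",
                    "Field8": "SAPUSER02", "Field12": "Unexpected record layout"})
).encode("utf-16-le")


def convert(raw):
    """Full pipeline: raw bytes -> list of pipe-delimited lines for Splunk."""
    return [to_delimited(parse_record(r)) for r in records_from_utf16(raw)]
```

Each emitted line carries exactly 17 values, one per regex group, whereas the FIELDS list in the transforms.conf above names 23 columns; the two have to agree on the count and order before the DELIMS extraction lines up.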

afx
Contributor

Totally forgot to post this..

At WallSec someone put up a more complete writeup: WALLSEC IT SECURITY - SIEM Your SAP Security Audit Log with SPLUNK

Might be easier to understand for some people than my ramblings.


afx
Contributor

Hi Splaur,

me thinks your EXTRACT-fields is not needed, that action is performed in the transforms.conf file via REPORT-SAP-Delim which refers to the line separators generated via add_separators.

Please reread the example and stick to it also in all the names until it works. That should get you going. 


richgalloway
SplunkTrust

The data is a simple CSV file so the props just need to specify that.

[sap:systemlog]
INDEXED_EXTRACTIONS = csv
DATETIME_CONFIG = CURRENT

No need for REPORT or EXTRACT.

---
If this reply helps you, Karma would be appreciated.

afx
Contributor

Since when is the SAL a CSV file? It is a perverted UTF16 fixed record monstrosity.

Please read my old post on splunking the SAP log that the OP referenced to understand what is going on.


richgalloway
SplunkTrust

You're right. I took the sm21.txt file in the OP to be sample data rather than a lookup table.

---
If this reply helps you, Karma would be appreciated.

afx
Contributor

Reading too fast happens to the best of us 😉
