Getting Data In

Issues Indexing SAP System Log (SM21)

SPLAUR
Engager

Dear splunk community,

After successfully implementing the input from @afx:

"How to Splunk the SAP Security Audit Log"

I was encouraged to implement the SAP system log (SM21) on my own.

So far, I have managed to send the log to SPLUNK, but given the log's encoding system, I am unable to process it correctly in SPLUNK.

Most likely, my error lies in the transforms.conf or props.conf.

props.conf

[sap:systemlog]
category = Custom
REPORT-SYS = REPORT-SYS

EXTRACT-fields = ^(?<Prefix>.{3})(?<Date>.{8})(?<Time>.{6})(?<Code>\w\w)(?<Field1>.{5})(?<Field2>.{2})(?<Field3>.{3})(?<Field4>.)(?<Field5>.)(?<Field6>.{8})(?<Field7>.{12})(?<Field8>.{20})(?<Field9>.{40})(?<Field10>.{3})(?<Field11>.)(?<Field12>.{64})(?<Field13>.{20})

LOOKUP-auto_sm21 = sm21 message_id AS message_id OUTPUTNEW area AS area subid AS subid ps_posid AS ps_posid 

transforms.conf

[REPORT-SYS]
DELIMS = "|"
FIELDS = "message_id","date","time","term1","os_process_id","term2","work_process_number","type_process","term3","term4","user","term5","program","client","session","variable","term6","term7","term8","term9","id_tran","id_cont","id_cone"


[sm21]
batch_index_query = 0
case_sensitive_match = 1
filename = sm21.csv

Has anyone experienced a similar issue to mine? 

Best Regards.

0 Karma

afx
Contributor

Totally forgot to post this..

At WallSec someone put up a more complete writeup: WALLSEC IT SECURITY - SIEM Your SAP Security Audit Log with SPLUNK

Might be easier to understand for some people than my ramblings.

0 Karma

afx
Contributor

Hi Splaur,

Methinks your EXTRACT-fields is not needed; that action is performed in the transforms.conf file via REPORT-SAP-Delim, which refers to the line separators generated via add_separators.

Please reread the example and stick to it also in all the names until it works. That should get you going. 

0 Karma
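To make the two parsing models in this thread concrete (the OP's fixed-width EXTRACT-fields regex on one side, the pipe-delimited REPORT-SYS transform on the other, and the separator-inserting pre-processing step afx refers to in between), here is an added Python walkthrough. It is not code from the original post, from afx's write-up, or from Splunk: the field widths are copied from the OP's regex, the FIELDS list is copied from the OP's transforms.conf, the sample record is constructed and contains no real SAP data, and the add_separators function merely mirrors the step afx names, it is not his script.

```python
"""Added example: fixed-width slicing vs. delimiter splitting for an SM21-style
record. Widths come from the OP's EXTRACT-fields regex; the sample record is
constructed. Nothing here is the original poster's or afx's code."""
import re

# Field names and widths in the order the OP's EXTRACT-fields regex declares them.
OP_FIELD_WIDTHS = [
    ("Prefix", 3), ("Date", 8), ("Time", 6), ("Code", 2), ("Field1", 5),
    ("Field2", 2), ("Field3", 3), ("Field4", 1), ("Field5", 1), ("Field6", 8),
    ("Field7", 12), ("Field8", 20), ("Field9", 40), ("Field10", 3),
    ("Field11", 1), ("Field12", 64), ("Field13", 20),
]
RECORD_LEN = sum(w for _, w in OP_FIELD_WIDTHS)  # 199 characters per record

# The OP's REPORT-SYS FIELDS list, verbatim (23 names).
OP_REPORT_FIELDS = [
    "message_id", "date", "time", "term1", "os_process_id", "term2",
    "work_process_number", "type_process", "term3", "term4", "user", "term5",
    "program", "client", "session", "variable", "term6", "term7", "term8",
    "term9", "id_tran", "id_cont", "id_cone",
]

# Constructed sample values, one per field of the OP's regex (not real SAP data).
SAMPLE_VALUES = [
    "LOG", "20240101", "123000", "AU", "00012", "01", "003", "D", "N", "DIA",
    "S4HCLIENT", "SAPSYS", "Transaction started", "000", "E", "RSUSR000",
    "msg text",
]


def build_record(values):
    """Pad or truncate each value to its width, giving one fixed-width record."""
    return "".join(v[:w].ljust(w) for (_, w), v in zip(OP_FIELD_WIDTHS, values))


def sample_record_bytes():
    """The constructed record encoded as UTF-16 (with BOM), as a raw feed might deliver it."""
    return build_record(SAMPLE_VALUES).encode("utf-16")


def op_style_regex():
    """The OP's EXTRACT-fields pattern rebuilt from the widths, in Python's
    (?P<name>...) syntax; Splunk's (?<name>...) form is not valid in Python's re."""
    return "^" + "".join(f"(?P<{n}>.{{{w}}})" for n, w in OP_FIELD_WIDTHS)


def extract_with_regex(record):
    """Model 1: what the OP's EXTRACT-fields does on a decoded fixed-width record."""
    m = re.match(op_style_regex(), record)
    if m is None:
        raise ValueError(f"record does not match the {RECORD_LEN}-char layout")
    return m.groupdict()


def slice_fixed_width(record):
    """Same result as the regex, done by position; trailing padding is stripped."""
    if len(record) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} chars, got {len(record)}")
    fields, pos = {}, 0
    for name, width in OP_FIELD_WIDTHS:
        fields[name] = record[pos:pos + width].rstrip()
        pos += width
    return fields


def add_separators(raw_bytes, sep="|"):
    """Pre-processing step: decode the UTF-16 record and put sep between the
    fixed-width fields so that a DELIMS="|" transform can split it. The name
    mirrors the step afx mentions; the implementation is this example's own."""
    text = raw_bytes.decode("utf-16")
    fields = slice_fixed_width(text)
    return sep.join(fields[name] for name, _ in OP_FIELD_WIDTHS)


def split_delimited(line, names, sep="|"):
    """Model 2: what REPORT-SYS with DELIMS="|" and a FIELDS list does."""
    return dict(zip(names, line.split(sep)))


def config_field_counts():
    """Sanity check on the OP's two stanzas: the regex defines 17 fields while the
    REPORT lists 23 names, so the two stanzas describe different record layouts
    and at most one of them can match the feed as delivered."""
    return len(OP_FIELD_WIDTHS), len(OP_REPORT_FIELDS)


if __name__ == "__main__":
    line = add_separators(sample_record_bytes())
    print(line)
    print(split_delimited(line, [n for n, _ in OP_FIELD_WIDTHS]))
    print("regex fields vs. REPORT fields:", config_field_counts())
```

The point of the check at the end is the one a reviewer would make about the OP's props.conf: the fixed-width regex and the delimited REPORT are alternative parsers for the same event, not two stages of one pipeline, and they do not even agree on the number of fields. Either the feed is pre-processed into a delimited form (then only the REPORT is needed, as afx says) or it stays fixed-width (then only the regex is needed).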

richgalloway
SplunkTrust

The data is a simple CSV file so the props just need to specify that.

[sap:systemlog]
INDEXED_EXTRACTIONS = csv
DATETIME_CONFIG = CURRENT

No need for REPORT or EXTRACT.

---
If this reply helps you, Karma would be appreciated.
0 Karma

afx
Contributor

Since when is the SAL a CSV file? It is a perverted UTF16 fixed record monstrosity.

Please read my old post on splunking the SAP log that the OP referenced to understand what is going on.

0 Karma

richgalloway
SplunkTrust

You're right. I took the sm21.txt file in the OP to be sample data rather than a lookup table.

---
If this reply helps you, Karma would be appreciated.
0 Karma

afx
Contributor

Reading too fast happens to the best of us 😉

0 Karma