×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
SPLAUR
Engager
Member since: ‎03-11-2025
‎07-07-2025
Community Statistics
Posts 3
Solutions 1
Karma Given 2
Karma Received 1
Member Since ‎03-11-2025
Activity Feed
View All

Issues Indexing SAP System Log (SM21)

by in Getting Data In
‎07-07-2025 09:10 AM
‎07-07-2025 09:10 AM
Dear splunk community, After successfully implementing the input from @afx : "How to Splunk the SAP Security Audit Log" I was encouraged to implement the SAP system log (SM21) on my own. So far, I have managed to send the log to SPLUNK, but given the log's encoding system, I am unable to process it correctly in SPLUNK. Most likely, my error lies in the transforms.conf or props.conf.  props.conf [sap:systemlog] category = Custom REPORT-SYS = REPORT-SYS EXTRACT-fields = ^(?<Prefix>.{3})(?<Date>.{8})(?<Time>.{6})(?<Code>\w\w)(?<Field1>.{5})(?<Field2>.{2})(?<Field3>.{3})(?<Field4>.)(?<Field5>.)(?<Field6>.{8})(?<Field7>.{12})(?<Field8>.{20})(?<Field9>.{40})(?<Field10>.{3})(?<Field11>.)(?<Field12>.{64})(?<Field13>.{20}) LOOKUP-auto_sm21 = sm21 message_id AS message_id OUTPUTNEW area AS area subid AS subid ps_posid AS ps_posid transforms.conf [REPORT-SYS] DELIMS = "|" FIELDS = "message_id","date","time","term1","os_process_id","term2","work_process_number","type_process","term3","term4","user","term5","program","client","session","variable","term6","term7","term8","term9","id_tran","id_cont","id_cone" [sm21] batch_index_query = 0 case_sensitive_match = 1 filename = sm21.csv Has anyone experienced a similar issue to mine?  Best Regards. ... View more

Re: My alert in SPLUNK is not triggering

by in Alerting
‎03-12-2025 03:31 AM
1 Karma
‎03-12-2025 03:31 AM
1 Karma
Hi @livehybrid First of all, thank you for your quick response. It is greatly appreciated. In the end, it was a much simpler mistake; I forgot to include the port in the SMTP FQDN since it is under SSL. Regards ... View more

My alert in SPLUNK is not triggering

by in Alerting
‎03-11-2025 11:14 AM
‎03-11-2025 11:14 AM
Dear Splunk community, I have a search in Splunk that generates results: index="myindex" message_id="AU2" | stats count by src | search count > 2 It basically searches the index for events of type "AU2" and shows an alert when they are greater than 2. I have created several alerts with different modes: Real-time Mode   Scheduled Mode   When I run: index=_internal sourcetype=scheduler savedsearch_name="PRUEBA Scheduled" It shows the following:   Could you tell me what I might be doing wrong or what I might be missing? Regards.   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-07-2025 08:46 AM
Karma from
View All
Karma given to
View All