...
The data below will match the data that is sent to Splunk.
...
Field Mapping
The field mapping between the data from SAP and values in Splunk can be seen in the table below:
...
Field
...
Description
...
Unit of Measure
...
CURRENT_TIMESTAMP
...
The date time stamp when the information was collected
...
YYYYMMDDHHMMSS
...
EVENT_SUBTYPE
...
String
...
EVENT_TYPE
...
RSUSR003
...
String
...
LOCKED
...
Whether or not the user is locked
...
String
...
LOCKREASON
...
The reason why the user is locked
...
String
...
MANDT
...
Client
...
String
...
PWSTATUS
...
The user’s password status
...
String
...
UNSUCESSLOGINS
...
The number of unsuccessful logins for the user
...
Number (count)
...
USERNAME
...
User Name
...
String
...
UTCDIFF
...
The UTC OFFSSET in HHMMSS that the data was collected in
...
HHMMSS
...
UTCSIGN
...
The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.
...
+ | -
...
VALIDFRM
...
The date the user is valid from
...
YYYYMMDD
...
VALIDTO
...
The date the user is valid until
...
YYYYMMDD