Data Description

The SM21_LOG event is used in SAP to view the system log.

Potential Use Cases

This event could be used in the following scenarios:

  • Alert on specific error messages displayed in the system log.

  • Visualize system health status by application server.

  • Determine error trends over time.

  • Correlate system errors with other occurrences in the environment such as database events.

Metric Filters

This filter is used to select or exclude specific messages from the system log and is an optional configuration to control data volume sent to Splunk. By default, all system log messages are collected by PowerConnect. To access the filter, log into the managed system and execute the /n/bnwvs/main transaction code. Then go to Administrator → Metric Filters → More → SM21 Sys.Log Filter.

...

Then select the “New Entries” button and enter the desired configuration based on the configuration options defined below, and Save:

  • SAP Instance - This field is mandatory, and is the instance from which you would like to extract the data. To extract data from all instances, enter a wildcard value (i.e. “*”).

  • Clt - This field is mandatory and is the client from which you will extract the data.

  • User - This field is mandatory and is the user related to the system log. To extract data for all users, enter a wildcard value.

  • Grp - This field is mandatory and represents the system log message group. To extract data for all message groups, enter a wildcard value.

  • N - This field is mandatory and represents the message group sub-name. To extract data for all the message group sub-names, enter a wildcard value.

  • Message Text - This field is optional and represents the message text from the system log. To extract data for all messages, enter a wildcard value.

  • INCL/EXCL - This field is mandatory and is an exclusion or inclusion criterion. To exclude the values defined in the selection criteria, enter an “E” in the field. Similarly, to include the values defined in the selection criteria, enter an “I” in the field.

  • Active - This field is mandatory and is a checkbox used to enable or disable the filter criteria. To activate the filter criteria, ensure the checkbox is checked. Conversely, if you would like to disable data collection ensure the checkbox is unchecked.

Here is an example of the filled-out filter:

...

Splunk Event

The event will look like this in Splunk:

...

SAP Navigation

[insert information on how to see the information displayed in the Splunk event in the SAP environment. Typically this is a t-code or a table. Please insert instructions with screenshots.]

Field Mapping

| Field | Description | Unit of Measure |
|---|---|---|
| AREA | System Log: Group of 36 System Log Messages | String |
| BEWERTUNG | Evaluation Path | String |
| CLASID | System Log: Classification ID for Messages | String |
| CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
| DATE | Date | DD.MM.YYYY |
| DATE_INT | CHAR08 | YYYYMMDD |
| DEVCLASS | Package | String |
| EVENT_SUBTYPE | | String |
| EVENT_TYPE | SM21_LOG | String |
| FILE_NO | SysLog: File number | Number |
| ICON | Icon for Priority Status | String |
| INSTID | SysLog: Instance name (System & Computer & Number) | String |
| MAND | TODO: Client | Number |
| POS | SysLog: File offset | Number |
| REPNA | Program Name | String |
| SUBID | System log: Third character of message name | String |
| TASK | System log: SAP process name | String |
| TERMINAL | Terminal name | String |
| TEXT | Database Error Message | String |
| TIME | Time | HH:MM:SS |
| TRANSCODE | Transaction Code | String |
| TSKNA | Type | String |
| TSKNU | Type | Number |
| USER | System log: SAP user name | String |
| UTCDIFF | The UTC offset in HHMMSS that the data was collected in | HHMMSS |
| UTCSIGN | The UTC positive or negative offset indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in. | + \| - |
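Added example, not part of the original documentation: to correlate SM21_LOG events from application servers in different time zones with other data (the correlation use case above), DATE and TIME can be normalized to UTC using UTCSIGN and UTCDIFF from the field mapping. It assumes DATE and TIME are in the server's local time; the function names and all sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def sm21_time_utc(event):
    """Convert an SM21_LOG event's DATE/TIME to a timezone-aware UTC datetime."""
    sign = str(event["UTCSIGN"]).strip()
    if sign not in ("+", "-"):
        raise ValueError(f"unexpected UTCSIGN: {sign!r}")
    # UTCDIFF is HHMMSS; re-pad in case a numeric extraction dropped leading zeros.
    diff = str(event["UTCDIFF"]).strip().zfill(6)
    if len(diff) != 6 or not diff.isdigit():
        raise ValueError(f"unexpected UTCDIFF: {diff!r}")
    offset = timedelta(hours=int(diff[:2]), minutes=int(diff[2:4]),
                       seconds=int(diff[4:]))
    if sign == "-":
        offset = -offset
    # Assumption: DATE (DD.MM.YYYY) and TIME (HH:MM:SS) are server-local time.
    local = datetime.strptime(f"{event['DATE']} {event['TIME']}",
                              "%d.%m.%Y %H:%M:%S")
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)

def events_near(events, when_utc, window_seconds):
    """Return (utc_time, event) pairs within the window, oldest first."""
    window = timedelta(seconds=window_seconds)
    timed = [(sm21_time_utc(e), e) for e in events]
    hits = [(t, e) for t, e in timed if abs(t - when_utc) <= window]
    return sorted(hits, key=lambda pair: pair[0])

# Constructed sample events: field names are from the mapping, values are invented.
SAMPLE_EVENTS = [
    {"INSTID": "appsrv1_PRD_00", "DATE": "14.03.2024", "TIME": "09:15:30",
     "UTCSIGN": "+", "UTCDIFF": "010000", "TEXT": "constructed message A"},
    {"INSTID": "appsrv2_PRD_00", "DATE": "13.03.2024", "TIME": "23:50:00",
     "UTCSIGN": "-", "UTCDIFF": "050000", "TEXT": "constructed message B"},
    {"INSTID": "appsrv3_PRD_00", "DATE": "14.03.2024", "TIME": "13:46:10",
     "UTCSIGN": "+", "UTCDIFF": "053000", "TEXT": "constructed message C"},
]
# Constructed time of a database event from another source, already in UTC.
DB_EVENT_UTC = datetime(2024, 3, 14, 8, 16, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for t, e in events_near(SAMPLE_EVENTS, DB_EVENT_UTC, 60):
        print(t.isoformat(), e["INSTID"], e["TEXT"])
```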

To access the SM21 system log, log into the managed system and execute the SM21 transaction. You will then be brought to a user selection parameter screen. Fill out the user selection parameters as desired and select the Execute button.

...

You will then be brought to the system log, which matches the data that is extracted and sent to Splunk.

...