BEFORE COMPLETING THIS STEP: For Splunk Cloud customers running PowerConnect Splunk app versions 7.0.0-7.3.0, please refer to Knowledge Base #173 to address a bug specific to Splunk Cloud that may prevent the Master Inventory Lookup (and potentially other KVstore-based lookups) from generating properly.
...
Open the dashboard “Wizard for New SAP SIDs and Instances Discovery” under PowerConnect > Wizard menu.
Select the buttons corresponding to the desired search names.
Click on the “Run Searches” button.
The status of each search is updated in the Status column of the table. Once a search has completed, the user can view its results by clicking in the table cell.
On Splunk's menu bar, click on Settings -> “Searches, reports, and alerts” and manually run all the saved searches with the suffix “ – Run Once Only”. If a saved search does not complete because of a large number of events, try reducing the time range and populate the lookups.
...
“sap-index” Macro Configuration (Before v8.3.1):
Certain users/roles may not search the designated PowerConnect Splunk index by default. For saved searches to function properly, the “sap-index” macro may need to be set to specify the index that holds the SAP data sent to Splunk from PowerConnect.
On Splunk's menu bar, click on Settings -> “Advanced search” -> “Search Macros”.
Click on the “sap-index” macro and, in the Definition, enter the name of the index where the data is incoming. Please see the sample below:
(index="main" OR index="sample1" OR index="sample2")
Note: To select all values of an entity, "*" (asterisk) can be used. Logical operators like "AND" and "OR" should be capitalized when used in the Definition.
Click on the Save button.
Additional Information
Note: If you are using SAP Cloud or want to change the app language to German or Japanese, kindly follow the optional Post Installation Configuration.