...
The data displayed below will match with what you see in Splunk.
...
Field Mapping
The field mapping between the data from SAP and values in Splunk can be seen in the table below:
...
Field
...
Description
...
Unit of Measure
...
ANAME
...
Creator of the User Master Record
...
String
...
BCDA1
...
Date of Last Password Change
...
YYYYMMDD
...
BNAME
...
User Name in User Master Record
...
String
...
CLASS
...
User group in user master maintenance
...
String
...
CURRENT_TIMESTAMP
...
The date time stamp when the information was collected
...
YYYYMMDDHHMMSS
...
ERDAT
...
Creation Date of the User Master Record
...
YYYYMMDD
...
EVENT_SUBTYPE
...
String
...
EVENT_TYPE
...
RSUSR200
...
String
...
GLTGB
...
User valid to
...
YYYYMMDD
...
GLTGV
...
User valid from
...
YYYYMMDD
...
LOCK_REASON
...
Reason for the user lock
...
String
...
LOCK_STATE
...
Whether the user is locked
...
String
...
LOCNT
...
Number of failed logon attempts
...
Number (Count)
...
LTIME
...
Last Logon Time
...
HHMMSS
...
MANDT
...
Client
...
String
...
PWD_STATE
...
Password Change: Required / Allowed / Not Possible
...
String
...
TRDAT
...
Last Logon Date
...
YYYYMMDD
...
USTYP
...
User Type
...
String
...
USTYP_TEXT
...
User Type Description
...
String
...
UTCDIFF
...
The UTC OFFSSET in HHMMSS that the data was collected in
...
HHMMSS
...
UTCSIGN
...
The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.
...
+ | -