Data Description
The SYSTEM_STATUS event is used in SAP to view the software, components, kernel, and general SAP system information.
Potential Use Cases
This event could be used in the following scenarios:
To obtain system information details for dashboarding purposes.
Correlate new installations with security risks or performance issues.
Splunk Event
SYSTEM_STATUS with EVENT_SUBTYPE=PRODUCT_INFO
The event will look like this in Splunk:
SYSTEM_STATUS with EVENT_SUBTYPE=KERNEL_INFO
The event will look like this in Splunk:
SYSTEM_STATUS with EVENT_SUBTYPE=SYSTEM_STATUS
The event will look like this in Splunk:
SYSTEM_STATUS with EVENT_SUBTYPE=COMPONENT_LIST
The event will look like this in Splunk:
SAP Navigation
Log into the system and go to the System → Status menu option.
SYSTEM_STATUS with EVENT_SUBTYPE=SYSTEM_STATUS
The information displayed below will match with Splunk.
SYSTEM_STATUS with EVENT_SUBTYPE=KERNEL_INFO
Click on the Other kernel Info button.
The information displayed will match with Splunk.
SYSTEM_STATUS with EVENT_SUBTYPE=COMPONENT_LIST
Click on the Details button.
The information displayed will match with Splunk.
SYSTEM_STATUS with EVENT_SUBTYPE=PRODUCT_INFO
Click on the Details button.
Click on the Installed Product Versions tab. The data displayed will match with Splunk.
Field Mapping
SYSTEM_STATUS with EVENT_SUBTYPE=SYSTEM_STATUS
Field | Description | Unit of Measure |
---|---|---|
COMPONENT_VERSION | Component version | String |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
DATABASE_SYSTEM | Database system | String |
EVENT_SUBTYPE | SYSTEM_STATUS | String |
EVENT_TYPE | SYSTEM_STATUS | String |
HOST | Host | String |
INSTALLATION_NUMBER | Installation number | Number |
LICENSE_EXPIRATION | License expiration | YYYYMMDD |
MACHINE_TYPE | Machine type | String |
NAME | Name | String |
OPERATING_SYSTEM | Operating system | String |
OWNER | Owner | String |
PLATFORM_ID | Platform ID | Number |
RELEASE | Release | Number |
SERVER_NAME | Server name | String |
UNICODE_SYSTEM | Unicode system | Boolean |
UTCDIFF | The UTC offset, in HHMMSS, of the time zone in which the data was collected | HHMMSS |
UTCSIGN | The UTC positive or negative offset indicator. Positive (+) means add UTCDIFF, and negative (-) means subtract UTCDIFF, to find the time-zone-adjusted date and time at which the data was collected. | + or - |
SYSTEM_STATUS with EVENT_SUBTYPE=KERNEL_INFO
Field | Description | Unit of Measure |
---|---|---|
ABAP_LOAD | ABAP Load | Number |
COMPILATION | Compilation | String |
CUA_LOAD | CUA Load | Number |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
DBSL_PATCH_LEVEL | Database patch level | Number |
DBSL_VERSION | DBSL version | Number |
DB_CLIENT_LIB | DB client library | String |
DB_RELEASES | DB releases | String |
EVENT_SUBTYPE | KERNEL_INFO | String |
EVENT_TYPE | SYSTEM_STATUS | String |
IP_ADDRESS | IP Address | IP Address |
KERNEL_RELEASE | Kernel release | Number |
MODE | Mode | String |
OPERATING_SYSTEM | Operating system | String |
OP_RELEASE | OP release | Number |
RSYN_FILE | Rsyn file | String |
SAP_VERSION | SAP version | Number |
SUP_PKG_LVL | Support Package level | Number |
UTCDIFF | The UTC offset, in HHMMSS, of the time zone in which the data was collected | HHMMSS |
UTCSIGN | The UTC positive or negative offset indicator. Positive (+) means add UTCDIFF, and negative (-) means subtract UTCDIFF, to find the time-zone-adjusted date and time at which the data was collected. | + or - |
SYSTEM_STATUS with EVENT_SUBTYPE=COMPONENT_LIST
Field | Description | Unit of Measure |
---|---|---|
COMPONENT | Component | String |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
DESC_TEXT | Description | String |
EVENT_SUBTYPE | COMPONENT_LIST | String |
EVENT_TYPE | SYSTEM_STATUS | String |
HIGH_PACKAGE | High package | String |
LEVEL | Level | Number |
RELEASE | Release | Number |
UTCDIFF | The UTC offset, in HHMMSS, of the time zone in which the data was collected | HHMMSS |
UTCSIGN | The UTC positive or negative offset indicator. Positive (+) means add UTCDIFF, and negative (-) means subtract UTCDIFF, to find the time-zone-adjusted date and time at which the data was collected. | + or - |
SYSTEM_STATUS with EVENT_SUBTYPE=PRODUCT_INFO
Field | Description | Unit of Measure |
---|---|---|
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
DESCRIPT | Description | String |
EVENT_SUBTYPE | PRODUCT_INFO | String |
EVENT_TYPE | SYSTEM_STATUS | String |
ID | ID | Number |
NAME | Product Name | String |
UTCDIFF | The UTC offset, in HHMMSS, of the time zone in which the data was collected | HHMMSS |
UTCSIGN | The UTC positive or negative offset indicator. Positive (+) means add UTCDIFF, and negative (-) means subtract UTCDIFF, to find the time-zone-adjusted date and time at which the data was collected. | + or - |
VENDOR | Vendor | String |
VERSION | Version | Number |
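
For the "correlate new installations" use case, the following added example (not part of the original documentation or the product's own code) compares the two most recent COMPONENT_LIST snapshots and reports added, removed, and changed components. It assumes the events come from a single SAP system, that every event from one collection run carries the same CURRENT_TIMESTAMP, and that events are available as dictionaries keyed by the field names above; the sample values and helper names are constructed.

```python
from collections import defaultdict

def _ev(ts, comp, rel, lvl, pkg):
    # Build one constructed COMPONENT_LIST event using the field names from the mapping.
    return {"EVENT_TYPE": "SYSTEM_STATUS", "EVENT_SUBTYPE": "COMPONENT_LIST",
            "CURRENT_TIMESTAMP": ts, "COMPONENT": comp, "RELEASE": rel,
            "LEVEL": lvl, "HIGH_PACKAGE": pkg}

# Constructed sample data: two collection runs of the same system (not real events).
SAMPLE_EVENTS = [
    _ev("20240101020000", "SAP_BASIS", "750", "0020", "SAPK-75020INSAPBASIS"),
    _ev("20240101020000", "SAP_ABA", "750", "0020", "SAPK-75020INSAPABA"),
    _ev("20240101020000", "SAP_GWFND", "750", "0020", "SAPK-75020INSAPGWFND"),
    _ev("20240108020000", "SAP_BASIS", "750", "0022", "SAPK-75022INSAPBASIS"),
    _ev("20240108020000", "SAP_ABA", "750", "0020", "SAPK-75020INSAPABA"),
    _ev("20240108020000", "ST-PI", "740", "0015", "SAPK-74015INSTPI"),
]

def snapshots(events):
    """Group COMPONENT_LIST events by CURRENT_TIMESTAMP into {COMPONENT: version tuple}."""
    snaps = defaultdict(dict)
    for e in events:
        # Ignore the other SYSTEM_STATUS subtypes (KERNEL_INFO, PRODUCT_INFO, ...).
        if e.get("EVENT_TYPE") != "SYSTEM_STATUS" or e.get("EVENT_SUBTYPE") != "COMPONENT_LIST":
            continue
        version = (e.get("RELEASE"), e.get("LEVEL"), e.get("HIGH_PACKAGE"))
        snaps[e["CURRENT_TIMESTAMP"]][e["COMPONENT"]] = version
    return dict(snaps)

def diff_latest(events):
    """Compare the two most recent snapshots and return added, removed, and changed components."""
    snaps = snapshots(events)
    if len(snaps) < 2:
        return {"added": {}, "removed": {}, "changed": {}}  # nothing to compare against yet
    old_ts, new_ts = sorted(snaps)[-2:]  # YYYYMMDDHHMMSS strings sort chronologically
    old, new = snaps[old_ts], snaps[new_ts]
    return {
        "added": {c: new[c] for c in new.keys() - old.keys()},
        "removed": {c: old[c] for c in old.keys() - new.keys()},
        "changed": {c: (old[c], new[c]) for c in old.keys() & new.keys() if old[c] != new[c]},
    }

if __name__ == "__main__":
    for kind, items in diff_latest(SAMPLE_EVENTS).items():
        print(kind, items)
```

Components that appear under "added" or "changed" are the ones to check against change records and patch advisories.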