BEFORE COMPLETING THIS STEP: For Splunk Cloud customers running PowerConnect Splunk app versions 7.0.0-7.2.0, please refer to Knowledge Base #173 to address a bug specific to Splunk Cloud that may prevent the Master Inventory Lookup (and potentially other KVstore-based lookups) from generating properly.
The Lookups need to be populated with the event data. This step is required to be performed only once as there are separate saved searches scheduled to run every hour for appending new items to existing lookups from new events. In some cases, this step is done only to populate static data in the lookup once. There are two ways to complete this step:
Open the dashboard “Wizard for New SAP SIDs and Instances Discovery” under PowerConnect > Wizard menu.
Select the checkboxes corresponding to the desired search names.
Click on the “Run Searches” button.
The status of the search would get updated in the Status column of the table. The user can view the search results once the search has completed by clicking in the table cell.
The step would be complete when all the searches specified in the table have completed execution successfully with the exception of “Cloud CPI Source - Lookup Gen - Run Once Only” search.
The following saved searches should only be run if the user wants to use their respective dashboards:
“Cloud CPI Source - Lookup Gen - Run Once Only“ for the dashboard “SAP Cloud - CPI Message Monitoring”
“Cloud API Source - Lookup Gen - Run Once Only” for the dashboard “SAP Cloud - API Management Monitoring”
“Cloud Success Factor Source - Lookup Gen - Run Once Only” for the dashboard “Success Factor Monitoring Dashboard” dashboards respectively .
On Splunk's menu bar, Click on Settings -> “Searches, reports, and alerts” and manually run all the saved searches with the suffix ” – Run Once Only”. In case of a large number of events, if saved search execution does not get completed, try to reduce the time range and populate the lookups.
3. On Splunk's menu bar, Click on Search -> Advanced search -> Search Macros -> search term (sap-index)
Before ::
Since our index is sap. Removed the double quotes and changed to index=sap and then run Post configuration wizard setup again.
After :
Configuration is now finished for the Splunk app.
Note: If you are using SAP Cloud or want to change app language to German or Japanese; kindly follow the optional Post Installation Configuration