Data Description

The AL08 event is used in SAP to show the list of all the users who are logged on to the system globally or for all the instances in the system which are active.

Potential Use Cases

This event could be used in the following scenarios:

  • View users that are logged in.

  • Alert on sensitive users logging into the system.

  • View log-in trends over time.

Splunk Event

The event will look like this in Splunk:

SAP Navigation

Log into SAP, and execute the AL08 transaction code. The data that is sent to Splunk will then be visible.

Field Mapping

Field

Description

Unit of Measure

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

DIALOG_TIME

Time user logged in

HHMMSS

EVENT_SUBTYPE

String

EVENT_TYPE

AL08

String

EXT_SESSION

Number of Sessions

Number (Count)

INSTANCE_NAME

Application server

String

INT_SESSION

Session Number

Number

MANDT

Client

String

TCODE

Transaction Code

String

TERM_NAME

Client host

String

USERNAME

User name

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -