Data Description

The SCU3 event is used to evaluate the generated logs of SAP tables and objects.

Potential Use Cases

This event could be used in the following scenarios:

  • Analyze who made a change, what was changed, and when was the change made in tables and customize objects

  • Identify and alert on changes, which could create compliance concerns

  • Dashboard and alert on total change volume for specific critical tables.

Metric Filters

Important Note: Data will not be extracted until the Metric Filter is configured.

Log into the managed system, and execute /N/BNWVS/MAIN transaction. Then go to Administrator → Metric filters → SCU3 table filter.

Add the table/object name for which logs are active in SCU3 and data need to be sent to Splunk. The configuration can be active/de-active using the checkbox column.

Splunk Event

The event fields depend on the Event Subtype i.e. table for which logs are sent. For table(Event Subtype) T001, the event will look like this in Splunk:

SAP Navigation

Log in to the SAP system and execute the transaction SCU3 and click on the ‘Evaluate Logs’ button.

Enter the Customizing Object/Table name and select the respective radio button in the ‘Evaluation for’ section. Also, select the 'ALV Grid Display' Output Option and execute.

The Evaluation logs are displayed in the output list.

Fields information on SCU3 output and Splunk Event are the same. The structure of the EVENT TYPE depends on the EVENT SUBTYPE i.e. Table name for which logs are extracted. The Below table contains the common fields information (when the change was done and who changed it) which are the same for all the Event Subtypes. The rest of the fields of the Splunk Event Subtype are table fields that have been changed and can be found and compared with SAP transaction SCU3 output.

Field Mapping

Field

Description

Unit of Measure

EVENT_TYPE

SCU3

String

EVENT_SUBTYPE

 IT varies and its value is equal to the table/object name for which logs are extracted. It is T001 for the example used in the documentation

String

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

DATALN_H

Actual length of vardata

Integer

MANDT

SAP Client

String

LOGDATE_H

Log Date

YYYYMMDD

LOGTIME_H

Log Time

HHMMSS

LOGID_H

Log ID

String

TABNAME_H

Table Name for which logs are generated

String

LOGKEY_H

Log Key (Primary key of the table record)

String

HOSTNAME_H

Host Name of SAP Application Server

String

USERNAME_H

User Name

String

TCODE_H

Transaction Code

String

PROGNAME_H

Program Name

String

OPTYPE_H

Operation type (I: Insert, C: Change, D : Delete)

String

VERSNO_H

Version Number Component

String

LANGUAGE_H

Language

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -