SCU3 - Analysis of Logged Customizing Objects and Tables
Data Description
The SCU3 event is used to evaluate the generated logs of SAP tables and objects.
Potential Use Cases
This event could be used in the following scenarios:
Analyze who made a change, what was changed, and when the change was made in tables and customizing objects
Identify and alert on changes that could create compliance concerns
Dashboard and alert on total change volume for specific critical tables
Metric Filters
Important Note: Data will not be extracted until the Metric Filter is configured.
Log in to the managed system and execute the /N/BNWVS/MAIN transaction. Then go to Administrator → Metric filters → SCU3 table filter.

Add the name of each table/object for which logs are active in SCU3 and whose data needs to be sent to Splunk. Each entry can be activated or deactivated using the checkbox column.

Splunk Event
The event fields depend on the Event Subtype, i.e. the table for which logs are sent. For table (Event Subtype) T001, the event will look like this in Splunk:




SAP Navigation
Log in to the SAP system, execute transaction SCU3, and click the ‘Evaluate Logs’ button.

Enter the Customizing Object/Table name and select the respective radio button in the ‘Evaluation for’ section. Also, select the 'ALV Grid Display' Output Option and execute.

The Evaluation logs are displayed in the output list.

The field information in the SCU3 output and in the Splunk event is the same. The structure of the EVENT TYPE depends on the EVENT SUBTYPE, i.e. the table name for which logs are extracted. The table below lists the common fields (when the change was made and who made it), which are the same for all Event Subtypes. The remaining fields of a Splunk Event Subtype are the table fields that have been changed; they can be found in, and compared with, the output of SAP transaction SCU3.
Field Mapping
Field | Description | Unit of Measure |
---|---|---|
EVENT_TYPE | SCU3 | String |
EVENT_SUBTYPE | Varies; its value is equal to the table/object name for which logs are extracted. It is T001 for the example used in the documentation | String |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
DATALN_H | Actual length of vardata | Integer |
MANDT | SAP Client | String |
LOGDATE_H | Log Date | YYYYMMDD |
LOGTIME_H | Log Time | HHMMSS |
LOGID_H | Log ID | String |
TABNAME_H | Table Name for which logs are generated | String |
LOGKEY_H | Log Key (Primary key of the table record) | String |
HOSTNAME_H | Host Name of SAP Application Server | String |
USERNAME_H | User Name | String |
TCODE_H | Transaction Code | String |
PROGNAME_H | Program Name | String |
OPTYPE_H | Operation type (I: Insert, C: Change, D: Delete) | String |
VERSNO_H | Version Number Component | String |
LANGUAGE_H | Language | String |
UTCDIFF | The UTC offset, in HHMMSS, that the data was collected in | HHMMSS |
UTCSIGN | The UTC positive or negative offset indicator. Positive (+) means add UTCDIFF to find the time zone of the data; negative (-) means subtract UTCDIFF to find the time-zone-adjusted date and time the data was collected in. | + or - |
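
The use cases and common fields above, worked through as an added example (not part of the product documentation): it takes SCU3 events as dictionaries keyed by the field names in the table, reports who/what/when, separates the changed table fields from the common header, and counts changes per user on critical tables. Assumptions: LOGDATE_H/LOGTIME_H are in the time zone described by UTCSIGN/UTCDIFF; the function names, the sample events and their values (including BUKRS and BUTXT as T001 columns) are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common header fields from the Field Mapping table; any other key is table data.
COMMON = {"EVENT_TYPE", "EVENT_SUBTYPE", "CURRENT_TIMESTAMP", "DATALN_H", "MANDT",
          "LOGDATE_H", "LOGTIME_H", "LOGID_H", "TABNAME_H", "LOGKEY_H", "HOSTNAME_H",
          "USERNAME_H", "TCODE_H", "PROGNAME_H", "OPTYPE_H", "VERSNO_H",
          "LANGUAGE_H", "UTCDIFF", "UTCSIGN"}
OPTYPES = {"I": "insert", "C": "change", "D": "delete"}

def change_time_utc(ev):
    """Combine LOGDATE_H + LOGTIME_H and normalise to UTC.
    Assumption: both are local time at the offset given by UTCSIGN/UTCDIFF."""
    local = datetime.strptime(ev["LOGDATE_H"] + ev["LOGTIME_H"], "%Y%m%d%H%M%S")
    d = ev["UTCDIFF"]
    sign = -1 if ev["UTCSIGN"] == "-" else 1
    offset = sign * timedelta(hours=int(d[:2]), minutes=int(d[2:4]), seconds=int(d[4:6]))
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)

def summarise(ev):
    """Who / what / when for one SCU3 event."""
    return {
        "table": ev["TABNAME_H"],
        "user": ev["USERNAME_H"],
        "tcode": ev["TCODE_H"],
        "operation": OPTYPES.get(ev["OPTYPE_H"], "unknown"),
        "when_utc": change_time_utc(ev),
        "record_key": ev["LOGKEY_H"],
        "table_fields": {k: v for k, v in ev.items() if k not in COMMON},
    }

def volume_alerts(events, critical_tables, threshold):
    """Return {(table, user): count} for critical tables at or above threshold."""
    counts = Counter((e["TABNAME_H"], e["USERNAME_H"]) for e in events
                     if e["EVENT_TYPE"] == "SCU3" and e["TABNAME_H"] in critical_tables)
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample events (not real data).
_BASE = {"EVENT_TYPE": "SCU3", "EVENT_SUBTYPE": "T001", "TABNAME_H": "T001", "MANDT": "100",
         "LOGDATE_H": "20240115", "UTCDIFF": "010000", "UTCSIGN": "+", "TCODE_H": "OX02"}
SAMPLE = [
    {**_BASE, "LOGTIME_H": "003000", "USERNAME_H": "JDOE", "OPTYPE_H": "C",
     "LOGKEY_H": "1001000", "BUKRS": "1000", "BUTXT": "Example Co"},
    {**_BASE, "LOGTIME_H": "003500", "USERNAME_H": "JDOE", "OPTYPE_H": "D",
     "LOGKEY_H": "1002000", "BUKRS": "2000"},
    {**_BASE, "LOGTIME_H": "101500", "USERNAME_H": "ASMITH", "OPTYPE_H": "I",
     "LOGKEY_H": "1003000", "BUKRS": "3000"},
]
```

Normalising to UTC before correlating matters when SCU3 events from systems in different time zones land in the same index; the first sample event, logged at 00:30 local time, falls on the previous calendar day in UTC.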