Data Description

The SYSTEM_STATUS event is used in SAP to view the software, components, kernel, and general SAP system information.

Potential Use Cases

This event could be used in the following scenarios:

  • To obtain system information details for dashboarding purposes.

  • Correlate new installations with security risks or performance issues.

Splunk Event

SYSTEM_STATUS with EVENT_SUBTYPE=PRODUCT_INFO

The event will look like this in Splunk:

SYSTEM_STATUS with EVENT_SUBTYPE=KERNEL_INFO

The event will look like this in Splunk:

SYSTEM_STATUS with EVENT_SUBTYPE=SYSTEM_STATUS

The event will look like this in Splunk:

SYSTEM_STATUS with EVENT_SUBTYPE=COMPONENT_LIST

The event will look like this in Splunk:

SAP Navigation

Log into the system and go to the System → Status menu option.

SYSTEM_STATUS with EVENT_SUBTYPE=SYSTEM_STATUS

The information displayed below will match with Splunk.

SYSTEM_STATUS with EVENT_SUBTYPE=KERNEL_INFO

Click on the Other kernel Info button.

The information displayed will match with Splunk.

SYSTEM_STATUS with EVENT_SUBTYPE=COMPONENT_LIST

Click on the Details button.

The information displayed will match with Splunk.

SYSTEM_STATUS with EVENT_SUBTYPE=PRODUCT_INFO

Click on the Details button.

Click on the Installed Product Versions tab. The data displayed will match with Splunk.

Field Mapping

SYSTEM_STATUS with EVENT_SUBTYPE=SYSTEM_STATUS

Field

Description

Unit of Measure

COMPONENT_VERSION

Component version

String

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

DATABASE_SYSTEM

Database system

String

EVENT_SUBTYPE

SYSTEM_STATUS

String

EVENT_TYPE

SYSTEM_STATUS

String

HOST

Host

String

INSTALLATION_NUMBER

Installation number

Number

LICENSE_EXPIRATION

License expiration

YYYYMMDD

MACHINE_TYPE

Machine type

String

NAME

Name

String

OPERATING_SYSTEM

Operating system

String

OWNER

Owner

String

PLATFORM_ID

Platform ID

Number

RELEASE

Release

Number

SERVER_NAME

Server name

String

UNICODE_SYSTEM

Unicode system

Boolean

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

SYSTEM_STATUS with EVENT_SUBTYPE=KERNEL_INFO

Field

Description

Unit of Measure

ABAP_LOAD

ABAP Load

Number

COMPILATION

Compilation

String

CUA_LOAD

CUA Load

Number

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

DBSL_PATCH_LEVEL

Database patch level

Number

DBSL_VERSION

DBSL version

Number

DB_CLIENT_LIB

DB client library

String

DB_RELEASES

DB releases

String

EVENT_SUBTYPE

KERNEL_INFO

String

EVENT_TYPE

SYSTEM_STATUS

String

IP_ADDRESS

IP Address

IP Address

KERNEL_RELEASE

Kernel release

Number

MODE

Mode

String

OPERATING_SYSTEM

Operating system

String

OP_RELEASE

OP release

Number

RSYN_FILE

Rsyn file

String

SAP_VERSION

SAP version

Number

SUP_PKG_LVL

Support Package level

Number

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

SYSTEM_STATUS with EVENT_SUBTYPE=COMPONENT_LIST

Field

Description

Unit of Measure

COMPONENT

Component

String

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

DESC_TEXT

Description

String

EVENT_SUBTYPE

COMPONENT_LIST

String

EVENT_TYPE

SYSTEM_STATUS

String

HIGH_PACKAGE

High package

String

LEVEL

Level

Number

RELEASE

Release

Number

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

SYSTEM_STATUS with EVENT_SUBTYPE=PRODUCT_INFO

Field

Description

Unit of Measure

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

DESCRIPT

Description

String

EVENT_SUBTYPE

PRODUCT_INFO

String

EVENT_TYPE

SYSTEM_STATUS

String

ID

ID

Number

NAME

Product Name

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -

VENDOR

Vendor

String

VERSION

Version

Number