The AL08 event is used in SAP to show the list of all the users who are logged on to the system globally or for all the instances in the system which are active.
Potential Use Cases
This event could be used in the following scenarios:
View users that are logged in.
Alert on sensitive users logging into the system.
View log-in trends over time.
Splunk Event
The event will look like this in Splunk:
SAP Navigation
Log into SAP, and execute the AL08 transaction code. The data that is sent to Splunk will then be visible.
Field Mapping
Field
Description
Unit of Measure
CURRENT_TIMESTAMP
The date time stamp when the information was collected
YYYYMMDDHHMMSS
DIALOG_TIME
Time user logged in
HHMMSS
EVENT_SUBTYPE
String
EVENT_TYPE
AL08
String
EXT_SESSION
Number of Sessions
Number (Count)
INSTANCE_NAME
Application server
String
INT_SESSION
Session Number
Number
MANDT
Client
String
TCODE
Transaction Code
String
TERM_NAME
Client host
String
USERNAME
User name
String
UTCDIFF
The UTC OFFSSET in HHMMSS that the data was collected in
HHMMSS
UTCSIGN
The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.
+ | -
JavaScript errors detected
Please note, these errors can depend on your browser setup.
If this problem persists, please contact our support.