The AL08 event is used in SAP to show the list of all the users who are logged on to the system globally or for all the instances in the system which are active.
Potential Use Cases
This event could be used in the following scenarios:
View users that are logged in.
Alert on sensitive users logging into the system.
View log-in trends over time.
The event will look like this in Splunk:
Log into SAP, and execute the AL08 transaction code. The data that is sent to Splunk will then be visible.