Below is a complete copy of our PC_README.md file, as Splunk’s app limitations prevent us from providing the full readme file on the Splunkbase page.


SAP PowerConnect for Splunk
======================================================================

OVERVIEW
------------------------------
This Splunk application helps visualize and monitor SAP systems using PowerConnect for Splunk, an ABAP-based application for SAP. The app is standalone and does not depend on any other technology add-ons.

* Author - SoftwareONE
* Version - 7.0.0
* Build - 1
* Creates Index - False
* Source type - sap_abap, sap:abap, jmx, sap:java, sap:cloud
* Compatible with:
    * Splunk Enterprise version: 8.1.x, 8.2.x and 9.0.x
    * PowerConnect for Splunk using ABAP: 7.01 - 7.5x
    * OS: Platform independent
  
SUPPORT
------------------------------
support@powerconnect.io

DOWNLOAD
------------------------------
https://splunkbase.splunk.com/app/3153/

INSTALLATION
------------------------------
* This application needs to be installed on Splunk Search Head in the case of Distributed environment.
* For Installation and Setup instructions, refer to the documentation here - https://help.powerconnect.io/powerconnectdocumentation/PowerConnect-Splunk-App-Installation.2349793211.html

UPGRADE STEPS
------------------------------
If you upgrade the app to version 7.0.0 or above from any lower version (below 7.0.0), run the Setup Page so that you can use the panel-wise alert functionality.
https://help.powerconnect.io/powerconnectdocumentation/PowerConnect-Splunk-App-Upgrade.3040673830.html

ALERT MECHANISM LIMITATIONS
------------------------------
* If you upgrade the app to version 7.0.0 or above from any lower version (below 7.0.0), run the Setup Page so that you can use the panel-wise alert functionality.
* Panel-wise alert functionality works only in the English language.
* The user must have the admin, power or sc_admin (Splunk Cloud) role, or any role that inherits from one of those roles.
* Private alerts will not work with the alerting mechanism.
* Global alerts (in other apps) will not work with the alerting mechanism.
* Duplicate alert names will not work.
* A user can create only one alert at a time. If you click a bell icon and load the alert dashboard without creating an alert (leaving that alert dashboard open), then click another bell icon and load its alert dashboard, and then create a new alert from the first opened tab, the alert mechanism will not work properly.

APP DEPENDENCY
------------------------------
* The app uses the Splunk application "Splunk Machine Learning Toolkit (MLTK)" to incorporate machine learning use cases in certain dashboards, namely "SAP Security Essentials" and "ABAP Dumps".

SETUP PAGE GUIDE
------------------------------
#### Section 1: Setup default values
* In this section default filter values for the timerange and span can be set. These values are set to default across all the dashboards.

* **Note**: This does not apply for "Expensive Statements (raw)" dashboards for databases.

#### Section 2: Database selection
* In this section you can add/remove database menu entry from the navigation bar of the App.

#### Section 3: SAP Cloud selection
* In this section you can add/remove SAP Cloud product menu entry from the navigation bar of the App.

#### Section 4: SAP Fiori selection
* In this section you can add/remove SAP Fiori menu entry from the navigation bar of the App.

Setup NIPING Utility (Optional)
----------------------------------
* In this page the user can configure the Log level, Splunk Host, HEC Token, Port, Index, Splunk Username and Splunk Password for NIPING Utility. The user can enable and disable the script via this.
* Note: The NIPING functionality packaged in the app supports single instance topology and clustered/distributed environment in case the SAP systems, HEC token configuration (if done on Forwarder), and SH are within the same network. Otherwise, it won't be able to fetch data by pinging the SAP servers or post it to the HEC.

CONFIGURATION
------------------------------
* After performing above mentioned installation steps, configure the indexes to be accessible by admin and all other users and roles who will be accessing this application.
* All SAP raw events are configured to provide TIMESTAMPs in UTC timezone. Configure the system and Splunk user timezone accordingly.
* If any new field extraction is required to be done in props.conf for the [sap_abap] stanza, please verify the application is not affected by that change.
* The lookups need to be populated with the event data. This step needs to be performed only once: separate savedsearches are scheduled to run every hour and append new items from new events to the existing lookups, and some searches only populate static data in the lookup once. There are two ways to complete this step:
    * Open the dashboard “Wizard for New SAP SIDs and Instances Discovery” under PowerConnect menu. Select the checkbox corresponding to the savedsearches name and click on the “Run Searches” button. The status of the search would get updated in the Status column of the table and the user can view the search results once the search has completed by clicking in the table cell. The step would be complete when all the searches specified in the table have completed execution successfully with the exception of “Cloud CPI Source - Lookup Gen - Run Once Only”, “Cloud API Source - Lookup Gen - Run Once Only” and “Cloud Success Factor Source - Lookup Gen - Run Once Only” searches. These searches should only be run if the user wants to use the “SAP Cloud - CPI Message Monitoring”, “SAP Cloud - API Management Monitoring” and “Success Factor Monitoring Dashboard” dashboards respectively.
    * On Splunk's menu bar, Click on Settings -> “Searches, reports, and alerts” and manually run all the savedsearches with the suffix ” – Run Once Only”. In case of a large number of events, if savedsearch execution does not get completed, try to reduce the time range and populate the lookups.

OPTIONAL CONFIGURATION
------------------------------
* SAP CLOUD PRODUCT SUPPORT
    * If the user wants to use the “SAP Cloud - CPI Message Monitoring”, “SAP Cloud - API Management Monitoring” and “Success Factor Monitoring Dashboard” dashboards, the user needs to enable the saved searches “Cloud CPI Source - Lookup Gen”, “Cloud API Source - Lookup Gen - Run Once Only” and “Cloud Success Factor Source - Lookup Gen - Run Once Only”.  The steps to enable the savedsearches are:
        * On Splunk's menu bar, Click on Settings -> Searches, reports, and alerts.
        * Search for “Cloud CPI Source - Lookup Gen” or “Cloud API Source - Lookup Gen - Run Once Only” or “Cloud Success Factor Source - Lookup Gen - Run Once Only”.
        * Click on "Edit" dropdown under "Actions" and click on "Enable".

* GERMAN OR JAPANESE LANGUAGE SUPPORT
    * The app version 6.4.0 supports German and Japanese languages apart from English.
    * By default, Splunk automatically uses the language that the user's browser is set to. To switch languages, either the browser's locale setting can be changed or for a given Splunk session it can be changed by modifying the URL that you use to access Splunk. For different languages use the URL as specified:
        * German : http://<your_splunk_instance_address>/de-DE/app/BNW-app-powerconnect/
        * Japanese: http://<your_splunk_instance_address>/ja-JP/app/BNW-app-powerconnect/
        * American English: http://<your_splunk_instance_address>/en-US/app/BNW-app-powerconnect/
        * British English: http://<your_splunk_instance_address>/en-GB/app/BNW-app-powerconnect/

        *(Replace the placeholder in the URL)
        Note: In case the dashboard is not getting shown in the expected language after going to the appropriate URL, the user should clear the browser cache and refresh the dashboard.
    * The language translation of description ("Wizard for New SAP SIDs and Instances Discovery" dashboard, "Data Dictionary" dashboard and "Searches, Reports, and Alerts" section) is supported for Splunk version 7.3.x and above.
    * Reference: https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/Userlanguageandlocale

* MACROS:
    * On Splunk's menu bar, Click on Settings -> “Advanced search” -> “Search Macros”.
    1. "sap-index" macro
        * Click on the “sap-index” macro and mention the index name in the Definition where data is incoming. Please see the sample below:
            * (index="main" OR index="sample1" OR index="sample2")
            * Note: For selecting all value of an entity, "*" (asterisk) can be used. Logical operators like "AND", "OR" should be capitalized when used in Definition.
        * Click on the Save Button.
    2. "pc_landscape_lookup_delete_days" macro
        * Click on the “pc_landscape_lookup_delete_days” macro and mention the number of days, you want to keep the data in the lookup in the Definition. Please see the sample below:
            * 30
        * Click on the Save Button.


DATA MODEL CONFIGURATION
------------------------------
* Data Model Acceleration is disabled by default. Admin can enable acceleration and set the acceleration period by the following steps:
    1. On Splunk's menu bar, Click on Settings -> Data models
    2. From the list for Data models, click "Edit" in the "Action" column of the row for the Data model for which acceleration needs to be enabled.
    3. From the list of actions select Edit Acceleration. This will display the pop-up menu for Edit Acceleration.
    4. Check Accelerate check box to "Enable" data model acceleration.
    5. If acceleration is enabled, select the summary range to specify the acceleration period.
    6. To save acceleration changes click on the save button.
* For additional details, refer to the following document:
https://help.powerconnect.io/powerconnectdocumentation/KB-96---Splunk-PowerConnect-App-Data-Model-Information.3076489217.html

REBUILDING DATA MODEL
------------------------------
* In case there is no need to use the already indexed accelerated Data Model, the Data Model can be configured to rebuild from scratch for the specified acceleration period. Data Model can be rebuilt by the following steps:
    1. On Splunk's menu bar, Click on Settings -> Data models
    2. From the list for Data models, expand the row by clicking the ">" arrow in the first column of the row for the Data model whose acceleration needs to be rebuilt. This will display extra Data Model information in the "Acceleration" section.
    3. From the "Acceleration" section click on "Rebuild" link.
    4. Monitor the status of the rebuild in the field "Status" of "Acceleration" section. Reload the page to get the latest rebuild status.

SAVEDSEARCHES
------------------------------
* "System Inventory" saved search is used to populate Time, CPU, Memory, Capacity in dashboards.
* Below savedsearches are accelerated and acceleration might increase storage and processing costs. The user can change the acceleration option by following the steps given at the end of the section.
    1. Global STAD - Database Time, Response Time & Network Time
    2. SAP_stad_get_userlist
* Below savedsearches are used in Dropdown population in all dashboards.
    1. summaryAccountInstance
    2. summaryAccountSource
    3. summaryInstanceId
    4. summarySourceId
    5. summaryTcodeInstance
    6. summaryTcodeSource
    7. summaryTypeInstance
    8. summaryTypeSource
    9. summaryJmxSourceId
    10. summaryJmxStatus
    11. summaryFilenames
    12. summaryCloudCPISourceId
    13. summaryCloudAPISourceId
    14. summaryCloudSuccessFactorSourceId
    15. summarySystemRole
* "landscape_overview_summary" saved search is used to populate lookups for the Landscape Overview Dashboard.
* "landscape_overview_lookup_clean" saved search is used to remove the lookup data used in the Landscape Overview Dashboard.
* The following saved searches are used to populate lookups for the Process Chain Dashboard. These are disabled by default. Users need to manually enable these to use the dashboard.
    1. Sap_Subchain_Hour_Relation
    2. sap_state_step_chain - Lookup Gen
    3. sap_state_step_chain - Lookup Gen (Month Reset)
    4. Avg_Process_Chain
    5. Avg_Process_Chain2
    6. Next_Start_Process_Chain
    7. Sap_Process_Chain_Status_Duration
    8. sub_subchain_hour_relation_lookup - Lookup Gen
* The steps to enable the savedsearches are:
    1. On Splunk's menu bar, Click on Settings -> Searches, reports, and alerts.
    2. Select App context="SAP PowerConnect for Splunk (BNW-app-powerconnect)" and mark check "Show only objects created in this app context".
    3. Click on "Edit" dropdown under "Actions" and click on "Enable".
* The following saved searches are used to improve the search performance for the MLTK panels by acceleration. By default this feature is disabled. Users need to manually enable the acceleration.
    1. "mltk_sap_security_essentials_anomaly_tcode" - For the "Anomaly Detection: T-Code Executions" panel present in SAP Security Essentials dashboard.
    2. "mltk_sap_security_essentials_forecast_logins" - For the "Forecasting: User Logins" panel present in SAP Security Essentials dashboard.
    3. "mltk_abap_dumps_forecast_dumps" - For the "Forecasting: ABAP dumps" panel present in ABAP Dumps dashboard.
    4. "mltk_st22_anomaly" - For the "ABAP Dumps Outlier" panel present in ABAP Dumps dashboard.
    5. "mltk_sm37_anomaly" - For the "SAP Batch Jobs Anomaly" panel present in Batch Jobs dashboard.

* Users can change the acceleration option by following the below steps:
    1. On Splunk's menu bar, Click on Settings -> Searches, reports, and alerts.
    2. Select App context="SAP PowerConnect for Splunk (BNW-app-powerconnect)" and mark check "Show only objects created in this app context".
    3. Click on "Edit" dropdown under "Actions" and click on "Edit Acceleration" for the savedsearch you want to enable acceleration for.
    4. Under the Acceleration label, you will find "Accelerate this search" check box.
    5. Check or uncheck the "Accelerate Report" check box to enable or disable acceleration for the savedsearch.
    6. Click on "Save".

KNOWN ISSUES
------------------------------
* In Splunk 8.2.x, In Basis Health Checks Dashboard, language translation wouldn't happen as it is created using Splunk Dashboard Studio. This is a Splunk issue as it works properly in Splunk classic dashboards.
* SHC replication for the setup page wouldn’t happen in distributed Splunk environment and users need to configure the setup page on each SH. This is a known issue in Splunk.
* If you face the "[subsearch]: Search auto-finalized after time limit (60 seconds) reached" error, add the stanzas below to the $SPLUNK_HOME$/etc/apps/BNW-app-powerconnect/local/limits.conf file. If limits.conf does not exist at that location, create it, and restart the Splunk server.
    [subsearch]
    maxout = 50000
    maxtime = 3600
    [join]
    subsearch_maxtime = 3600
    subsearch_timeout = 360
* In Splunk Cloud, if you see the "Potential Security Risk" popup while using the SAP PowerConnect app for Splunk, you can click the “Run Query Anyway” button to accept the risk. If you are not able to click the button, refer to https://help.powerconnect.io/powerconnectdocumentation/KB-145---Guide-to-resolve-the-%E2%80%9CPotential-Security-Risk%22-popup-in-wizards.3278995457.html

SEND DATA TO SPLUNK
------------------------------
* PowerConnect uses, and recommends using, the HTTP Event Collector (HEC) to send data to Splunk.

OPEN SOURCE COMPONENTS AND LICENSES
------------------------------
* Some of the components included in "SAP PowerConnect for Splunk" are licensed under free or open source licenses. We wish to thank the contributors to those projects.
    * jQuery version 3.5.0 http://jquery.com/ (LICENSE https://github.com/jquery/jquery/blob/master/LICENSE.txt)
    * Underscore JS version 1.6.0 http://underscorejs.org (LICENSE https://github.com/jashkenas/underscore/blob/master/LICENSE)
    * Require JS version 2.3.6 http://github.com/jrburke/requirejs (LICENSE https://github.com/requirejs/requirejs/blob/master/LICENSE)
    * jQuery UI version 1.12.1 https://jqueryui.com/ (LICENSE https://github.com/jquery/jquery-ui/blob/main/LICENSE.txt)
    * bootstrap-tab.min.js version 2.3.1 https://github.com/twbs/bootstrap (LICENSE https://github.com/twbs/bootstrap/blob/main/LICENSE)
    * i18n.min.js version 2.0.6 https://github.com/requirejs/i18n (LICENSE https://github.com/requirejs/i18n/blob/master/LICENSE)
    * D3 JS version 3.3.5 https://github.com/d3/d3/releases (LICENSE appserver/static/components/d3/LICENSE)
    * Gantt Chart components from Splunk app "Gantt Chart visualization" 1.3.5 https://splunkbase.splunk.com/app/1741/ (LICENSE http://www.gnu.org/licenses/gpl-3.0.txt)
    * Plotly JS version 1.49.4 https://github.com/plotly/plotly.js/releases (LICENSE appserver/static/components/scatterplot/LICENSE.txt)
    * Golden Layout version 1.5.9 https://github.com/golden-layout/golden-layout/releases (LICENSE appserver/static/components/goldenlayout/LICENSE.txt)
    * Font Awesome Free 5.2.0 by @fontawesome - https://fontawesome.com/ (LICENSE appserver/static/icons/LICENSE.txt)

BINARY FILES
-----------------
The app package uses binary files for NIPING utility (located at $SPLUNK_HOME$/etc/apps/BNW-app-powerconnect/bin/lib/nipping) 

LOOKUP FILE MANUAL CONFIGURATION
------------------------------ 
* In "SAP Performance->User Experience (Geo)" dashboard, ip_subnets lookup file is used for fetching predefined subnet, lat, long and text fields. On the basis of these fields, the panel will display bubbles on Geo Map.
* To make the "SAP Global->User Experience (Geo)" dashboard work properly, the user needs to manually insert subnet values in the ip_subnets lookup file ($SPLUNK_HOME$/etc/apps/BNW-app-powerconnect/lookups/ip_subnets.csv).

        For example:
        subnet,lat,long,text // this line is already in ip_subnets.csv file.
        XXX.XXX.XXX,-10.000,20.000,"Text Value" //Sample value in ip_subnets.csv file.
        .
        .
        .
            where,
                - "XXX.XXX.XXX" is subnet value.
                - "-10.000" is latitude.
                - "20.000" is longitude.
                - "Text Value" is identical city/state/state name.

* In "SAP Security->SAP Security Scorecard" and "SAP Security->SAP Security Essentials" dashboards, the security_parameters_names lookup file is used for one of the security use cases, "Password policy parameters". This lookup defines the "Password policy parameters" security use case.
* To modify this security use case, the user needs to manually add/modify the security_parameters_names lookup file ($SPLUNK_HOME$/etc/apps/BNW-app-powerconnect/lookups/security_parameters_names.csv).

        For example:
        PAR_NAME,RECOMMENDED_VALUE,CONDITION // this line is already in security_parameters_names.csv file.
        login/min_password_lng,6,> //Sample value in security_parameters_names.csv file.
        .
        .
        .
            where,
                - "login/min_password_lng" is parameter name.
                - "6" is recommended value.
                - ">" is one of the three possible conditions i.e ">" OR "<" OR "=".

* In "SAP Security->SAP Security Scorecard" and "SAP Security->SAP Security Essentials" dashboards, the sensitive_tcodes lookup file is used for one of the security use cases, "Execution of sensitive transactions". This lookup defines the "Execution of sensitive transactions" security use case.
* To modify this security use case, the user needs to manually add/modify the sensitive_tcodes lookup file ($SPLUNK_HOME$/etc/apps/BNW-app-powerconnect/lookups/sensitive_tcodes.csv).

        For example:
        TCODE // this line is already in sensitive_tcodes.csv file.
        SE16 //Sample value in sensitive_tcodes.csv file.
        .
        .
        .
            where,
                - "SE16" is sensitive TCODE value.

* In "SAP Security->SAP Security Scorecard" and "SAP Security->SAP Security Essentials" dashboards, the wide_open_auth_objects lookup file is used for one of the security use cases, "Users with sensitive authorization". This lookup defines the "Users with sensitive authorization" security use case.
* To modify this security use case, the user needs to manually add/modify the wide_open_auth_objects lookup file ($SPLUNK_HOME$/etc/apps/BNW-app-powerconnect/lookups/wide_open_auth_objects.csv).

        For example:
        OBJECT // this line is already in wide_open_auth_objects.csv file.
        S_TABU_DIS //Sample value in wide_open_auth_objects.csv file.
        .
        .
        .
            where,
                - "S_TABU_DIS" is object value.

* In "SAP Security->SAP Security Scorecard" and "SAP Security->SAP Security Essentials" dashboards, the sensitive_user_roles lookup file is used for one of the security use cases, "Users with sensitive role". This lookup defines the "Users with sensitive role" security use case.
* To modify this security use case, the user needs to manually add/modify the sensitive_user_roles lookup file ($SPLUNK_HOME$/etc/apps/BNW-app-powerconnect/lookups/sensitive_user_roles.csv).

        For example:
        AGR_NAME // this line is already in sensitive_user_roles.csv file.
        Z_BNWVS_ADMIN_CHANGE //Sample value in sensitive_user_roles.csv file.
        .
        .
        .
            where,
                - "Z_BNWVS_ADMIN_CHANGE" is role name.

* In "Java->NW->NetWeaver Java UME" dashboard, the sensitive_user_roles_java lookup file is used for one of the security use cases, "Users with sensitive role". This lookup defines the "Users with sensitive role" security use case.
* To modify this security use case, the user needs to manually add/modify the sensitive_user_roles_java lookup file ($SPLUNK_HOME$/etc/apps/BNW-app-powerconnect/lookups/sensitive_user_roles_java.csv).

        For example:
        role_name // this line is already in sensitive_user_roles_java.csv file.
        Administrator //Sample value in sensitive_user_roles_java.csv file.
        .
        .
        .
            where,
                - "Administrator" is role name.
* In "PowerConnect->Landscape Overview" dashboard, the pc_landscape_ovw_source_exclude lookup file is used to exclude systems from the "ABAP System" and "JAVA System" dropdowns. Systems added to this lookup file are not populated in these dropdowns.
* To modify this, the user needs to manually add/modify the pc_landscape_ovw_source_exclude lookup file ($SPLUNK_HOME$/etc/apps/BNW-app-powerconnect/lookups/pc_landscape_ovw_source_exclude.csv).

        For example:
        source // this line is already in pc_landscape_ovw_source_exclude file.
        .
        .
        .
            where,
                - "source" is rule name.
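
A pre-deployment check for the manually edited lookup files described in this section, as an added example that is not part of the app or of the original README. Headers and the three allowed conditions come from the samples above; the numeric requirement for `>`/`<`, the octet and coordinate ranges and the duplicate check are assumptions of this example, and the sample rows are constructed.

```python
import csv
import io

# Header row of each lookup, taken from the README samples.
SCHEMAS = {
    "ip_subnets.csv": ["subnet", "lat", "long", "text"],
    "security_parameters_names.csv": ["PAR_NAME", "RECOMMENDED_VALUE", "CONDITION"],
    "sensitive_tcodes.csv": ["TCODE"],
    "wide_open_auth_objects.csv": ["OBJECT"],
    "sensitive_user_roles.csv": ["AGR_NAME"],
    "sensitive_user_roles_java.csv": ["role_name"],
    "pc_landscape_ovw_source_exclude.csv": ["source"],
}
CONDITIONS = {">", "<", "="}  # the three conditions the README allows


def _in_range(value, low, high):
    """True if value parses as a number within [low, high]."""
    try:
        return low <= float(value) <= high
    except ValueError:
        return False


def validate_lookup(name, text):
    """Return a list of 'line N: problem' strings; an empty list means clean."""
    header = SCHEMAS[name]
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != header:
        return [f"line 1: header must be exactly {','.join(header)}"]
    problems, seen = [], set()
    for n, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != len(header):
            problems.append(f"line {n}: expected {len(header)} columns, got {len(row)}")
            continue
        # The README annotates its samples with '//' remarks; they must not be pasted in.
        if any(not c or c != c.strip() or "//" in c for c in row):
            problems.append(f"line {n}: empty cell, stray whitespace or '//' remark")
        if row[0] in seen:  # assumption: the first column is a unique key
            problems.append(f"line {n}: duplicate {header[0]} {row[0]!r}")
        seen.add(row[0])
        if name == "security_parameters_names.csv":
            _, value, cond = row
            if cond not in CONDITIONS:
                problems.append(f"line {n}: CONDITION {cond!r} is not one of > < =")
            elif cond != "=" and not _in_range(value, float("-inf"), float("inf")):
                # Assumption: ordering comparisons only make sense on numbers.
                problems.append(f"line {n}: {cond} needs a numeric RECOMMENDED_VALUE")
        elif name == "ip_subnets.csv":
            subnet, lat, lon, _ = row
            octets = subnet.split(".")
            if not (len(octets) <= 4 and all(o.isdecimal() and int(o) <= 255 for o in octets)):
                problems.append(f"line {n}: subnet {subnet!r} is not dotted decimal")
            if not (_in_range(lat, -90, 90) and _in_range(lon, -180, 180)):
                problems.append(f"line {n}: lat/long out of range")
    return problems


# Constructed sample rows (not shipped with the app).
SAMPLE_PARAMS = (
    "PAR_NAME,RECOMMENDED_VALUE,CONDITION\n"
    "login/min_password_lng,6,>\n"
    "login/fails_to_user_lock,five,<\n"
    "login/min_password_lng,8,>\n"
    "login/password_expiration_time,90,>=\n"
)
SAMPLE_SUBNETS = (
    "subnet,lat,long,text\n"
    '10.20.30,-10.000,20.000,"Text Value"\n'
    '10.20.31,95.5,20.000,"Text Value"\n'
    "10.20.300,10,20,Office\n"
)

if __name__ == "__main__":
    for fname, body in (("security_parameters_names.csv", SAMPLE_PARAMS),
                        ("ip_subnets.csv", SAMPLE_SUBNETS)):
        for problem in validate_lookup(fname, body) or ["clean"]:
            print(f"{fname}: {problem}")
```

Run it against the edited files before copying them into the app's lookups directory; a non-empty result lists the rows to fix.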

RUNNING LOOKUP SAVED SEARCHES
-----------------------------
Lookups can be rebuilt by the following steps:

1. On Splunk's menu bar, Click on Settings -> Searches, reports, and alerts.
2. In "App context" dropdown, select "SAP PowerConnect for Splunk (BNW-app-powerconnect)" from the list.
3. Select the check box of "Show only objects created in this app context".
4. In the top right search box, enter "- Run Once Only" and click on the search icon.
5. The list should now be filtered to the lookup saved searches.
6. Now for each saved search from the above list, click on "Actions" -> "Run" one by one in new tabs.
7. The saved searches will run with the "All Time" time range. If you want to use a shorter time range, stop the existing search job, change the time range and run the search again.


NOTE: Run the saved searches one by one to avoid concurrency issue.

Binary File Declaration
-----------------------
App consists of Linux binary files located at - bin/lib/niping/linux_x86_64/libicudata.so.34, bin/lib/niping/linux_x86_64/libicui18n.so.34 and bin/lib/niping/linux_x86_64/libicuuc.so.34 for the purpose of collecting availability status of SAP System

Copyright (c) 2022 SoftwareONE. All Rights Reserved.

RELEASE NOTES
------------------------------
Version 7.0.0 (July 2022)

New! System Overview (7.x)
New! PowerConnect Resource Utilization
New! Event type, Dashboard, Menu Mapping
New! Alert Details
New! Event Analytics
New! User Change Log
New! Login Failure
New! Authorization Data Overview (SU53)
New! Sensitive Authorization
New! Audit Integrity Check
New! File System
New! Capacity Management Information System
New! SMLG Details
New! STATS Details
New! STATS Overview
New! Spool Information
New! Output Device Status
New! Spool Content
New! Smart Business KPI
New! PI/PO Adapter Engine Queues
New! HANA: Backup Overview Dashboard
New! HANA: Large Table Details
New! HANA: Large Table Overview
New! HANA: SQL Plan Statistics
New! HANA: Disk Overview
New! Fiori Statistics Overview
New! Fiori Statistics Details
New! SAP Fiori: ODATA Metering Trace
New! SAP Fiori: SAP Gateway Statistics
New! Weekly Usage Statistics (Dashboard Studio)
Updated! System Overview
Updated! Alert Definition
Updated! User Password Status
Updated! Authorization Data Details (SU53)
Updated! Spool Monitoring
Updated! IDOC Status for WE02
Updated! HANA: Alert Details
updated! PowerConnect Troubleshooting Dashboard" under 
Fixed! Landscape Overview - https://help.powerconnect.io/powerconnectdocumentation/kb-147-a-custom-javascript-caused-an-issue-loading
Fixed! Background Job Analysis by Instance - https://help.powerconnect.io/powerconnectdocumentation/kb-147-a-custom-javascript-caused-an-issue-loading
Added! CIM Mapping for Security Event Type
Improved navigation of the Dashboards.
Minor updates to "SM20 Audit Logs", "SAP OS Memory (ST06)", "SAP Network", "CPU All Instances", "SAP Landscape Analysis" and "Basis Health Checks".