The SCU3 event is used to evaluate the generated logs of SAP tables and objects.
Potential Use Cases
This event could be used in the following scenarios:
Analyze who made a change, what was changed, and when was the change made in tables and customize objects
Identify and alert on changes, which could create compliance concerns
Dashboard and alert on total change volume for specific critical tables.
Important Note: Data will not be extracted until the Metric Filter is configured.
Log into the managed system, and execute /N/BNWVS/MAIN transaction. Then go to Administrator → Metric filters → SCU3 table filter.
Add the table/object name for which logs are active in SCU3 and data need to be sent to Splunk. The configuration can be active/de-active using the checkbox column.
The event fields depend on the Event Subtype i.e. table for which logs are sent. For table(Event Subtype) T001, the event will look like this in Splunk:
Log in to the SAP system and execute the transaction SCU3 and click on the ‘Evaluate Logs’ button.
Enter the Customizing Object/Table name and select the respective radio button in the ‘Evaluation for’ section. Also, select the 'ALV Grid Display' Output Option and execute.
The Evaluation logs are displayed in the output list.
Fields information on SCU3 output and Splunk Event are the same. The structure of the EVENT TYPE depends on the EVENT SUBTYPE i.e. Table name for which logs are extracted. The Below table contains the common fields information (when the change was done and who changed it) which are the same for all the Event Subtypes. The rest of the fields of the Splunk Event Subtype are table fields that have been changed and can be found and compared with SAP transaction SCU3 output.
Unit of Measure
IT varies and its value is equal to the table/object name for which logs are extracted. It is T001 for the example used in the documentation
The date time stamp when the information was collected
Actual length of vardata
Table Name for which logs are generated
Log Key (Primary key of the table record)
Host Name of SAP Application Server
Operation type (I: Insert, C: Change, D : Delete)
Version Number Component
The UTC OFFSSET in HHMMSS that the data was collected in
The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.
+ | -