Introduction
Welcome to the comprehensive beginner’s guide on using Splunk for Data Analysis in SAP Ariba Application. This guide is divided into several parts, each providing detailed instructions for understanding the main features and functionality of the Splunk tool. Without further ado, let’s embark on the journey to enhance data analysis capabilities in SAP Ariba.
What is Splunk?
Splunk is an essential data analysis tool that plays a crucial role in aggregating data for analysis and providing logs. For SAP Ariba in particular, it allows the monitoring of every aspect of the application processes, specifically procurement and supply chain. By doing so, it can help in tracking and analyzing transaction data, monitoring system performance, identifying security threats, and gaining visibility into operational inefficiencies. Moreover, Splunk provides the capability to proactively identify and resolve issues, optimize processes, and make data-driven decisions to improve overall efficiency and effectiveness.
One of the key features of Splunk is that it is comprised of several different applications. These apps essentially consist of a collection of files containing data inputs, UI elements, and knowledge objects. This flexibility with different apps allows for various use cases and user roles to coexist within a single Splunk instance.
Splunk typically retains logs for a period ranging from 90 to 390 days, depending on the data center and the specific index. This ensures that the data is accessible for analysis and reference within the desired timeframe.
The Splunk access URL is determined by the SAP Ariba component and data center.
List of all Splunk and Inspector Links for every component by datacenter
It is important to note that access to Splunk is only possible with a Safeguard account.
Key components of the Splunk platform
Indexer
- Processes machine data from any source
- Parses data by an organized source type (index)
- This raw log data is broken up into single events
- Events are stored by the index so they can be searched
- Runs the actual search submitted by the user
Search Head
- Allows users to use Splunk Search Processing Language (SPL) to search indexed data
- Distributes the search to the Indexers
- Extracts field-value pairs from events for the user
- Can extract additional fields (e.g. with regex) or transform data (e.g. with stats commands) before results are returned to the end user, without changing the underlying data
- Provides tools for reports/dashboards/visualizations
Forwarder
- Installed on servers where data originates
- Primary way data is supplied to indexers for indexing
Splunk’s Architecture
The Cloud Health 2.0 App
The Cloud Health 2.0 App is one of the key tools within the Splunk platform, utilized by various SAP Ariba teams for analyzing application log data. This app provides support and development teams with the capability to examine log data from any SAP Ariba component.
One of the distinguishing features of the Cloud Health 2.0 App is its multitude of customized, pre-extracted and calculated fields, such as AribaThread, AribaPrealm, and Community. These fields are exclusively available within the Cloud Health 2.0 app knowledge object, enabling users to leverage them in search queries.
In addition to field extractions, the knowledge objects within the Cloud Health 2.0 App encompass lookups, fields, and alerts, providing a comprehensive toolkit for effective analysis and monitoring of log data.
The app’s value is underscored by the fact that utilizing these specific fields in the default search app of Splunk – the search and reporting app – yields no results unless the corresponding knowledge object exists within it.
Another benefit of the Cloud Health 2.0 App for users is that all dashboards and alert knowledge objects are shared across global data centers.
Main page
The entry point for opening Cloud Health is prominently positioned at the top of the black Splunk menu bar, which reflects the importance of the application. This bar is accessible from any Splunk application, providing users with ease of access. Within it, users can find the application chooser, which allows for seamless switching between different apps. This centralized location serves as a convenient hub for app navigation. Furthermore, each application contains its own specific navigation features within the bar, ensuring a tailored user experience for each individual app.
To run a simple, ad hoc search, click on the search button. This opens the search screen in a new tab, where the results will be displayed. Enter the search criteria into the search bar, beginning with index= followed by the name of the index. In some cases, users may also be searching for a specific string of text.
Upon running the search and obtaining results, a bar chart depicting the event timeline will be displayed. This chart effectively illustrates the distribution of events across time intervals. The specific timing of these intervals will adjust dynamically depending on the length of the chosen time frame for the search.
Each individual result is considered an event, with different fields and values attributed to each one. For example, the “host” field is accompanied by a corresponding value. Additionally, there are various job functions located on the top right-hand side of the page.
Search example
The time zone displayed for specific events is based on user preferences and can be adjusted according to individual needs. To do so, simply click on your name, navigate to the preferences section, then select the global settings and change the time zone as desired. This allows users to ensure events and appointments are accurately reflected in their own local time.
Timezone
Search Assistant
The search assistant is a helpful tool that offers various selections and options for completing a search. Users have the ability to select a term from a list, continue typing, and choose between default, compact, or full view. To access or deactivate the search assistant, users must click on their name, navigate to preferences, select SPL editor, and then the search assistant.
Preferences
The compact mode provides command information as users type and displays the last five queries for quick selection. In full mode, the display provides more information and includes more text as well as examples. However, the choice of which view to use ultimately depends on the user’s preference.
Search Assistant Compact Mode
Search Assistant Full mode
The next topic is the selection of time in the Search feature, for which several options are available. One option is to select the time from the time picker. Real-time search is also available, but only for Power/Admin users. Additionally, time can be defined in the search query itself using modifiers such as “earliest” or “latest.” These accept time notation, with “s” representing seconds, “m” representing minutes, “h” representing hours, “d” representing days, “w” representing weeks, “mon” representing months, and “y” representing years.
Selecting Time in Search
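As an added example (not part of the original post), the two separate searches below combine the index= prefix, a text string, and the earliest/latest modifiers with the time notation listed above, then summarize the matching events per host. The index name and the search string are placeholders to replace with real values; stats, convert, sort and timechart are standard SPL commands.

```spl
index=<your_index> "<search string>" earliest=-24h latest=now
| stats count AS events earliest(_time) AS first_seen latest(_time) AS last_seen BY host
| convert ctime(first_seen) ctime(last_seen)
| sort - events

index=<your_index> "<search string>" earliest=-1mon latest=-1w
| timechart span=1d count BY host
```

The first search shows which hosts logged the string in the last 24 hours and when it was first and last seen on each; the second charts daily counts for the window from one month ago to one week ago. A window that reaches back further than the index's retention period returns nothing for the expired portion.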
In order to view a specific subset of events using the search feature, users can click on a particular bar. This action filters the search results to display only the events related to the selected bar. To clear the filter, simply click on any part of the white space in the bar.
Search Example
Controlling the jobs allows for various options such as pausing a job while it is still running and stopping a job if needed. Additionally, the default duration for active search jobs is 10 minutes, but they can be shared with others via a URL that remains active for seven days. The search results can be downloaded in different formats such as CSV, JSON, XML, or raw text. There are three different search modes available: fast, which only returns default field data or any required fields for the search; verbose, which returns a large amount of data and may impact search performance if used for large queries; and smart, which recommends field discovery for searches and adds new fields if Splunk determines there is enough data to add them. The smart mode also does not provide event or field data for stats searches. Overall, these options provide flexibility and control in managing search jobs and their results.
Controlling Jobs
In order to access previous jobs and search history, users can click on the activity section and view jobs by owner, application, or status. The search history can be found at the bottom of the search page, where users can expand and view their previous searches. This feature is particularly useful for users who may have forgotten to save a query they ran a few days ago. The search history page is designed to retain data for up to 30 days, allowing users to access any searches conducted within that timeframe.
History
Conclusion
This concludes the basic overview of the Splunk tool and its main features for SAP Ariba data analysis. The next parts will continue to dive into this tool and will cover Dashboards and Alerts & Scheduled Reports. The aim of this guide is to be helpful and aid in making comprehensive analysis of any Ariba issues on a daily basis. Should you have any questions or need further assistance, do not hesitate to reach out.
#splunk