Connect SAP with Splunk

Get complete Splunk visibility with Cenoti™. Illuminate your SAP data.

View on Splunkbase     Request a demo     Download Brochure


Cenoti is SAP certified



Eliminate your security blind spots

Managing SAP is complex. Correlating and identifying security and privacy is now made simpler with our pre-built alerting framework  delivered directly out of your SAP systems into your Splunk workspace.

Best-of-breed, enterprise security, and performance monitoring

World-class tools combined to drive business insight and allow your teams to easily manage and surface key alerts to act on. Get real-time visualization and insights across all your connected data sources using pre-delivered dashboards.





Unify your security approach

Traditionally, SAP security relies on teams of specialist engineers. However, their complexity and criticality to business operations often exceed the capacity of smaller technology teams.

Cenoti links SAP systems to Splunk, so you can manage your entire enterprise security monitoring via a single Splunk dashboard.

Why Cenoti?


Benefit from a fully certified and up-to-date solution

  • The SAP layer is installed via an SAP-certified Transport, and Cenoti also supports SAP S/4HANA
  • The Splunk layer is installed via a certified SplunkBase App that supports Enterprise Security




Get SAP data privacy insights in Splunk

  • Robust data access reporting comes as standard
  • Compliance standards PCI, HIPAA are supported out of the box
  • The SAP data is tagged with compliance metadata as it is being forwarded to Splunk
  • Detailed SAP server and instance performance metrics come as standard


Experience rapid system deployment

  • Transport is applied easily and quickly
  • Complete end-to-end installation and configuration takes less than ten days
  • Cenoti uses existing SAP configuration; minimal client-specific configuration is required
  • It’s a flexible solution; all SAP collectors are configurable and extensible to suit your business needs


Get a quick overview of Cenoti's features

  • 24+ SAP Data Forwarders intelligently powered by our proprietary SAP semantic model
  • Alerts integrated with Splunk Enterprise Security Models
  • 21+ Splunk Dashboards
  • 133+ Splunk Tiles
  • 34+ Splunk Searches with Alerts for Security, Operations and Business

Find a Splunkdashboard for your SAP® needs

SAP user operational dashboard on Splunk


  • SAP User Operational Overview
  • SAP User Activity Audit
  • SAP Alert Feed
  • SAP Data Access Report
  • SAP Change Report
  • SAP Environment Overview
  • SAP Instance Health
  • SAP Jobs Report

SAP change overview dashboard on Splunk


  • SAP Tcodes Report
  • SAP App Server Health
  • SAP Buffer Health
  • SAP Load Balancing Health
  • SAP Client Health
  • SAP Error Viewer
  • SAP DB Health
  • Large Object Viewer
  • Slow Statement Viewer

Out of the box connectors

Pre-delivered SAP collectors

The following connectors are delivered 'out of the box' with Cenoti. Our framework makes it simple to filter, extend or build additional connectors:

  • Security
  • Operational
  • Privacy
  • Data Management

Cenoti security collectors monitor critical configuration and sensitive changes

Name Technical Name Description
User authorization log (buffered data) AUTHLOG_BUF Buffered user authorization checks similar to what is shown in transaction SU53.
User authorization log (persistent data) AUTHLOG_LT Long-term, persistent user authorization checks.
Security audit log SECAUDLOG This collector lets you track the information in the security audit logs, that is normally accessible via transaction SM20.
User password status USERPWD The USERPWD collector lets you collect the data of the RSUSR200 report.

Cenoti operational collectors proactively send key metrics of your SAP systems performance to Splunk

Name Technical Name Description
ABAP Short Dump Analysis ABAP_DUMP ABAP runtime errors as tagged fields or in a full report, similar to that shown by transaction ST22.
SAP Application log monitor APPLOG Retrieves messages stored in the system's Application Log. The collected data is similar to that shown by transaction SLG1.
BW Process Chains monitor BW_PC Collects BW Process Chain meta-data and logs.
SAP transaction descriptions CODE_TXT Provides the text descriptions for SAP transaction codes (in all supported languages).
Enqueue (lock) monitoring ENQLOCK Provides a snapshot of current locks and their age.
IDOC data collector for control and segments IDOC_D The collector lets you collect IDoc status (changes of an IDoc over its lifecycle), control, and segment data, consisting of the data and structures that makes up each IDoc (as found in the control headers), allowing you to see which fields and types of data are sent/received with each IDoc.
Generic OData entities for extract from Fiori and other services ODATA_ENTITY Serves as  generic OData Service clients to collect data from third-party systems via OData API calls.

Cenoti privacy collectors highlight sensitive actions and events for correlation in Splunk

Name Technical Name Description
Managers and employees details with associated org information MGR_EMP Retrieves HR information for employees and lists managers along with the personnel numbers of the employees that report to them. You can use it to set up an org structure for your company.
Read access logging (RAL) for sensitive access RAL Retrieves logged user activity that was recorded by the Read Access Log mechanism.
SuccessFactors employee data (via Odata API) SF_EMPLOYEE Collects data from SuccessFactors entities via the OData API.

Cenoti collectors provide logging and critical content changes to sensitive tables you identify

Name Technical Name Description
SAP database table snapshots ANYTAB This collects data from any SAP table using a snapshot at the time of collection. Its selection options are similar to those in SE16.
Database system health and related information DB_INFO Data about your SAP system's databases, including a basic overview, the database's top tables and SQL statements, and information about database locks.
Table logging collector TABLOG This collector reads table log entries (for tables that have logging activated).