Installing the LogServ App
This page covers installing the LogServ App (splunk_app_sap_logserv). For the Data TA installation, see Installing the Data TA.
Current release: AI Assistant LLM functionality intentionally disabled pending review
The current release of the LogServ App ships with the AI Assistant’s LLM-driven path disabled at compile time pending internal review. The published tarball is the templates-only build variant — there is no separate “regular” build. The predefined-prompt path + Splunk MCP Server integration + tool tiles + drill-down chips + audit log + 21 dashboards + the Environment Topology view are all fully active. The free-form chat input, the model picker, the Power Mode toggle, and the Provider Credentials Settings tab are all hidden. See Templates-only Build for the build mechanism.
About the LogServ App
The LogServ App provides:
- 21 React-based dashboards plus the Environment Topology view, organized as one top-level Environment Health landing page + four purpose-driven groups (Applications, Integration, Security, Platform). Built on @splunk/react-ui + @splunk/visualizations + @xyflow/react. See Dashboards Overview.
- Built-in AI Assistant chat panel — predefined prompts + Splunk MCP integration + audit log. (LLM-driven path disabled in the current release; canned-prompt path active.) See AI Assistant Overview.
- Search-time field extractions for all SAP-specific sourcetypes (~176 directives across EXTRACT, EVAL, FIELDALIAS).
- The sap_logserv_idx_macro macro for searching the LogServ index.
- Built-in Download PNG button on every dashboard for html2canvas-based full-canvas image export.
html2canvas-based full-canvas image export. - Per-dashboard auto-refresh picker (Never / 30s / 1m / 5m / 15m / 30m / 1hr) with per-user-per-dashboard cadence persisted via Splunk KV Store.
The LogServ App contains no Python code, no REST handlers, and no data collection components. It is a React-based app focused entirely on the search-time experience and AI Assistant chat surface.
High Level Steps
Below are the high level steps for installing the LogServ App. Follow them in order.
Steps 4 and 5 are alternative paths — complete the one that matches your Splunk environment.
1. Identify where to install the LogServ App based on your topology
2. Install the Splunk MCP Server prerequisite (for AI Assistant)
3. Download the LogServ App
4. Install the LogServ App in Splunk Cloud (if applicable)
5. Install the LogServ App in Splunk Enterprise (if applicable)
6. Verify the installation
7. Update the index macro (if using a custom index name)
1. Where to install
| Your Topology | Install the LogServ App On |
|---|---|
| Single instance | The single Splunk instance (alongside the Data TA) |
| Distributed with on-prem SH | The Search Head only |
| Distributed with Splunk Cloud | The Splunk Cloud Search Head only |
Important
- The LogServ App is never installed on Heavy Forwarders or the Deployment Server.
- For single-instance deployments, install both the Data TA and the LogServ App on the same instance. Splunk merges their configurations at runtime.
2. Install the Splunk MCP Server prerequisite
The AI Assistant requires the Splunk MCP Server (Splunkbase App 7931) v1.1.0 or later, installed on the same Search Head as the LogServ App. Install it via Splunk Web (Apps → Install app from file) or via CLI:
/opt/splunk/bin/splunk install app /path/to/splunk-mcp-server.tar.gz
After install, restart Splunkd. Cookie auth from the same Splunk Web session works by default; no bearer token configuration required for HTTP-only Splunk. See Splunk MCP Setup for full configuration including the optional bearer token for OAuth-strict environments.
Current release: no AI provider credentials needed
Even with the LLM-driven path disabled, the AI Assistant’s predefined-prompt path requires the Splunk MCP Server to dispatch saved searches. Install the MCP Server. Do not configure any AI provider credential (Anthropic / OpenAI / Azure / Bedrock) — they are not used in the current release and their Settings tab is hidden.
3. Download the LogServ App
Download splunk_app_sap_logserv-0.0.6.0.tar.gz from the GitHub repository.
The published tarball is the templates-only build variant (LLM-driven path disabled at compile time pending review). There is no separate “regular” tarball published in the current release.
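The About section states that the app contains no Python code, no REST handlers, and no data collection components. The following added example (not part of the LogServ project) audits a downloaded tarball against that claim before upload. It assumes restmap.conf and inputs.conf as the markers for REST handlers and data inputs; the function names and the sample tarballs it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Splunk app tarball before installing it.
# APP_DIR is the app directory named on this page; the function names and
# the sample tarballs built by make_sample are constructed for illustration.
APP_DIR="splunk_app_sap_logserv"

# Print one finding per line. Returns 0 if clean, 1 on findings, 2 if unreadable.
audit_app_tarball() {
    listing=$(tar -tzf "$1" 2>/dev/null) || { echo "unreadable: $1"; return 2; }
    findings=$(printf '%s\n' "$listing" | while IFS= read -r entry; do
        entry=${entry#./}
        case "$entry" in            # entries that could land outside etc/apps
            /*|..|../*|*/../*|*/..) echo "path-escape: $entry"; continue ;;
        esac
        case "$entry" in            # everything must sit under the app directory
            "$APP_DIR"|"$APP_DIR"/*) ;;
            *) echo "outside-app-dir: $entry"; continue ;;
        esac
        case "$entry" in            # assumed markers for the three "no ..." claims
            *.py|*.pyc)     echo "python-code: $entry" ;;
            */restmap.conf) echo "rest-handler-config: $entry" ;;
            */inputs.conf)  echo "data-input-config: $entry" ;;
        esac
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Build a constructed sample tarball DIR/KIND.tar.gz; KIND is clean or tainted.
make_sample() {
    dir=$1; kind=$2
    mkdir -p "$dir/$APP_DIR/default" "$dir/$APP_DIR/appserver/static"
    echo "[sap_logserv_idx_macro]" > "$dir/$APP_DIR/default/macros.conf"
    echo "// constructed bundle" > "$dir/$APP_DIR/appserver/static/app.js"
    if [ "$kind" = tainted ]; then
        mkdir -p "$dir/$APP_DIR/bin"
        echo "print('constructed')" > "$dir/$APP_DIR/bin/collect.py"
        echo "[script://./bin/collect.py]" > "$dir/$APP_DIR/default/inputs.conf"
    fi
    tar -czf "$dir/$kind.tar.gz" -C "$dir" "$APP_DIR"
}

# Usage: sh audit.sh splunk_app_sap_logserv-0.0.6.0.tar.gz
if [ "$#" -gt 0 ]; then audit_app_tarball "$1"; fi
```

Any finding means the tarball does not match the app as described on this page and should not be installed until the difference is explained.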
4. Install in Splunk Cloud
Install the LogServ App to your Splunk Cloud Search Head:
Note
The app installation workflow available to you in Splunk Web depends on your Splunk Cloud Platform Experience: Victoria or Classic. To find your Splunk Cloud Platform Experience, in Splunk Web, click Support & Services > About.
Classic Experience
Victoria Experience
5. Install in Splunk Enterprise
Install the LogServ App to your Splunk Enterprise Search Head:
5.a From the Splunk Web home screen, click the gear icon next to Apps.
5.b Click Install app from file.
5.c Locate the downloaded splunk_app_sap_logserv-0.0.6.0.tar.gz file and click Upload.
5.d If Splunk Enterprise prompts you to restart, do so.
5.e Verify that the app appears in the list of apps. You can also find it on the server at $SPLUNK_HOME/etc/apps/splunk_app_sap_logserv.
6. Verify installation
After installation, navigate to the LogServ App in Splunk Web. You should see the navigation bar with:
- Environment Health (default landing page — cross-cutting operations view)
- Topology (graph-based Environment Topology view)
- Applications dropdown (5 dashboards: ABAP Network & Security, ABAP Operations, Work Process Performance, HANA Audit, HANA Trace)
- Integration dropdown (5 dashboards: SAP Services, SAP Router, Cloud Connector, Web Dispatcher, Web and API Performance)
- Security dropdown (3 dashboards: Network Perimeter, Cross-Stack Authentication, Change & Configuration Activity)
- Platform dropdown (6 dashboards: Data Pipeline Overview, DNS Analytics, Linux, Windows, Proxy, Host Details)
- ✦ AI Assistant button in the top-right of the nav bar (clicking it opens the chat panel)
If the dashboards show no data, verify that:
6.a The Data TA is installed and collecting data on your Heavy Forwarders (or single instance)
6.b The sap_logserv_idx_macro resolves to the correct index name
6.c Events exist in the index: run `sap_logserv_idx_macro` | stats count by sourcetype in the Search app
6.d If the AI Assistant button shows a setup wizard instead of an empty chat panel, the Splunk MCP Server prerequisite isn’t healthy — re-check the install in Step 2.
7. Update the index macro
If you used a custom index name (not sap_logserv_logs), update the macro:
7.a In Splunk Web, go to Settings > Advanced search > Search macros
7.b Set the app context to Splunk App for SAP LogServ
7.c Find sap_logserv_idx_macro and update its definition to index=<your_index_name>
High-volume installs: seed dashboard history
The dashboards read from an hourly KV-Store rollup layer for performance. On a large environment, run the one-time backfill so dashboards show history immediately: open Settings → Dashboard Data and click Run backfill. Without it, rolled-up panels fill in one hour at a time from the next hourly aggregation. See Dashboard Performance & Data Freshness.
Next Steps
- Explore the Dashboards Overview to learn about the available dashboards
- Read AI Assistant Overview to understand the chat panel + predefined-prompt path
- If you haven’t yet, complete the AWS Setup Guide to configure data collection