topic Re: How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)? in All Apps and Add-ons

How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)?

mcappuccigeneia — Tue, 29 Sep 2020 21:14:24 GMT

I've recently installed the Splunk Add-on for ServiceNow(SNOW) on my instance and have seen success across all the default settings. The integration with our SNOW instance went off without a hitch, and the Configuration Management Database (CMDB) information is flowing through the sourcetypes, eventtypes and saved searches as intended.

However, we now have use cases for the database tables in SNOW that were not included in the default inputs that came out of the box with the Add-on.

From what I understand of the documentation, if I wanted to pull the database table for "cmdb_ci_win_server" into Splunk, I should just define the data input under Settings>Data Inputs>Splunk Addon for ServiceNow.

However, all my attempts so far have failed. New input definitions I've created within the WebUI don't populate into the local/inputs.conf file at all. And even when I define the new data input within local/inputs.conf, new sourcetypes or eventtypes are not created so I can't tell if the data is being pulled down or not.

Does anyone have any experience with introducing new database table inputs into Splunk for the Splunk Add-on for ServiceNow?

Re: How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)?

jrbanks6 — Tue, 29 Sep 2020 21:20:45 GMT

Add a stanza to the inputs.conf in $SPLUNK_/splunk/etc/apps/Splunk_TA_snow/local/inputs.conf

[snow://cmdb_ci_win_server]
disabled = false
index=main

restart the splunk HF

Re: How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)?

mcappuccigeneia — Wed, 07 Nov 2018 17:45:07 GMT

Sorry for the late reply, but your recommendation was effective and properly introduced the table into our Splunk Instance. Most of the tables we wanted to pull are now on-boarded.

The new interesting problem we have now is trying to filter certain events out of the tables when splunk indexes the data.
I was able to establish a single definition filter_data parameter within the inputs.conf, but my question now is if I can specify two seperate values under the same key.

Current Example.
[snow://sysevent]
disabled = 0
filter_data= name=login.failed

-This definition would filter the sysevent table to only include events with the name "login.failed".

What I want to know is how to filter so that I can grab all events with the names "login.failed" and "user.lockout".
Should I simply define another line altogether, or should simply define the it as:
filter_data = name=login.failed & name=user.lockout

Re: How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)?

jrbanks6 — Wed, 02 Jan 2019 16:15:28 GMT

Try the following:

[snow://sysevent]
disabled = 0
filter_data = name=login.failed, name=user.lockout

You may want to consider investigating whitelisting as well.....

Re: How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)?

mcappuccigeneia — Wed, 02 Jan 2019 18:31:44 GMT

My attempts to utilize comma separation to define two name=**** didn't yield the intended results, so I'm going to assume that we can't define multiple key/value pairs in the filter_data line.

But, were you referring to whitelisting from a Splunk perspective or from a ServiceNow perspective?

Re: How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)?

jrbanks6 — Wed, 02 Jan 2019 18:39:09 GMT

Splunk - However I am not finding a good example outside of Win event logs......

Re: How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)?

jrbanks6 — Wed, 02 Jan 2019 18:45:42 GMT

whitelist =

Re: How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)?

jrbanks6 — Wed, 02 Jan 2019 18:46:10 GMT

whitelist = your_custom regex

Re: How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)?

shandr — Fri, 19 Mar 2021 00:09:41 GMT

Seems for Logical AND operation you must use ampersand ("&"). Not a comma (","). Check for your TA version.
Refer to https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Configureinputs