topic Re: Splunk Add-on for ServiceNow：about the table "sys_audit_delete" in Splunk Search

Splunk Add-on for ServiceNow：about the table "sys_audit_delete"

kanahayashi — Wed, 30 Sep 2020 04:32:44 GMT

Hello.
Please help me....
I failed to get the table "sys_audit_delete" via Splunk Add-on for ServiceNow.
I succeeded in getting "sysevent"and"sys_update_xml".

I found the following error in "splunk_ta_snow_main.log"
What kind of error is this? （SSLError: ('The read operation timed out',)）
What should I do ？

===================================================================================================================================
2020-03-10 12:03:18,680 ERROR pid=2056 tid=Thread-23 file=snow_data_loader.py:do_collect:177 | Failure occurred while connecting to https://●●●●●●.service-now.com/api/now/table/sys_audit_delete?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2020-02-25+00:00:00^ORDERBYsys_updated_on. The reason for failure=Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\snow_data_loader.py", line 169, in _do_collect
"Authorization": "Basic %s" % credentials
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2__init.py", line 2135, in request
cachekey,
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2__init.py", line 1796, in _request
conn, request_uri, method, body, headers
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2__init_.py", line 1737, in _conn_request
response = conn.getresponse()
File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 1121, in getresponse
response.begin()
File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 438, in begin
version, status, reason = self._read_status()
File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 394, in _read_status
line = self.fp.readline(_MAXLINE + 1)
File "C:\Program Files\Splunk\Python-2.7\Lib\socket.py", line 480, in readline
data = self._sock.recv(self._rbufsize)
File "C:\Program Files\Splunk\Python-2.7\Lib\ssl.py", line 772, in recv
return self.read(buflen)
File "C:\Program Files\Splunk\Python-2.7\Lib\ssl.py", line 659, in read
v = self._sslobj.read(len)
SSLError: ('The read operation timed out',)
.

Re: Splunk Add-on for ServiceNow：about the table "sys_audit_delete"

kanahayashi — Thu, 12 Mar 2020 03:15:48 GMT

By the way, inputs.conf is the following content.

[snow]
index = ●●●
timefield = sys_updated_on
disabled = false
interval = 60
start_by_shell = false
id_field = sys_id

[snow://sys_audit_delete]
disabled = false
timefield =  sys_updated_on
table = sys_audit_delete
duration = 120
account = snow_account
since_when = 2020-02-25 00:00:00

[snow://sysevent]
disabled = false
timefield = sys_created_on
table = sysevent
duration = 60
account = snow_account
since_when = 2020-02-25 00:00:00

[snow://sys_update_xml]
disabled = false
timefield = sys_created_on
table = sys_update_xml
duration = 60
account = snow_account
since_when = 2020-02-25 00:00:00

Re: Splunk Add-on for ServiceNow：about the table "sys_audit_delete"

xavierashe — Thu, 12 Mar 2020 03:56:33 GMT

I am guessing it's a permissions issue. I looked over the last 90 days and I am getting an occasional SSLError: ('_ssl.c:725: The handshake operation timed out',) but not SSLError: ('The read operation timed out',)

Re: Splunk Add-on for ServiceNow：about the table "sys_audit_delete"

kanahayashi — Thu, 12 Mar 2020 05:27:58 GMT

Thank you for your answer.
I thought it was a permission issue, but the snow ID for Splunk is a privileged ID.(”admin” ”security admin”)
If there is anything else, please give me a professor.

Re: Splunk Add-on for ServiceNow：about the table "sys_audit_delete"

xavierashe — Thu, 12 Mar 2020 12:56:25 GMT

Hmm... my inputs.conf is much more basic

[snow://sys_audit]
disabled = 0
index = snow

[snow://sys_audit_delete]
disabled = 0
index = snow

[snow://sys_choice]
disabled = 0
index = snow

[snow://sys_user]
disabled = 0
index = snow

[snow://sys_user_group]
disabled = 0
index = snow

[snow://sysevent]
disabled = 0
index = snow

Re: Splunk Add-on for ServiceNow：about the table "sys_audit_delete"

kdroddy — Wed, 30 Sep 2020 04:35:14 GMT

Hi,

Are you successfully grabbing data from your other inputs (sysevent & sys_update_xml) using the same 'snow_account'?

Re: Splunk Add-on for ServiceNow：about the table "sys_audit_delete"

kanahayashi — Wed, 30 Sep 2020 04:39:28 GMT

Hello.
Yes,I was able to get two tables.
I guess I found out why it failed.
It seems to be a problem with the timefield(sys_updated_on).
The data in sys_audit_delete on SNOW are indexed by creation date.
So,serch timed out.
I will rewrite timefield = sys_created_on and try.

Re: Splunk Add-on for ServiceNow：about the table "sys_audit_delete"

kdroddy — Tue, 24 Mar 2020 19:07:45 GMT

How did your test go?

Re: Splunk Add-on for ServiceNow：about the table "sys_audit_delete"

kanahayashi — Thu, 26 Mar 2020 06:50:02 GMT

Hello,
today,I succeeded in the test.
Just as expected, I was misunderstanding about timefield.