How do I configure Splunk App for ServiceNow to re...

davebo1896 · ‎01-23-2017

I altered the Splunk Add-on for ServiceNow to put data in index=snow instead of index=main.
How do I configure Splunk App for ServiceNow to search index=snow ?

nmohammed · ‎01-23-2017

Hi Davebo,

Is your add-on and app on the same Splunk instance ? If so , then do not run set-up to configure the add-on to enable the inputs , instead setup the servicenow App to collect data directly which will enable the inputs on app and they get saved in servicenowapp/local/inputs .conf. Then change the index=main to index=snow in inputs.conf, followed by restart of splunk .

refer to this page - http://docs.splunk.com/Documentation/ServiceNow/4.0.3/Install/Setuptheapp

davebo1896 · ‎01-24-2017

Why am I getting errors about a non-existent index?
index=snow_cmdb_ci_list_index

nmohammed · ‎01-24-2017

Is your Splunk setup standalone or clustered ?

if you're going to install the TA and App on the same instance then.. you just need to install the TA first , but skip the configure step. and then configure the app to pull data from ServiceNow rather.

But since you've already configured the TA with inputs and updated the inputs.conf with index=snow, then it has to be allowed to search.

servicenow TA creates some indexes as part of the installation, You should add these indexes to your main indexes.conf file with reference to Primary volume -

snow is index I created. the rest were created by the TA and would through errors, for not referencing the primary volume. So I added it to the master indexes. conf file.

example -

[snow]
homePath = volume:primary/snow/db
coldPath = volume:primary/snow/colddb
thawedPath = $SPLUNK_DB/snow/thaweddb
maxTotalDataSizeMB = 750000
frozenTimePeriodInSecs = 31536000

[snow_sys_user_group_list_index]
homePath = volume:primary/snow_sys_user_group_list_index/db
coldPath = volume:primary/snow_sys_user_group_list_index/colddb
thawedPath = $SPLUNK_DB/snow_sys_user_group_list_index/thaweddb
maxTotalDataSizeMB = 750000
frozenTimePeriodInSecs = 31536000

[snow_cmdb_ci_list_index]
homePath = volume:primary/snow_cmdb_ci_list_index/db
coldPath = volume:primary/snow_cmdb_ci_list_index/colddb
thawedPath = $SPLUNK_DB/snow_cmdb_ci_list_index/thaweddb
maxTotalDataSizeMB = 750000
frozenTimePeriodInSecs = 31536000

[snow_incident_state_index]
homePath = volume:primary/snow_incident_state_index/db
coldPath = volume:primary/snow_incident_state_index/colddb
thawedPath = $SPLUNK_DB/snow_incident_state_index/thaweddb
maxTotalDataSizeMB = 750000
frozenTimePeriodInSecs = 31536000

davebo1896 · ‎01-24-2017

I don't see service_now_app/local/inputs .conf after configuring. There is Splunk_TA_snow/local/inputs.conf . Is that what you mean?

davebo1896 · ‎01-24-2017

If I understand this correctly. It is Splunk_TA_snow/local/inputs.conf
and it needs to be set up prior to configuring the connection via the UI:

[snow]
index = snow
since_when = 2017-01-01 00:00:00

It also appears that this index has to be set as "allowed" and "search by default" for the role that will be accessing this app as the index is not specified in a macro.

davebo1896 · ‎01-24-2017

Do I need to install the TA if it is all on one host?

How do I configure Splunk App for ServiceNow to read from a custom index?

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How do I configure Splunk App for ServiceNow to read from a custom index?

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!