I've recently installed the Splunk Add-on for ServiceNow (SNOW) on my instance and have seen success across all the default settings. The integration with our SNOW instance went off without a hitch, and the Configuration Management Database (CMDB) information is flowing through the sourcetypes, eventtypes and saved searches as intended.
However, we now have use cases for the database tables in SNOW that were not included in the default inputs that came out of the box with the Add-on.
From what I understand of the documentation, if I wanted to pull the database table "cmdb_ci_win_server" into Splunk, I should just define the data input under Settings > Data Inputs > Splunk Add-on for ServiceNow.
However, all my attempts so far have failed. New input definitions I've created within the web UI don't populate into the local/inputs.conf file at all. And even when I define the new data input within local/inputs.conf, no new sourcetypes or eventtypes are created, so I can't tell whether the data is being pulled down or not.
Does anyone have any experience with introducing new database table inputs into Splunk for the Splunk Add-on for ServiceNow?
Add a stanza to the inputs.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/inputs.conf:

[snow://cmdb_ci_win_server]
disabled = false
index = main

Restart the Splunk HF.
Sorry for the late reply, but your recommendation was effective and properly introduced the table into our Splunk Instance. Most of the tables we wanted to pull are now on-boarded.
The new interesting problem we have now is trying to filter certain events out of the tables when Splunk indexes the data.
I was able to establish a single-definition filter_data parameter within the inputs.conf, but my question now is whether I can specify two separate values under the same key.
Current example:
[snow://sysevent]
disabled = 0
filter_data = name=login.failed

This definition would filter the sysevent table to only include events with the name "login.failed".
What I want to know is how to filter so that I can grab all events with the names "login.failed" and "user.lockout".
Should I simply define another line altogether, or should I simply define it as:
filter_data = name=login.failed & name=user.lockout
Try the following:
[snow://sysevent]
disabled = 0
filter_data = name=login.failed, name=user.lockout
You may want to consider investigating whitelisting as well.
My attempts to utilize comma separation to define two name=**** conditions didn't yield the intended results, so I'm going to assume that we can't define multiple key/value pairs in the filter_data line.
But, were you referring to whitelisting from a Splunk perspective or from a ServiceNow perspective?
It seems that for a logical AND operation you must use an ampersand ("&"), not a comma (","). Check this against your TA version.
Refer to https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Configureinputs
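The same point can be checked mechanically before restarting the forwarder. The script below is an added example (not part of the thread or of the Splunk Add-on for ServiceNow): it reads the snow:// stanzas out of an inputs.conf, flags a filter_data that uses a comma as a separator, and flags two conditions on the same field joined by "&", since under AND semantics they can never both hold. It assumes, as the thread concludes, that "&" joins conditions with logical AND and that each condition is field=value; the sample inputs.conf, the sys_user and sys_audit stanzas and their field names are constructed for the example.

```python
"""Lint snow:// stanzas in a Splunk_TA_snow inputs.conf.

Added example, not add-on code. Assumption: filter_data holds
field=value conditions joined by '&' (logical AND); a comma is
not a supported separator.
"""
import configparser

# Constructed sample inputs.conf mirroring the stanzas discussed above
SAMPLE_INPUTS_CONF = """\
[snow://cmdb_ci_win_server]
disabled = false
index = main

[snow://sysevent]
disabled = 0
filter_data = name=login.failed, name=user.lockout

[snow://sys_user]
disabled = 0
filter_data = active=true&locked_out=true

[snow://sys_audit]
disabled = 0
filter_data = name=login.failed&name=user.lockout
"""


def parse_filter_data(value):
    """Split a filter_data string into (field, value) pairs on '&'."""
    pairs = []
    for cond in value.split("&"):
        cond = cond.strip()
        if not cond:
            continue
        if "=" not in cond:
            raise ValueError(f"condition {cond!r} is not field=value")
        field, val = cond.split("=", 1)
        pairs.append((field.strip(), val.strip()))
    return pairs


def lint_inputs_conf(text):
    """Return a list of (stanza, message) findings for snow:// stanzas."""
    # Splunk .conf files have no %-interpolation, so disable it
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("snow://"):
            continue
        if not section[len("snow://"):]:
            findings.append((section, "stanza has no table name after snow://"))
        if "filter_data" not in cp[section]:
            continue
        raw = cp[section]["filter_data"]
        if "," in raw:
            findings.append((section, "filter_data uses a comma; join conditions with '&'"))
            continue
        try:
            pairs = parse_filter_data(raw)
        except ValueError as exc:
            findings.append((section, str(exc)))
            continue
        # Under AND semantics, field=a & field=b (a != b) matches nothing
        seen = {}
        for field, val in pairs:
            if field in seen and seen[field] != val:
                findings.append(
                    (section, f"{field}={seen[field]} & {field}={val} can never both be true")
                )
            seen[field] = val
    return findings


if __name__ == "__main__":
    for stanza, msg in lint_inputs_conf(SAMPLE_INPUTS_CONF):
        print(f"{stanza}: {msg}")
```

Run it against the real file with `python lint_snow_inputs.py` after pointing SAMPLE_INPUTS_CONF at `open(path).read()`; a clean run prints nothing. The sys_audit stanza is the "login.failed & user.lockout" variant proposed earlier in the thread, and the lint reports it precisely because AND on the same field selects no rows.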
Splunk. However, I am not finding a good example outside of Windows event logs.
whitelist =
whitelist = your_custom regex