All Apps and Add-ons

How do you introduce new data inputs into the Splunk Add-on for ServiceNow(SNOW)?

mcappuccigeneia
Explorer

I've recently installed the Splunk Add-on for ServiceNow(SNOW) on my instance and have seen success across all the default settings. The integration with our SNOW instance went off without a hitch, and the Configuration Management Database (CMDB) information is flowing through the sourcetypes, eventtypes and saved searches as intended.

However, we now have use cases for the database tables in SNOW that were not included in the default inputs that came out of the box with the Add-on.

From what I understand of the documentation, if I wanted to pull the database table for "cmdb_ci_win_server" into Splunk, I should just define the data input under Settings>Data Inputs>Splunk Addon for ServiceNow.

However, all my attempts so far have failed. New input definitions I've created within the WebUI don't populate into the local/inputs.conf file at all. And even when I define the new data input within local/inputs.conf, new sourcetypes or eventtypes are not created so I can't tell if the data is being pulled down or not.

Does anyone have any experience with introducing new database table inputs into Splunk for the Splunk Add-on for ServiceNow?

jrbanks6
Explorer

Add a stanza to the inputs.conf in $SPLUNK_/splunk/etc/apps/Splunk_TA_snow/local/inputs.conf

[snow://cmdb_ci_win_server]
disabled = false
index=main

restart the splunk HF

0 Karma

mcappuccigeneia
Explorer

Sorry for the late reply, but your recommendation was effective and properly introduced the table into our Splunk Instance. Most of the tables we wanted to pull are now on-boarded.

The new interesting problem we have now is trying to filter certain events out of the tables when splunk indexes the data.
I was able to establish a single definition filter_data parameter within the inputs.conf, but my question now is if I can specify two seperate values under the same key.

Current Example.
[snow://sysevent]
disabled = 0
filter_data= name=login.failed

-This definition would filter the sysevent table to only include events with the name "login.failed".

What I want to know is how to filter so that I can grab all events with the names "login.failed" and "user.lockout".
Should I simply define another line altogether, or should simply define the it as:
filter_data = name=login.failed & name=user.lockout

0 Karma

jrbanks6
Explorer

Try the following:

[snow://sysevent]
disabled = 0
filter_data = name=login.failed, name=user.lockout

You may want to consider investigating whitelisting as well.....

0 Karma

mcappuccigeneia
Explorer

My attempts to utilize comma separation to define two name=**** didn't yield the intended results, so I'm going to assume that we can't define multiple key/value pairs in the filter_data line.

But, were you referring to whitelisting from a Splunk perspective or from a ServiceNow perspective?

0 Karma

shandr
Path Finder

Seems for Logical AND operation you must use ampersand ("&"). Not a comma (","). Check for your TA version.
Refer to https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Configureinputs

0 Karma

jrbanks6
Explorer

Splunk - However I am not finding a good example outside of Win event logs......

0 Karma

jrbanks6
Explorer

whitelist =

0 Karma

jrbanks6
Explorer

whitelist = your_custom regex

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...