Not getting service now incident data to splunk


I am unable to see the incident logs in ServiceNow, which are under sourcetype=snow:incident. I am able to see all other sourcetypes like snow:cmdb, snow:em_event, snow:sys_user_list, snow:problem, etc., but not the incident data. I checked the internal logs and I see the error below:

2019-09-26 14:45:28,749 ERROR pid=39335 tid=Thread-1 | Failed to connect, reason=Forbidden

2019-09-26 14:49:00,753 ERROR pid=116355 tid=Thread-16 | Failed to get records from

2019-09-26 14:48:59,895 ERROR pid=36342 tid=Thread-13 | Traceback (most recent call last):
File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/framework/", line 257, in _run
File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/", line 38, in __call
File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/", line 126, in collect_data
jobjs = self.json_to_objects(content)
File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/", line 177, in _json_to_objects
return json.loads(json_str)
File "/opt/splunk/lib/python2.7/json/", line 339, in loads
return _default_decoder.decode(s)
File "/opt/splunk/lib/python2.7/json/", line 364, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/opt/splunk/lib/python2.7/json/", line 380, in raw_decode
obj, end = self.scan_once(s, idx)
ValueError: Expecting : delimiter: line 1 column 4396952 (char 4396951

What changes should I make? Please suggest, and thanks in advance.

0 Karma


What stands out to me is "reason=Forbidden", likely indicating the account being used does not have the appropriate table access in ServiceNow. I would reach out to your ServiceNow admin to verify.

0 Karma
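
One way to check the table-access theory from the answer above, as an added example that is not part of the original thread or the add-on's own code: it requests one record from a table that is indexing fine (`problem`) and from `incident` using the add-on's account, and reports which failure applies. The table name `incident`, the use of ServiceNow's REST Table API with basic authentication, and all function names are assumptions.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed response bodies for illustration (not captured from a real instance).
SAMPLE_OK = b'{"result": [{"number": "INC0000001"}]}'
SAMPLE_TRUNCATED = b'{"result": [{"number"'


def diagnose(status, body):
    """Map one HTTP response to the failure modes seen in the add-on log."""
    if status == 401:
        return "auth-failed: credentials rejected"
    if status == 403:
        return "forbidden: account authenticated but may not read this table"
    if status != 200:
        return "http-error: unexpected status %d" % status
    try:
        records = json.loads(body).get("result") or []
    except (ValueError, AttributeError):
        # A body cut off after a key raises the same "Expecting ':' delimiter" error.
        return "bad-json: body is not a complete JSON object (%d bytes)" % len(body)
    return "ok: %d record(s) readable" % len(records)


def probe(instance_url, user, password, table):
    """Request one record from `table` and return diagnose()'s verdict."""
    url = "%s/api/now/table/%s?sysparm_limit=1" % (instance_url.rstrip("/"), table)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": "Basic " + token,
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return diagnose(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return diagnose(err.code, err.read())


if __name__ == "__main__":
    import getpass
    import sys
    # Usage: script.py <instance URL> <add-on account name>
    instance, user = sys.argv[1], sys.argv[2]
    password = getpass.getpass()
    for table in ("problem", "incident"):
        print(table, "->", probe(instance, user, password, table))
```

If `problem` returns `ok` and `incident` returns `forbidden`, the account works but lacks read access to that one table, which is what to take to the ServiceNow admin.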


@rob_jordan thank you for your response. What table in specific? Is that the same table that has the incident data?

0 Karma