All Apps and Add-ons

Not getting service now incident data to splunk

vrmandadi
Builder

I am unable to see the incident logs in service now which are under sourcetype=snow:incident . I am able to see all other sourcetypes like snow:cmdb , snow:em_event , snow:sys_user_list ,snow:problem etc but not the incident data .I checked the internal logs and I see the below error

2019-09-26 14:45:28,749 ERROR pid=39335 tid=Thread-1 file=snow_data_loader.py:_do_collect:168 | Failed to connect https://lxxxuw.service-now.com/api/now/table/sysevent?sysparm_display_value=all&sysparm_limit=1000&s..., reason=Forbidden

2019-09-26 14:49:00,753 ERROR pid=116355 tid=Thread-16 file=snow_data_loader.py:collect_data:137 | Failed to get records from https://luxxuw.service-now.com/cmdb_rel_ci

2019-09-26 14:48:59,895 ERROR pid=36342 tid=Thread-13 file=thread_pool.py:run:259 | Traceback (most recent call last):
File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/framework/thread_pool.py", line 257, in _run
func()
File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/snow_job_factory.py", line 38, in __call
_
sc.DEFAULT_RECORD_LIMIT))
File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 126, in collect_data
jobjs = self.json_to_objects(content)
File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 177, in _json_to_objects
return json.loads(json_str)
File "/opt/splunk/lib/python2.7/json/
init_.py", line 339, in loads
return _default_decoder.decode(s)
File "/opt/splunk/lib/python2.7/json/decoder.py", line 364, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/opt/splunk/lib/python2.7/json/decoder.py", line 380, in raw_decode
obj, end = self.scan_once(s, idx)
ValueError: Expecting : delimiter: line 1 column 4396952 (char 4396951

What changes should i make .Please suggest and thanks in advance

0 Karma

bandit
Motivator

What stands out to me is "reason=Forbidden" likely indicating the account being used does not have the appropriate table access in ServiceNow. I would reach out to your ServiceNow admin to verify.

0 Karma

vrmandadi
Builder

@rob_jordan thank you for your response. What table in specific ,is that the same table that has the incident data?

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...