Not getting ServiceNow incident data to Splunk

vrmandadi
Builder

I am unable to see the incident logs in ServiceNow, which are under sourcetype=snow:incident. I am able to see all other sourcetypes like snow:cmdb, snow:em_event, snow:sys_user_list, snow:problem, etc., but not the incident data. I checked the internal logs and I see the error below:

2019-09-26 14:45:28,749 ERROR pid=39335 tid=Thread-1 file=snow_data_loader.py:_do_collect:168 | Failed to connect https://lxxxuw.service-now.com/api/now/table/sysevent?sysparm_display_value=all&sysparm_limit=1000&s..., reason=Forbidden

2019-09-26 14:49:00,753 ERROR pid=116355 tid=Thread-16 file=snow_data_loader.py:collect_data:137 | Failed to get records from https://luxxuw.service-now.com/cmdb_rel_ci

2019-09-26 14:48:59,895 ERROR pid=36342 tid=Thread-13 file=thread_pool.py:run:259 | Traceback (most recent call last):
  File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/framework/thread_pool.py", line 257, in _run
    func()
  File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/snow_job_factory.py", line 38, in __call__
    sc.DEFAULT_RECORD_LIMIT))
  File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 126, in collect_data
    jobjs = self.json_to_objects(content)
  File "/apps/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 177, in _json_to_objects
    return json.loads(json_str)
  File "/opt/splunk/lib/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/opt/splunk/lib/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/opt/splunk/lib/python2.7/json/decoder.py", line 380, in raw_decode
    obj, end = self.scan_once(s, idx)
ValueError: Expecting : delimiter: line 1 column 4396952 (char 4396951

What changes should I make? Please suggest, and thanks in advance.

0 Karma

bandit
Motivator

What stands out to me is "reason=Forbidden" likely indicating the account being used does not have the appropriate table access in ServiceNow. I would reach out to your ServiceNow admin to verify.

0 Karma

vrmandadi
Builder

@rob_jordan thank you for your response. What table in specific, is that the same table that has the incident data?

0 Karma
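
An added example, not part of the original posts or of the add-on's own code: one way to pull the ServiceNow table name and failure reason out of Splunk_TA_snow error lines like those quoted in the question, so the table behind a Forbidden response can be named when asking the ServiceNow admin about access. The log sample is constructed from the format quoted above with a placeholder host, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the format quoted in this thread (placeholder host,
# the INFO line is invented to show that non-error lines are skipped).
SAMPLE_LOG = """\
2019-09-26 14:45:28,749 ERROR pid=39335 tid=Thread-1 file=snow_data_loader.py:_do_collect:168 | Failed to connect https://example.service-now.com/api/now/table/sysevent?sysparm_display_value=all&sysparm_limit=1000&s..., reason=Forbidden
2019-09-26 14:49:00,753 ERROR pid=116355 tid=Thread-16 file=snow_data_loader.py:collect_data:137 | Failed to get records from https://example.service-now.com/cmdb_rel_ci
2019-09-26 14:50:02,101 INFO pid=39335 tid=Thread-2 file=snow_data_loader.py:collect_data:140 | constructed informational line
"""

# Matches the two error shapes seen above; the ", reason=..." suffix is optional.
ERROR_RE = re.compile(
    r"^\S+ \S+ ERROR .*?\| "
    r"(?:Failed to connect|Failed to get records from) "
    r"(?P<url>https?://\S+?)(?:, reason=(?P<reason>.+))?$"
)


def failing_tables(log_text):
    """Map each ServiceNow table named in an error URL to its logged reasons."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        match = ERROR_RE.match(line.strip())
        if not match:
            continue
        # The table is the last path segment, e.g. /api/now/table/sysevent.
        path = urlsplit(match.group("url")).path
        table = path.rstrip("/").rsplit("/", 1)[-1]
        found[table].add(match.group("reason") or "no reason logged")
    return {table: sorted(reasons) for table, reasons in found.items()}


def forbidden_tables(log_text):
    """Tables whose requests were rejected with reason=Forbidden."""
    return sorted(t for t, r in failing_tables(log_text).items() if "Forbidden" in r)


if __name__ == "__main__":
    for table, reasons in failing_tables(SAMPLE_LOG).items():
        print(table, reasons)
    print("Check table access for:", forbidden_tables(SAMPLE_LOG))
```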