Possible Definitions for filter_data within inputs...

mcappuccigeneia · ‎12-31-2018

Within the inputs.conf file under the local directory of the Splunk Addon for ServiceNow, I know its possible to define CMDB tables that you want to pull into splunk.

I also know that by defining the an input with the context "filter_data = ", you can constrain the data being pulled according certain table elements/values.

I had previously set up my inputs.conf as such:

[snow://sysevent]
exclude = description
duration = 60
since_when = 2000-01-01 00:00:00
filter_data= name=login*

In an attempt to pull all events with the string "login" within the name field of the CMDB table "sysevent". Now this didn't work, but my question is if its possible to declare a wildcard catch all within the "filter_data" parameter, so that I can pull all the events I want but only those related to logins.

If not, is it possible to define multiple filter_data parameters so that I can define each event that I want by name?

max_weber · ‎07-19-2019

I made some progress:

In the file "snow_data_loader.py" located in your apps bin fodler, you can find the function "_get_uri" starting in line 231 i changed this part:

    241         if params:
    242             params = ("&sysparm_exclude_reference_link=true"
    243                       "&sysparm_query={}").format(params)

to something like this:

    242         if params:
    243             if (table == "change_task") or (table == "change_request"):
    244                 params = ("&sysparm_exclude_reference_link=true"
    245                       "&sysparm_query=u_change_ownerSTARTSWITHXYZ%5EORu_change_ownerSTARTSWITHABC%5EORu_ch        ange_ownerSTARTSWITHDEF%5E{}").format(params)
    246             else:
    247                 params = ("&sysparm_exclude_reference_link=true"
    248                       "&sysparm_query={}").format(params)

Of course you need to change the if statement accordingly to you specification. If I understood your request correct in your case it could look like this:

    242         if params:
    243             if (table == "sysevent"):
    244                 params = ("&sysparm_exclude_reference_link=true"
    245                       "&sysparm_query=nameSTARTSWITHlogin%5E{}").format(params)
    246             else:
    247                 params = ("&sysparm_exclude_reference_link=true"
    248                       "&sysparm_query={}").format(params)

I know that this is a highly unflexible and dirty workaround. But I needed a quick solution.
If you want a nicer one, you could at a new Input field to the Web-Interface configuration and follow the logic in the code, to add those new parameters to you URI.

I hope this helps.

Regards,

Max

max_weber · ‎07-19-2019

Hi,

I know this question was asked some time ago. But I am facing the same problem.
The "filter_data" is accepting one or multiple key-value pairs for input.

Unfortunately you cant work with the ServiceNow operators like "STARTSWITH" or "CONTAINS".
Furthermore the filter field are added like this:

u_change_owner.name=XYZ

/change_request?u_change_owner.name=XYZ&sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2019-07-19+08:56:33^ORDERBYsys_updated_on

To work correctly as a filter (at least like i would suspect) the better position would be in the sysparm_query like this:

/change_request?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=u_change_owner.name=XYZ^sys_updated_on>=2019-07-19+08:56:33^ORDERBYsys_updated_on

I would love to see an update supporting the filter options like STARTSWITH, IS, or CONTAINS from ServiceNow.
In the mean time I am trying to hack the python script 😉

Regards,

Max

Possible Definitions for filter_data within inputs.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!