Does anybody know what my inputs.conf setting for filter_data must look like for a key-value like below?
I cannot find any detailed documentation on filter_data, and I see the same error when I try to use URL encoding.
[snow://pa_job_logs4_javascript]
table = pa_job_logs
filter_data = run_time>javascript:gs.getDurationDate('0 3:0:0')&sys_created_onONLast 3 months@javascript:gs.beginningOfLast3Months()@javascript:gs.endOfLast3Months()
2021-03-31 18:04:32,776 ERROR pid=22626 tid=MainThread file=snow.py:_check_filter_data:74
| Got unexpected value run_time>javascript:gs.getDurationDate('0 3:0:0')&sys_created_onONLast 3 months@javascript:gs.beginningOfLast3Months()@javascript:gs.endOfLast3Months() of 'filter_data' field for input 'pa_job_logs4_javascript'. Enter filter parameters in key1=value1&key2=value2 format. You can either change it in inputs.conf file or edit 'Filter parameters' on Inputs page.
The above table filter seems to work with the REST API Explorer in Service Now, i.e. sysparm_query=run_time....
Is there some trick to simplify it, or a work-around?
Splunk Add-on for ServiceNow version 4.0.0
Splunk_TA_snow only accepts query parameters of the form key=value.
From Splunk_TA_snow/bin/snow.py:
import re  # needed by re.split below


def valid_filter_data_format(filter_data):
    """
    Parses the filter_data string and returns True if the filter_data is of the format:
    "key1=value1&key2=value2|key3=value3"
    """
    # Terms are separated by "&" or "|"
    filter_data_list = re.split(r'&|\|', filter_data)
    for filter_data_value in filter_data_list:
        try:
            # Exactly one "=" per term; anything else raises ValueError on unpacking
            filter_key, filter_value = [ field.strip() for field in filter_data_value.split("=") ]
        except ValueError:
            return False
        else:
            # Both the key and the value must be non-empty
            if any((not filter_key, not filter_value)):
                return False
    return True
This is a Splunk-supported app, so your best long-term option is to open a support case. Splunk will most likely categorize the case as a feature enhancement request.
ServiceNow Paris (the latest release supported by Splunk) has a significant number of operators beyond "=" for various field types that Splunk should endeavor to support in filters: https://docs.servicenow.com/bundle/paris-platform-user-interface/page/use/common-ui-elements/referen...
In the short term, you could rewrite the valid_filter_data_format function to pass the operators you use, but you'll want to be mindful of the impact to other parts of the code that use or interpret the filter data.
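As an added example (not code from the add-on or from the answer above), this sketch shows why the quoted check rejects the filter in the question and what an allowlist-based replacement could look like. The names original_check, split_term, relaxed_check, ALLOWED_OPERATORS and FIELD_NAME are hypothetical, and the allowlist is assumed to hold only "=" plus the two operators used in the question; it covers validation only, not the other code that interprets filter_data.

```python
import re

# Assumption: only the operators that appear in the question's filter, plus "=".
ALLOWED_OPERATORS = ("=", ">", "ON")
# Assumption: field names are identifiers, optionally dot-walked (a.b).
FIELD_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")

# Filter string from the question.
QUESTION_FILTER = (
    "run_time>javascript:gs.getDurationDate('0 3:0:0')"
    "&sys_created_onONLast 3 months@javascript:gs.beginningOfLast3Months()"
    "@javascript:gs.endOfLast3Months()"
)


def original_check(filter_data):
    """Same logic as the quoted valid_filter_data_format: key=value terms only."""
    for term in re.split(r"&|\|", filter_data):
        parts = [field.strip() for field in term.split("=")]
        if len(parts) != 2 or not all(parts):
            return False
    return True


def split_term(term):
    """Return (field, operator, value) for one term, or None if it is rejected."""
    best = None
    for op in ALLOWED_OPERATORS:
        idx = term.find(op)
        if idx <= 0:
            continue
        field, value = term[:idx].strip(), term[idx + len(op):].strip()
        # A value starting with a comparison character means a longer operator
        # (for example ">=") that is not on the allowlist, so reject it.
        if not FIELD_NAME.fullmatch(field) or not value or value[0] in "=<>!":
            continue
        if best is None or idx < best[0]:
            best = (idx, field, op, value)
    return best[1:] if best else None


def relaxed_check(filter_data):
    """Accept a filter only if every term uses an allowlisted operator."""
    return all(split_term(t) for t in re.split(r"&|\|", filter_data))


if __name__ == "__main__":
    print(original_check(QUESTION_FILTER), relaxed_check(QUESTION_FILTER))
```

Keeping the operator list explicit means a term with an operator you have not reviewed is still rejected at input validation instead of being passed through to the ServiceNow query.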