All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ServiceNow - sys_user_group input is not pulling from the servicenow table sys_user_group

brdr
Contributor
‎07-21-2020 07:17 AM

Hi,

I have this input setup in Splunk_TA_snow in the local folder. When I first configured this input it went successfully in the test index below.  I got the records from the associated servicenow table.

Now, when i change to prod index and restart splunk the TA writes this to the log for sys_user_group:

2020-07-21 14:00:48,988 INFO pid=14877 tid=Thread-1 file=snow_data_loader.py:_do_collect:151 | start https://serviceflo.servicenowservices.com/api/now/table/sys_user_group?sysparm_display_value=all&sys...2020-07-20+15:13:56^ORDERBYsys_updated_on

I'm not getting any records which is ok, but is looking for any record in the ServiceNow greater than 2020-07-20. I need to back populate this table into prod index but the TA does NOT go back to the since_when time below. Any ideas to get this data?

Inputs.conf

[snow://sys_user_group]
since_when = 2000-01-01 00:00:00
disabled = 0
duration = 300
id_field = sys_id
index = servicenow_test
timefield = sys_updated_on

 

Thx,

brdr

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

kdroddy
Explorer
‎07-25-2020 10:46 AM

Since you already have that data in Splunk, have you considered copying over the buckets from the test index to the production index?

I believe the ServiceNow TA tracks the last update from a given table to avoid duplicates. That is why when you change the index it just continues from the most recent update from that table.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...