All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

ServiceNow - sys_user_group input is not pulling from the servicenow table sys_user_group

brdr
Contributor
‎07-21-2020 07:17 AM

Hi,

I have this input setup in Splunk_TA_snow in the local folder. When I first configured this input it went successfully in the test index below.  I got the records from the associated servicenow table.

Now, when i change to prod index and restart splunk the TA writes this to the log for sys_user_group:

2020-07-21 14:00:48,988 INFO pid=14877 tid=Thread-1 file=snow_data_loader.py:_do_collect:151 | start https://serviceflo.servicenowservices.com/api/now/table/sys_user_group?sysparm_display_value=all&sys...2020-07-20+15:13:56^ORDERBYsys_updated_on

I'm not getting any records which is ok, but is looking for any record in the ServiceNow greater than 2020-07-20. I need to back populate this table into prod index but the TA does NOT go back to the since_when time below. Any ideas to get this data?

Inputs.conf

[snow://sys_user_group]
since_when = 2000-01-01 00:00:00
disabled = 0
duration = 300
id_field = sys_id
index = servicenow_test
timefield = sys_updated_on

 

Thx,

brdr

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

kdroddy
Explorer
‎07-25-2020 10:46 AM

Since you already have that data in Splunk, have you considered copying over the buckets from the test index to the production index?

I believe the ServiceNow TA tracks the last update from a given table to avoid duplicates. That is why when you change the index it just continues from the most recent update from that table.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...