All Apps and Add-ons

ServiceNow - sys_user_group input is not pulling from the servicenow table sys_user_group



I have this input setup in Splunk_TA_snow in the local folder. When I first configured this input it went successfully in the test index below.  I got the records from the associated servicenow table.

Now, when i change to prod index and restart splunk the TA writes this to the log for sys_user_group:

2020-07-21 14:00:48,988 INFO pid=14877 tid=Thread-1 | start^ORDERBYsys_updated_on

I'm not getting any records which is ok, but is looking for any record in the ServiceNow greater than 2020-07-20. I need to back populate this table into prod index but the TA does NOT go back to the since_when time below. Any ideas to get this data?


since_when = 2000-01-01 00:00:00
disabled = 0
duration = 300
id_field = sys_id
index = servicenow_test
timefield = sys_updated_on





Labels (1)
Tags (2)
0 Karma


Since you already have that data in Splunk, have you considered copying over the buckets from the test index to the production index?

I believe the ServiceNow TA tracks the last update from a given table to avoid duplicates. That is why when you change the index it just continues from the most recent update from that table.

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...