All Apps and Add-ons

ServiceNow - sys_user_group input is not pulling from the servicenow table sys_user_group

brdr
Contributor

Hi,

I have this input setup in Splunk_TA_snow in the local folder. When I first configured this input it went successfully in the test index below.  I got the records from the associated servicenow table.

Now, when i change to prod index and restart splunk the TA writes this to the log for sys_user_group:

2020-07-21 14:00:48,988 INFO pid=14877 tid=Thread-1 file=snow_data_loader.py:_do_collect:151 | start https://serviceflo.servicenowservices.com/api/now/table/sys_user_group?sysparm_display_value=all&sys...2020-07-20+15:13:56^ORDERBYsys_updated_on

I'm not getting any records which is ok, but is looking for any record in the ServiceNow greater than 2020-07-20. I need to back populate this table into prod index but the TA does NOT go back to the since_when time below. Any ideas to get this data?

Inputs.conf

[snow://sys_user_group]
since_when = 2000-01-01 00:00:00
disabled = 0
duration = 300
id_field = sys_id
index = servicenow_test
timefield = sys_updated_on

 

Thx,

brdr

 

Labels (1)
Tags (2)
0 Karma

kdroddy
Explorer

Since you already have that data in Splunk, have you considered copying over the buckets from the test index to the production index?

I believe the ServiceNow TA tracks the last update from a given table to avoid duplicates. That is why when you change the index it just continues from the most recent update from that table.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...