Hi,
I have this input set up in Splunk_TA_snow in the local folder. When I first configured this input, it went successfully into the test index below. I got the records from the associated ServiceNow table.
Now, when I change to the prod index and restart Splunk, the TA writes this to the log for sys_user_group:
2020-07-21 14:00:48,988 INFO pid=14877 tid=Thread-1 file=snow_data_loader.py:_do_collect:151 | start https://serviceflo.servicenowservices.com/api/now/table/sys_user_group?sysparm_display_value=all&sys...2020-07-20+15:13:56^ORDERBYsys_updated_on
I'm not getting any records, which is OK, but it is looking for any record in ServiceNow greater than 2020-07-20. I need to back-populate this table into the prod index, but the TA does NOT go back to the since_when time below. Any ideas to get this data?
Inputs.conf
[snow://sys_user_group]
since_when = 2000-01-01 00:00:00
disabled = 0
duration = 300
id_field = sys_id
index = servicenow_test
timefield = sys_updated_on
Thx,
brdr
Since you already have that data in Splunk, have you considered copying over the buckets from the test index to the production index?
I believe the ServiceNow TA tracks the last update from a given table to avoid duplicates. That is why when you change the index it just continues from the most recent update from that table.