
Splunk Add-on for ServiceNow: about the tables to get (inputs.conf)

kanahayashi
Explorer

Hello, this is my first post.
Please tell me about the tables to get from ServiceNow using the add-on.
I want to import "sys_update_xml" via the add-on; what should I do?
"sys_update_xml" is not listed by default in inputs.conf.

By the way, I want to import the following 3 tables.
sysevent
sys_audit_delete
sys_update_xml

The following content will be placed in the path below.
Do I have to get [snow]?
path: $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local
file: inputs.conf

[snow]
index = main
timefield = sys_updated_on
disabled = false
interval = 60
start_by_shell = false
id_field = sys_id

[snow://sysevent]
disabled = false
timefield = sys_created_on
table = sysevent
duration = 60
account =
since_when =2000-01-01 00:00:00

[snow://sys_audit_delete]
disabled = false
timefield = sys_updated_on
table = sys_audit_delete
duration = 60
account =  
since_when = 2000-01-01 00:00:00

0 Karma
1 Solution

kdroddy
Explorer

You can either add your own entry into the inputs.conf file for each table you want to retrieve, or simply add it under the 'Inputs' tab of the app within Splunk.

0 Karma

kanahayashi
Explorer

Thank you for your answer!
Sorry... I don't understand how to make an entry in the inputs.conf file for "sys_update_xml".
Because the default inputs.conf file has no "sys_update_xml" stanza.

Path: $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local
↓ default inputs.conf file
[snow]
index = main
timefield = sys_updated_on
exclude =
disabled = true
interval = 60
start_by_shell = false
id_field = sys_id
filter_data =
python.version = python3

[snow://incident]
exclude = description
table = incident
duration = 60

[snow://problem]
exclude = description
table = problem
duration = 60

[snow://em_event]
timefield = time_of_event
table = em_event
duration = 60

[snow://sys_user_group]
since_when = 2000-01-01 00:00:00
table = sys_user_group
duration = 60

[snow://sys_user]
since_when = 2000-01-01 00:00:00
table = sys_user
duration = 60

[snow://change_task]
table = change_task
duration = 60

[snow://change_request]
table = change_request
duration = 60

[snow://cmn_location]
since_when = 2000-01-01 00:00:00
table = cmn_location
duration = 60

[snow://cmdb]
since_when = 2000-01-01 00:00:00
table = cmdb
duration = 60

[snow://cmdb_ci]
since_when = 2000-01-01 00:00:00
table = cmdb_ci
duration = 60

[snow://cmdb_ci_server]
since_when = 2000-01-01 00:00:00
table = cmdb_ci_server
duration = 60

[snow://cmdb_ci_vm]
since_when = 2000-01-01 00:00:00
table = cmdb_ci_vm
duration = 60

[snow://cmdb_ci_infra_service]
since_when = 2000-01-01 00:00:00
table = cmdb_ci_infra_service
duration = 60

[snow://cmdb_ci_db_instance]
since_when = 2000-01-01 00:00:00
table = cmdb_ci_db_instance
duration = 60

[snow://cmdb_ci_app_server]
since_when = 2000-01-01 00:00:00
table = cmdb_ci_app_server
duration = 60

[snow://cmdb_ci_service]
since_when = 2000-01-01 00:00:00
table = cmdb_ci_service
duration = 60

[snow://cmdb_rel_ci]
since_when = 2000-01-01 00:00:00
table = cmdb_rel_ci
duration = 60

[snow://sys_choice]
since_when = 2000-01-01 00:00:00
table = sys_choice
duration = 60

[snow://sysevent]
timefield = sys_created_on
table = sysevent
duration = 60

[snow://syslog]
timefield = sys_created_on
table = syslog
duration = 60

[snow://syslog_transaction]
timefield = sys_created_on
table = syslog_transaction
duration = 60

[snow://sys_audit]
timefield = sys_created_on
table = sys_audit
duration = 60

[snow://sys_audit_delete]
since_when = 2000-01-01 00:00:00
table = sys_audit_delete
duration = 60

0 Karma

kdroddy
Explorer

Hey, in this case you can just add sys_update_xml as an entry in the inputs.conf file yourself. Make a new stanza and fill in whichever fields you need for it:

[snow://sys_update_xml]
timefield = sys_created_on
table = sys_update_xml
duration = 60
etc.

0 Karma
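As an added example (not code from the thread, the add-on, or Splunk), the script below generates the three `[snow://<table>]` stanzas the original poster asked for, including the hand-written `sys_update_xml` one, and then sanity-checks an inputs.conf text for the mistakes that are easy to make when copying stanzas by hand: a `table =` value that does not match the stanza name, an empty `account =`, a `since_when` that is not in the `YYYY-MM-DD HH:MM:SS` form used throughout the thread, and a wanted table with no stanza at all. The key names are taken from the inputs.conf excerpts above; the account name is a placeholder, and the time fields per table are assumptions based on the default stanzas shown.

```python
"""Build and sanity-check Splunk_TA_snow input stanzas for the audit-type
ServiceNow tables discussed above (added example, not the add-on's code)."""
import configparser
import io
from datetime import datetime

# Tables the poster wants, with the time field each stanza should key on.
# sys_update_xml has no default stanza, so it is written by hand like the others.
# (Time fields are assumptions based on the default stanzas in the thread.)
WANTED = {
    "sysevent": "sys_created_on",
    "sys_audit_delete": "sys_updated_on",
    "sys_update_xml": "sys_created_on",
}

SINCE_FMT = "%Y-%m-%d %H:%M:%S"


def build_stanzas(account, since_when="2000-01-01 00:00:00", duration=60):
    """Return inputs.conf text with one [snow://<table>] stanza per wanted table."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key names exactly as written (no lowercasing)
    for table, timefield in WANTED.items():
        cfg[f"snow://{table}"] = {
            "disabled": "false",
            "table": table,
            "timefield": timefield,
            "duration": str(duration),
            "account": account,  # placeholder; use the account name configured in the add-on
            "since_when": since_when,
        }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def check_inputs(conf_text):
    """Return a list of human-readable problems found in inputs.conf text.

    Checks: stanza name vs. table = value, empty account, malformed since_when,
    non-positive duration, and wanted tables that have no stanza at all.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(conf_text)
    problems = []
    present = set()
    for section in cfg.sections():
        if not section.startswith("snow://"):
            continue  # [snow] holds defaults only; per-table checks do not apply
        name = section[len("snow://"):]
        present.add(name)
        st = cfg[section]
        if st.get("table", name) != name:
            problems.append(f"{section}: table={st.get('table')} does not match stanza name")
        if not st.get("account", "").strip():
            problems.append(f"{section}: account is empty")
        since = st.get("since_when")
        if since is not None:
            try:
                datetime.strptime(since.strip(), SINCE_FMT)
            except ValueError:
                problems.append(f"{section}: since_when '{since}' is not YYYY-MM-DD HH:MM:SS")
        dur = st.get("duration", "60")
        if not dur.strip().isdigit() or int(dur) <= 0:
            problems.append(f"{section}: duration '{dur}' is not a positive integer")
    for table in WANTED:
        if table not in present:
            problems.append(f"missing stanza for {table}")
    return problems


if __name__ == "__main__":
    text = build_stanzas("snow_account_placeholder")
    print(text)
    print("problems:", check_inputs(text))
```

Write the generated text to `$SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/inputs.conf` (or paste the stanzas into it), then run `check_inputs` over the file's contents before restarting; the `[snow]` stanza is skipped because it only supplies defaults. These three tables record configuration changes, deletions and system events, so a stanza that silently fails (empty account, bad `since_when`) means a gap in the change-audit trail rather than a visible error.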

kanahayashi
Explorer

I appreciate your cooperation. I understand. I want to try it.

0 Karma