Splunk App & Add-on for ServiceNow: What configuration do I need to properly index "dv_*" fields from ServiceNow?

bwindham
Path Finder

I have the App for ServiceNow and ServiceNow Add-on working pretty well. Data is coming in. However, the ServiceNow data that is coming in is selective. There are additional fields in ServiceNow, for example, "dv_u_action", that give meaning to the "u_action" field that is being input. Without it, I have no idea what the field means. I realize I can create lookup tables, but this is one of many fields, for example. Is there a way to modify the data input to include more fields?

0 Karma

splunk4now
Explorer

I too seem to have a similar issue in the Add-on (latest version 2.9.1) & Splunk 6.5.2. The source data stored within Splunk and the URL for validation both contain all fields in the table; however, the search results are not showing all fields (even after selecting the all fields option). What should be done for Splunk to pick up all fields?

0 Karma

splunk4now
Explorer

Found out the problem. What I had missed is the difference between the index-time and search-time field extractions that are done by Splunk. So if there are specific fields required, then they have to be configured for extraction.

0 Karma

ehaddad_splunk
Splunk Employee

We automatically collect all fields that are part of the ServiceNow table the way they are exposed by the ServiceNow API. A good way to validate is to edit and paste the following URL in your browser (Firefox preferably):
https://yourinstance.service-now.com/yourtablename.do?XML&sysparm_query=sys_updated_on%3E2014-06-14%2...
&sysparm_view=sys_updated_on&sysparm_limit=10
Replace yourinstance and yourtablename with the right values.
You can see the fields exposed on that table. To enrich the data with more fields from other tables, you will need to run lookups.

0 Karma

corey_dick
Path Finder

The problem with the assertion that "We automatically collect all fields" is that the original Splunk for Service Now app communicated to ServiceNow in such a way that all the lookups that bwindham is mentioning were returned without any special work after implementing the app. This is actually my biggest reason for still using the old app since it returns the data in a useful way.

0 Karma