
Splunk App & Add-on for ServiceNow: What configuration do I need to properly index "dv_*" fields from ServiceNow?

bwindham
Path Finder

I have the App for ServiceNow and ServiceNow Add-on working pretty well. Data is coming in. However, the ServiceNow data that is coming in is selective. There are additional fields in ServiceNow, for example, "dv_u_action", that give meaning to the "u_action" field that is being input. Without it, I have no idea what the field means. I realize I can create lookup tables, but this is one of many fields, for example. Is there a way to modify the data input to include more fields?

0 Karma

splunk4now
Explorer

I too seem to have a similar issue in the Add-on (latest version 2.9.1) and Splunk 6.5.2. The source data stored within Splunk and the URL for validation both contain all fields in the table; however, the search results are not showing all fields (even after selecting the all fields option). What should be done for Splunk to pick up all fields?

0 Karma

splunk4now
Explorer

Found out the problem. What I had missed is the difference between the index-time and search-time field extractions that are done by Splunk. So if there are specific fields required, then they have to be configured for extraction.

0 Karma

ehaddad_splunk
Splunk Employee

We automatically collect all fields that are part of the ServiceNow table the way they are exposed by the ServiceNow API. A good way to validate is to edit and paste the following URL in your browser (Firefox preferably):
https://yourinstance.service-now.com/yourtablename.do?XML&sysparm_query=sys_updated_on%3E2014-06-14%2...
&sysparm_view=sys_updated_on&sysparm_limit=10
Replace yourinstance and yourtablename with the right values.
You can see the fields exposed on that table. To enrich the data with more fields from other tables, you will need to run lookups.

0 Karma

corey_dick
Path Finder

The problem with the assertion that "We automatically collect all fields" is that the original Splunk for Service Now app communicated to ServiceNow in such a way that all the lookups that bwindham is mentioning were returned without any special work after implementing the app. This is actually my biggest reason for still using the old app since it returns the data in a useful way.

0 Karma