Splunk App & Add-on for ServiceNow: What configuration do I need to properly index "dv_*" fields from ServiceNow?

bwindham
Path Finder

I have the App for ServiceNow and ServiceNow Add-on working pretty well. Data is coming in. However, the ServiceNow data that is coming in is selective. There are additional fields in ServiceNow, for example, "dv_u_action", that give meaning to the "u_action" field that is being input. Without it, I have no idea what the field means. I realize I can create lookup tables, but this is just one example of many fields. Is there a way to modify the data input to include more fields?

0 Karma

splunk4now
Explorer

I too seem to have a similar issue in the Add-on (latest version 2.9.1) & Splunk 6.5.2. The source data stored within Splunk and the URL for validation both contain all fields in the table; however, the search results are not showing all fields (even after selecting the all fields option). What should be done for SPLUNK to pick up all fields?

0 Karma

splunk4now
Explorer

Found out the problem - what I had missed is the difference between index-time and search-time field extractions done by Splunk. So if specific fields are required, they have to be configured for extraction.

0 Karma

ehaddad_splunk
Splunk Employee

We automatically collect all fields that are part of the ServiceNow table the way they are exposed by the ServiceNow API. A good way to validate is to edit and paste the following URL in your browser (Firefox preferably):
https://yourinstance.service-now.com/yourtablename.do?XML&sysparm_query=sys_updated_on%3E2014-06-14%2...
&sysparm_view=sys_updated_on&sysparm_limit=10
Replace yourinstance and yourtablename with the right values.
You can see the fields exposed on that table. To enrich the data with more fields from other tables, you will need to run lookups.

0 Karma
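The validation step described in the answer above can also be scripted. This is an added example, not part of the original post or the add-on's code: it parses a saved copy of the XML export and reports which fields already have a "dv_" companion and which would need a lookup. The sample XML and its layout (an `xml` root, one element per record, one element per field) are constructed assumptions, and `field_report` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like a "<table>.do?XML" export (assumed layout).
# Parse only exports taken from your own instance.
SAMPLE_XML = """<xml>
  <incident>
    <number>INC0010001</number>
    <u_action>3</u_action>
    <dv_u_action>Escalate</dv_u_action>
    <assigned_to>00000000000000000000000000000001</assigned_to>
    <sys_updated_on>2014-06-15 10:22:31</sys_updated_on>
  </incident>
  <incident>
    <number>INC0010002</number>
    <u_action>1</u_action>
    <assigned_to/>
    <state>2</state>
    <dv_state>In Progress</dv_state>
    <sys_updated_on>2014-06-15 11:02:07</sys_updated_on>
  </incident>
</xml>"""


def field_report(xml_text):
    """Return (all_fields, with_dv, without_dv) across every record."""
    root = ET.fromstring(xml_text)
    seen = set()
    for record in root:          # one element per table row
        for field in record:     # one element per column
            seen.add(field.tag)
    dv_fields = {name for name in seen if name.startswith("dv_")}
    base_fields = seen - dv_fields
    # A base field is covered if the export also carries dv_<name>.
    with_dv = {name for name in base_fields if "dv_" + name in dv_fields}
    return sorted(seen), sorted(with_dv), sorted(base_fields - with_dv)


if __name__ == "__main__":
    all_fields, with_dv, without_dv = field_report(SAMPLE_XML)
    print("fields exposed:      ", ", ".join(all_fields))
    print("have dv_ companion:  ", ", ".join(with_dv))
    print("no dv_ (lookup only):", ", ".join(without_dv))
```
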

corey_dick
Path Finder

The problem with the assertion that "We automatically collect all fields" is that the original Splunk for Service Now app communicated to ServiceNow in such a way that all the lookups that bwindham is mentioning were returned without any special work after implementing the app. This is actually my biggest reason for still using the old app since it returns the data in a useful way.

0 Karma