I have the App for ServiceNow and ServiceNow Add-on working pretty well. Data is coming in. However, the servicenow data that is coming in is selective. There are additional fields in ServiceNow, for example, "dv_u_action" that give meaning to the "u_action" field that is being input. Without it, I have no idea what the field means. I realize I can create lookup tables, but this is one of many fields for example. Is there a way to modify the data input to include more fields?
I too seem to have a similar issue in Add-on (Latest version 2.9.1) & Splunk 6.5.2. The source data stored within splunk and the URL for validation both contain all fields in the table, however the search results is not showing all fields (even after selecting all fields option). What should be done for SPLUNK to pick up all fields ?
Found out the problem - What I had missed is the difference between index time and search time field extractions that's done by splunk. So if there are specific fields required then it has to be configured for extraction.
We automatically collect all fields that are part of the servicenow table the way they are exposed by the servicenow api. A good way to validate is to edit and paste the following url in your browser (firefox preferably)
https://yourinstance.service-now.com/youtablename.do?XML&sysparm_query=sys_updated_on%3E2014-06-14%2...
&sysparm_view=sys_updated_on&sysparm_limit=10
replace yourinstance and yourtablename with the right values.
You can see the fields exposed on that able. To enrich the data with more fields from other tables, you will need to run lookups.
The problem with the assertion that "We automatically collect all fields" is that the original Splunk for Service Now app communicated to ServiceNow in such a way that all the lookups that bwindham is mentioning were returned without any special work after implementing the app. This is actually my biggest reason for still using the old app since it returns the data in a useful way.