Upon initial index of Service Now data, only records with the current date are being retrieved even though a specific date of a year ago is specified in the input.conf file. Looked in splunk_ta_snow_util.log file and error msg:
2016-03-24 07:24:51,088 ERROR pid=7016 tid=Thread-11 file=thread_pool.py:run:259 | Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\framework\thread_pool.py", line 257, in _run
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\snow_job_factory.py", line 37, in __call_
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\snow_data_loader.py", line 106, in collect_data
self._write_checkpoint(table, timefield, jobjs, refreshed)
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\snow_data_loader.py", line 232, in _write_checkpoint
latest_timestamp = jobjs[-1][timefield]
Edit the following url:
mysinstance.service-now.com with your service now instance name
cmdb_ci_list with the service now table you are trying to query
2000-01-01 with the actual date you want to query from
and paste it in your browser. You will be prompted to login, so make sure you do with the same username password you use in the Add-on setup.
Check the results for the following:
1- Do you get the historical data you expected to have?
2- Do you get sys_updated_on field returned in each event?
If not, this is a permission issue.
We have a similar issue in our environment where when I pasted the query in the browser I can see the records but am unable fetch them through a search query in the search head in Splunk...Can you please shred your thoughts on this..
Am also facing exactly same issue. In browser the query works fine for me and am able to see records but not in splunk the eventtype=snow_incident doesn't return any records. Please help if you have already fixed the issue.
Hi Surekha , this is how we fixed the issue : "we had to edit "change_request.sys_updated_on" in the location "%SplunkHome%\var\lib\splunk\modinputs" and change the date to the one from where we were missing the Change data through search query i.e from 08/25/2016, as it was holding the future date i.e 2017-09-03, files were not getting indexed.
The issue was caused when SNOW team had installed a plugin that generated bogus Change tickets with future time stamps... Also you can see the ta_snow logs for any other errors and let us know if this does not work.