
Splunk App for Service Now not retrieving records prior to current date.

corosco112
New Member

Upon initial index of Service Now data, only records with the current date are being retrieved even though a specific date of a year ago is specified in the input.conf file. Looked in splunk_ta_snow_util.log file and error msg:

2016-03-24 07:24:51,088 ERROR pid=7016 tid=Thread-11 file=thread_pool.py:run:259 | Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\framework\thread_pool.py", line 257, in _run
    func()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\snow_job_factory.py", line 37, in __call__
    config.get("record_count", 10000))
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\snow_data_loader.py", line 106, in collect_data
    self._write_checkpoint(table, timefield, jobjs, refreshed)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\snow_data_loader.py", line 232, in _write_checkpoint
    latest_timestamp = jobjs[-1][timefield]
KeyError: u'sys_updated_on'

0 Karma

ehaddad_splunk
Splunk Employee

Hi,
Edit the following url:
https://mysinstance.service-now.com/cmdb_ci_list.do?JSONv2&sysparm_query=sys_created_on>=2000-01-01+...
mysinstance.service-now.com with your service now instance name
cmdb_ci_list with the service now table you are trying to query
2000-01-01 with the actual date you want to query from

and paste it in your browser. You will be prompted to log in, so make sure you do so with the same username and password you use in the Add-on setup.

Check the results for the following:
1- Do you get the historical data you expected to have?
2- Do you get sys_updated_on field returned in each event?

If not, this is a permission issue.

corosco112
New Member

Ok I just entered the query and yes I did get the historical records and the sys_updated_on field in each event.

0 Karma

srikanth1213
Path Finder

We have a similar issue in our environment: when I pasted the query in the browser I can see the records, but I am unable to fetch them through a search query in the search head in Splunk... Can you please share your thoughts on this?

0 Karma

surekhasplunk
Communicator

Hi Srikanth1213, corosco112

I am also facing exactly the same issue. In the browser the query works fine for me and I am able to see records, but in Splunk the eventtype=snow_incident doesn't return any records. Please help if you have already fixed the issue.

0 Karma

srikanth1213
Path Finder

Hi Surekha, this is how we fixed the issue: we had to edit "change_request.sys_updated_on" in the location "%SplunkHome%\var\lib\splunk\modinputs" and change the date to the one from which we were missing the Change data through the search query, i.e. from 08/25/2016. As it was holding the future date, i.e. 2017-09-03, files were not getting indexed.
The issue was caused when the SNOW team installed a plugin that generated bogus Change tickets with future time stamps... Also, you can check the ta_snow logs for any other errors, and let us know if this does not work.

0 Karma
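The two failure modes discussed in this thread, records returned without the time field (the KeyError in the traceback) and future-dated records that move the checkpoint past real data, can be checked offline against a saved JSONv2 reply. This is an added example, not code from the add-on or from any poster; the `records` wrapper, the timestamp layout and the sample data are assumptions constructed for illustration.

```python
import json
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout in the reply

# Constructed sample shaped like a JSONv2 reply; not real ServiceNow data.
SAMPLE = json.dumps({"records": [
    {"number": "CHG0001", "sys_updated_on": "2016-08-24 10:15:00"},
    {"number": "CHG0002"},  # time field not returned for this record
    {"number": "CHG0003", "sys_updated_on": "2016-08-25 09:00:00"},
    {"number": "CHG0004", "sys_updated_on": "2017-09-03 00:00:00"},  # future
]})


def audit_records(payload, timefield, now):
    """Report records that would break or poison a time-based checkpoint."""
    records = json.loads(payload).get("records", [])
    missing, malformed, future = [], [], []
    safe = None  # newest timestamp that is not later than `now`
    for idx, rec in enumerate(records):
        raw = rec.get(timefield)
        if not raw:
            missing.append(idx)   # indexing rec[timefield] would raise KeyError
            continue
        try:
            ts = datetime.strptime(raw, TS_FORMAT)
        except ValueError:
            malformed.append(idx)
            continue
        if ts > now:
            future.append(idx)    # would push a checkpoint ahead of real data
        elif safe is None or ts > safe:
            safe = ts
    return {
        "missing": missing,
        "malformed": malformed,
        "future": future,
        "safe_checkpoint": safe.strftime(TS_FORMAT) if safe else None,
    }


if __name__ == "__main__":
    # `now` must be in the same time zone as the returned timestamps.
    report = audit_records(SAMPLE, "sys_updated_on", datetime(2016, 9, 1))
    print(json.dumps(report, indent=2))
```

A non-empty `future` list means a collector that stores the newest timestamp as its checkpoint will skip everything older than that value on later runs, which shows up in Splunk as a silent gap in the indexed data.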