All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk ServiceNow TA inputs filter not working as expected

sylim_splunk
Splunk Employee
Splunk Employee
‎05-22-2020 09:15 AM

We are trying to setup a sysevent filter for the name attributre. We have more than 1 name attribute and have setup the filter like this:
filter_data = name=login&name=logout&name=login.failed&name=impersonation.start&name=impersonation.end&name=security.elevated_role.enabled&name=security.elevated_role.disabled

But, it doesn't work as expected.

The issue we saw appears to be that you can’t specify multiple values for the same column name using the &. So name=login&parm1=myid works but name=login&name=logout (repeating the same column multiple times) does not. The url would need to specify a list of values for the name column instead of repeating it.

What is the proper syntax for adding the filters?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎05-22-2020 09:22 AM

As of this writing, the filter implementation only support "&(AND)" operator and no OR. This poses a limit in various use-cases.

According to the doc, https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Configureinputs which gives us hints that it accepts different key names in the filter.
{ Enter filters, in key-value pairs for indexing selected data from the table. For example, key1=value1&key2=value2. By default, there is no filter. }

You may want to share your ideas and concerns via https://ideas.splunk.com .
Hope it helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sylim_splunk
Splunk Employee
Splunk Employee
‎05-22-2020 09:22 AM

As of this writing, the filter implementation only support "&(AND)" operator and no OR. This poses a limit in various use-cases.

According to the doc, https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Configureinputs which gives us hints that it accepts different key names in the filter.
{ Enter filters, in key-value pairs for indexing selected data from the table. For example, key1=value1&key2=value2. By default, there is no filter. }

You may want to share your ideas and concerns via https://ideas.splunk.com .
Hope it helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...