All Apps and Add-ons

What index(es) should the Splunk App for ServiceNow place its data in?

wegscd
Contributor

I just installed the Splunk Add-on for ServiceNow 2.7.0, and the Splunk App for ServiceNow 4.0.0 on a test bed.

We're behind a proxy. I configured the credentials in the TA, and set up the proxy settings.

I went to configure the inputs from the Splunk App for ServiceNow applications, and it fails with credentials failures; I think it's because the Splunk App for ServiceNow does not know about the proxy when it's verifying credentials. In any case, I decided to just configure the credentials directly in the TA and enable them there.

The inputs for the TA are all set up to go to index 'main'. If I had been able to use the Splunk App for ServiceNow to set up the inputs, would it be wanting to plop the data down in indexes created by that app?

0 Karma
1 Solution

rpille_splunk
Splunk Employee
Splunk Employee

Great question. The inclusion of the indexes.conf in the app is a known issue -- it was there in the unsupported version and kept for backward compatibility, but the app does not concern itself with indexes. In a fresh install, please remove the indexes.conf. If you want your data to go to any indexes other than main, you can configure that through the TA.

View solution in original post

milesbrennan
Path Finder

I've never had the option via web configuration of Service-Now app or add-on to set the "index" or "host" values, they just aren't available. I so I edit the config file manually; which is a bit silly, considering you really want to declare these two values before to start migrating / indexing data into your environment.

To do it manually, edit the config file: /opt/splunk/etc/apps/Splunk_TA_snow/local/inputs.conf

[snow]                   <-- global stanza
index = snow
duration = 300
host = service-now.com
timefield = sys_updated_on
since_when = 2000-01-01 00:00:00

[snow://change_request]
disabled = 0

[snow://em_event]
disabled = 0
timefield = time_of_event

Etc... for remaining stanzas

Then just restart the service to load the new settings.

See the add-on documentation for further details: http://docs.splunk.com/Documentation/AddOns/latest/ServiceNow/Configureinputs

0 Karma

anevinsuhas
New Member

these changes are done in SH or HF? in our case the app and add on is installed in SH, but these changes in SH does not work.

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

Great question. The inclusion of the indexes.conf in the app is a known issue -- it was there in the unsupported version and kept for backward compatibility, but the app does not concern itself with indexes. In a fresh install, please remove the indexes.conf. If you want your data to go to any indexes other than main, you can configure that through the TA.

anevinsuhas
New Member

these changes are done in SH or HF? in our case the app and add on is installed in SH, but these changes in SH does not work.

0 Karma

wegscd
Contributor

cool. so when I go to production, I can put the events in any index I want, I just need to fix up the inputs before enabling them?

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

Yes. You can do this in a local copy of the inputs.conf file in the global stanza at the top, or in Settings > Data Inputs > Splunk Add-on for ServiceNow, by clicking open each database table name and configuring your index of choice under "More settings."

wegscd
Contributor

thank you very much.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...