Splunk for ServiceNow app question

OldManEd
Builder

I've just loaded Splunk for ServiceNow and it's working fine. I can run queries and get data.

I do have one question. I'd like to run a search and collect data based on time stamps between 2 dates. I was trying to use "__encoded_query" and although that filter function works fine, I can't figure out the format of the date inputs.

As an example, the search below works great:

|snow instance=<sn instance> request=<sn table name> action=query __encoded_query="name=<criteria 1>^ORname=<criteria 2>" | table sys_created_on, name, parm_A, param_B

But when I try to add a date parameter, nothing works:

|snow instance=<sn instance> request=<sn table name> action=query __encoded_query="name=<criteria 1>^ORname=<criteria 2>;sys_created_on>2014-04-18 13:15:00" | table sys_created_on, name, parm_A, param_B

I assume this is a ServiceNow issue but I'm looking for help configuring a Splunk search string.

~Ed

0 Karma
1 Solution

OldManEd
Builder

I ~think~ I got this one. I changed the search to the following:

|snow instance=<sn instance> request=<sn table name> action=query __encoded_query="name=<criteria 1>^ORname=<criteria 2>^sys_created_on > 2014-04-18 16:16:00" | table sys_created_on, name, parm1, parm2

And this seemed to work.

0 Karma
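
Added example, not part of the original posts: a small Python helper that builds the `__encoded_query` value for the "between 2 dates" case from the question, joining every condition with `^` as in the accepted solution and rejecting values that would add conditions of their own. The function names and sample values are constructed, and it assumes the `>=` and `<=` operators are accepted the same way as the `>` used above.

```python
import re
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"   # timestamp layout used in the posts above
FIELD_RE = re.compile(r"^[A-Za-z0-9_]+$")


def _check_value(value):
    # '^' separates conditions in an encoded query, so a value containing it
    # would append extra conditions; quotes and pipes would end the quoted
    # __encoded_query argument inside the Splunk search string.
    if not value or any(ch in value for ch in '^"|\r\n'):
        raise ValueError(f"unsafe value for encoded query: {value!r}")
    return value


def _check_ts(ts):
    # strptime raises ValueError on anything that is not exactly date + time.
    return datetime.strptime(ts, TS_FORMAT)


def build_encoded_query(names, start, end, field="sys_created_on"):
    """Return name=a^ORname=b^<field>>=<start>^<field><=<end>."""
    if not names:
        raise ValueError("at least one name is required")
    if not FIELD_RE.match(field):
        raise ValueError(f"unexpected field name: {field!r}")
    t0, t1 = _check_ts(start), _check_ts(end)
    if t0 > t1:
        raise ValueError("start is after end")
    name_part = "^OR".join(f"name={_check_value(n)}" for n in names)
    # Re-emit the parsed timestamps so the output is always zero-padded.
    return (f"{name_part}"
            f"^{field}>={t0.strftime(TS_FORMAT)}"
            f"^{field}<={t1.strftime(TS_FORMAT)}")


if __name__ == "__main__":
    # Constructed sample values.
    print(build_encoded_query(["alpha", "beta"],
                              "2014-04-18 13:15:00", "2014-04-19 00:00:00"))
```
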