Deployment Architecture

ServiceNow - Clean Index and Download Data Again - Missing tables

kent_farries
Path Finder

I am stumped and not able to find a good solution. I would like to clean our index and download data again from ServiceNow. I don't care about any history that Splunk would have collected over the last year and need to start fresh for the ServiceNow application only.

Problem
Our production instance is not showing the correct data anymore.

Solution
We would like to reset our indexes and bring in the fresh/clean data

Issue
We are not able to fully clean our ServiceNow app and indexes. Only some of the data comes in after we do this on our test systems and the tables that are not default do not come in. One example is the task table.

What we know
When we do these steps we do not get all of the tables
1. Cleaning the Snow index. splunk.exe clean eventdata -index snow
2. Deleted the modinput\snow folder

When I do a clean install of Splunk and setup ServiceNow it works
1. Uninstall Splunk
2. Install Splunk
3. Setup ServiceNow app and TA with our custom configurations
4. Data comes in fine and dashboards work

Versions Tested
Splunk Add-on for ServiceNow - 2.9 & 2.8
Splunk App for ServiceNow - 4.0.1 & 4.0.0
Splunk Enterprise 6.4.2 running on Windows Server 2012 R2
ServiceNow Geneva Release

I must be missing something simple but I can’t seem to find it.

MuS
Legend

Hi kent_farries,

modular inputs create or use a checkpoint to make sure they don't indexer events twice, therefore you have to use splunk clean inputdata YourModularInputNameHere to remove those checkpoints as well.
See the docs for more details on clean inputdata http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/CLIadmincommands and see the docs here http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModInputsCheckpoint about the modular input checkpoints.

Hope this helps ...

cheers, MuS

jkat54
SplunkTrust
SplunkTrust

Same user? Same permissions? Have you compared configs from before and after?

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...