Deployment Architecture

ServiceNow - Clean Index and Download Data Again - Missing tables

kent_farries
Path Finder

I am stumped and not able to find a good solution. I would like to clean our index and download data again from ServiceNow. I don't care about any history that Splunk would have collected over the last year and need to start fresh for the ServiceNow application only.

Problem
Our production instance is not showing the correct data anymore.

Solution
We would like to reset our indexes and bring in the fresh/clean data

Issue
We are not able to fully clean our ServiceNow app and indexes. Only some of the data comes in after we do this on our test systems and the tables that are not default do not come in. One example is the task table.

What we know
When we do these steps we do not get all of the tables
1. Cleaning the Snow index. splunk.exe clean eventdata -index snow
2. Deleted the modinput\snow folder

When I do a clean install of Splunk and setup ServiceNow it works
1. Uninstall Splunk
2. Install Splunk
3. Setup ServiceNow app and TA with our custom configurations
4. Data comes in fine and dashboards work

Versions Tested
Splunk Add-on for ServiceNow - 2.9 & 2.8
Splunk App for ServiceNow - 4.0.1 & 4.0.0
Splunk Enterprise 6.4.2 running on Windows Server 2012 R2
ServiceNow Geneva Release

I must be missing something simple but I can’t seem to find it.

MuS
Legend

Hi kent_farries,

modular inputs create or use a checkpoint to make sure they don't indexer events twice, therefore you have to use splunk clean inputdata YourModularInputNameHere to remove those checkpoints as well.
See the docs for more details on clean inputdata http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/CLIadmincommands and see the docs here http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModInputsCheckpoint about the modular input checkpoints.

Hope this helps ...

cheers, MuS

jkat54
SplunkTrust
SplunkTrust

Same user? Same permissions? Have you compared configs from before and after?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...