Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

ServiceNow - Clean Index and Download Data Again - Missing tables

kent_farries
Path Finder
‎08-05-2016 07:59 AM

I am stumped and not able to find a good solution. I would like to clean our index and download data again from ServiceNow. I don't care about any history that Splunk would have collected over the last year and need to start fresh for the ServiceNow application only.

Problem
Our production instance is not showing the correct data anymore.

Solution
We would like to reset our indexes and bring in the fresh/clean data

Issue
We are not able to fully clean our ServiceNow app and indexes. Only some of the data comes in after we do this on our test systems and the tables that are not default do not come in. One example is the task table.

What we know
When we do these steps we do not get all of the tables
1. Cleaning the Snow index. splunk.exe clean eventdata -index snow
2. Deleted the modinput\snow folder

When I do a clean install of Splunk and setup ServiceNow it works
1. Uninstall Splunk
2. Install Splunk
3. Setup ServiceNow app and TA with our custom configurations
4. Data comes in fine and dashboards work

Versions Tested
Splunk Add-on for ServiceNow - 2.9 & 2.8
Splunk App for ServiceNow - 4.0.1 & 4.0.0
Splunk Enterprise 6.4.2 running on Windows Server 2012 R2
ServiceNow Geneva Release

I must be missing something simple but I can’t seem to find it.

Reply

MuS
SplunkTrust
SplunkTrust
‎08-07-2016 07:44 PM

Hi kent_farries,

modular inputs create or use a checkpoint to make sure they don't indexer events twice, therefore you have to use splunk clean inputdata YourModularInputNameHere to remove those checkpoints as well.
See the docs for more details on clean inputdata http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/CLIadmincommands and see the docs here http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModInputsCheckpoint about the modular input checkpoints.

Hope this helps ...

cheers, MuS

Reply

jkat54
SplunkTrust
SplunkTrust
‎08-07-2016 07:33 PM

Same user? Same permissions? Have you compared configs from before and after?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...