Dropped events with Splunk Add-on for ServiceNow

paulbannister · ‎11-12-2020

Hi All,

We have recently updated our "Splunk Add-on for ServiceNow" to the latest available (6.2.0) from a 4.# release on our Cloud IDM and have been experiencing dropped events ever since.

Particularly with our high traffic tables (sc_tasks, incident) which are frequently updated, we've noticed that the TA will pick up the initial entry for these when created in SNOW but will miss any subsequent updates (i.e. ticket will get closed in SNOW but this will not get reflected/updated in the data in Splunk), there was no issue before so we may need to downgrade the TA if necessary

We currently have cases open with both ServiceNow and Splunk but was wondering if anyone else had experienced similar?

Our instance is all cloud (Splunk Cloud, ServiceNow) and as I said was functioning before the update, which was done as part of 8.1 readiness

paulbannister · ‎01-18-2021

Just as an FYI for anyone with the same issue, the latest version of the TA has been released and contains the fix for the issue.

paulbannister · ‎11-24-2020

Just as an FYI for anyone with the same issue, this has now been logged as a bug and the developers are currently working on a fix\workaround:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Releasenotes

2020-11-03

ADDON-30681

Splunk Add-on for ServiceNow is not ingesting updated records intermittently.

Dropped events with Splunk Add-on for ServiceNow

other

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI