Re: Dropped events with Splunk Add-on for ServiceN...

paulbannister · ‎11-12-2020

Hi All,

We have recently updated our "Splunk Add-on for ServiceNow" to the latest available (6.2.0) from a 4.# release on our Cloud IDM and have been experiencing dropped events ever since.

Particularly with our high traffic tables (sc_tasks, incident) which are frequently updated, we've noticed that the TA will pick up the initial entry for these when created in SNOW but will miss any subsequent updates (i.e. ticket will get closed in SNOW but this will not get reflected/updated in the data in Splunk), there was no issue before so we may need to downgrade the TA if necessary

We currently have cases open with both ServiceNow and Splunk but was wondering if anyone else had experienced similar?

Our instance is all cloud (Splunk Cloud, ServiceNow) and as I said was functioning before the update, which was done as part of 8.1 readiness

paulbannister · ‎01-18-2021

Just as an FYI for anyone with the same issue, the latest version of the TA has been released and contains the fix for the issue.

paulbannister · ‎11-24-2020

Just as an FYI for anyone with the same issue, this has now been logged as a bug and the developers are currently working on a fix\workaround:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Releasenotes

2020-11-03

ADDON-30681

Splunk Add-on for ServiceNow is not ingesting updated records intermittently.

Dropped events with Splunk Add-on for ServiceNow

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation