Hi All,
We have recently updated our "Splunk Add-on for ServiceNow" to the latest available (6.2.0) from a 4.# release on our Cloud IDM and have been experiencing dropped events ever since.
Particularly with our high traffic tables (sc_tasks, incident) which are frequently updated, we've noticed that the TA will pick up the initial entry for these when created in SNOW but will miss any subsequent updates (i.e. ticket will get closed in SNOW but this will not get reflected/updated in the data in Splunk), there was no issue before so we may need to downgrade the TA if necessary
We currently have cases open with both ServiceNow and Splunk but was wondering if anyone else had experienced similar?
Our instance is all cloud (Splunk Cloud, ServiceNow) and as I said was functioning before the update, which was done as part of 8.1 readiness
Just as an FYI for anyone with the same issue, the latest version of the TA has been released and contains the fix for the issue.
Just as an FYI for anyone with the same issue, this has now been logged as a bug and the developers are currently working on a fix\workaround:
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Releasenotes
2020-11-03 | ADDON-30681 | Splunk Add-on for ServiceNow is not ingesting updated records intermittently. |