Getting Data In

How can I retrieve ServiceNow field values with . (period) in the name through Splunk's Add-on for ServiceNow?

andrew_f_trobec
Explorer

Hello!

I am using the Splunk Add-on for ServiceNow to retrieve data from standard ServiceNow tables, in particular the "sc_req_item" table for service requests.  The form has a custom field that I need to extract and it has an internal id of "variables.4d1b6d291b2fd4d025d5eb186e4bcb19".

When calling the ServiceNow REST API with Postman I can retrieve the field without issue:

screenshot.png

When trying to retrieve the same field using the Splunk Add-on for ServiceNow I get the message:

"Values should begin with a letter or '$', and can include '_' and numbers, but got the value: variables.4d1b6d291b2fd4d025d5eb186e4bcb19"

log.png

I can sync all the fields I need through the connector with the exception of the custom which has a . (period) in the name.  I have tried using quotes and replacing . (period) with _ (underscore) but I cannot get the field synced.  Here is the input configuration for reference:

form.png

Is what I am trying to do possible with the Splunk Add-on for ServiceNow?

Thanks!

Andrew

Labels (1)
0 Karma
1 Solution

abhishek_solank
Engager

In the special_character_validation function in the snow.py file, there is a regex that only allows $ and _ as special characters. Modify the regex to allow a dot / period as well. Use regex101.com to test your regex.

I was afraid it might break something else but I can confirm it works just fine. I was even able to dot-walk two fields (e.g. caller_id.location.country). The Splunk adapter version that I checked this was 7.1. The Splunk Enterprise version was 8.0.6 and the ServiceNow version was Paris.

View solution in original post

andrew_f_trobec
Explorer

@abhishek_solank Amazing, thank you so much, this solved the issue!  The custom field is now syncing:

screenshot.png

Not sure if I updated the regex correctly, but it now looks like this (I added the two periods (.)):

"^(u_|[a-z$.])([_]?[a-z$.\d]+)*$"

Since it works I'm not gonna go searching for trouble 🙂

Best regards,

Andrew

0 Karma

abhishek_solank
Engager

In the special_character_validation function in the snow.py file, there is a regex that only allows $ and _ as special characters. Modify the regex to allow a dot / period as well. Use regex101.com to test your regex.

I was afraid it might break something else but I can confirm it works just fine. I was even able to dot-walk two fields (e.g. caller_id.location.country). The Splunk adapter version that I checked this was 7.1. The Splunk Enterprise version was 8.0.6 and the ServiceNow version was Paris.

Get Updates on the Splunk Community!

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...