How to integrate Splunk with servicenow without du...

abhishekroy168 · ‎04-24-2018

Hi all,
I have integrated splunk with servicenow to get all tables from servicenow.
Recently I observed that whenever I am updating a table in servicenow i get 2 copies of it in Splunk .
I mean whenever there is an update for a table in servicenow for N number of times I am getting N numbers of a table in Splunk even though there is only 1 table in servicenow.
Please do help if any of you have any leads regarding this:)

jslay_splunk · ‎04-26-2018

This is expected behavior. You get a copy of every "state" of the record in splunk. You should just look at the latest record to get the most updated information. You can do this with |dedup sys_id

abhishekroy168 · ‎04-26-2018

thanks @jslay for the answer.
I have done the same thing using distinct_count.
But I need something OOTB which can do it during the process of data plucking from servicenow.
Because using dedup for every query will make it fuzzy:)

How to integrate Splunk with servicenow without duplicate table records?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation