Splunk server: 7.3.5
snow_ta version: 6.0.0
I'm trying to collect data from the snow cmdb input with the TA, but the following error is shown:
2020-06-26 23:03:46,897 INFO pid=105839 tid=Thread-1 file=snow_data_loader.py:_do_collect:198 | Initiating request to https://xxx.service-now.com/api/now/table/cmdb_ci?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2000-01-01+00:00:00^ORDERBYsys_updated_on
2020-06-26 23:03:56,373 INFO pid=105839 tid=Thread-1 file=snow_data_loader.py:_do_collect:251 | Ending request to https://xxx.service-now.com/api/now/table/cmdb_ci?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2000-01-01+00:00:00^ORDERBYsys_updated_on
2020-06-26 23:03:56,400 ERROR pid=105839 tid=Thread-1 file=snow_data_loader.py:_write_checkpoint:360 | 'sys_updated_on' field is not found in the data collected for 'cmdb_ci_productive' input. In order to resolve the issue, provide valid value in 'Time field of the table' on Inputs page, or edit 'timefield' parameter for the affected input in inputs.conf file.
I tried the troubleshooting query (Splunk add-on documentation) versus the Splunk query (shown in the logs) and I can see the data (sys_updated_on field) in the web browser.
It seems like the configured user has permission to read the data, but for some reason it is not working with the TA.
Is there a known issue about it? Did I miss something?
Hi oangarita - did you ever get this figured out?
I've encountered something weird with this same "sys_updated_on" field extraction but for me it's only at search time for the "incident" input from the 6.0.0 snow_ta version (with 7.3.3 Splunk server).
For my issue, this is not breaking timestamps that depend on sys_updated_on, but ITSI Bidirectional Ticketing alert fails to find any results for updated ServiceNow incidents in my snow index.
The sys_updated_on field isn't getting extracted at search time properly when I collect data for the "incident" input from my heavy forwarder. When I change to collect data for the "incident" input locally from one search head in my SHC instead of from my heavy forwarder, the field is extracted properly at search time and the ITSI Bidirectional Ticketing alert works fine. That alert uses the sys_updated_on value to calculate a new snow_hash field, and it appears that the missing field extraction is breaking that OOTB eval in the query - at least in my environment 😞
@admindeckge I had this same setup - HF collecting data + SHC bidirectional ticketing correlation search failing due to sys_updated_on field missing. To solve this, I created this as a field alias via the SHC deployer in Splunk_TA_snow/local/props.conf:
FIELDALIAS-sys_updated_on = dv_sys_updated_on AS sys_updated_on
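The following is an added example, not code from the Splunk_TA_snow add-on or from any poster in this thread. It reproduces the condition behind the `_write_checkpoint` error above and derives the `FIELDALIAS` line from the last reply. Assumptions: a ServiceNow Table API response requested with `sysparm_display_value=all` carries each field as an object with `display_value` and `value`; the `dv_<field>` naming (visible in the alias above) holds the display value and `<field>` the raw value. The record, the flattening and the alias parser are constructed here for illustration, so treat them as a model of the behaviour rather than the add-on's own logic.

```python
"""Added example: model the 'timefield not found' condition on a ServiceNow
Table API response and derive the props.conf alias used as a workaround.
Not the Splunk_TA_snow add-on's code; record shape and dv_ convention are
assumptions stated in the lead-in."""
import json

# Constructed sample: one cmdb_ci record in the shape the Table API returns
# when sysparm_display_value=all is requested (assumption: each field is an
# object carrying "display_value" and "value").
SAMPLE_RESPONSE = json.dumps({
    "result": [
        {
            "sys_id": {"display_value": "a1b2c3", "value": "a1b2c3"},
            "name": {"display_value": "web-01", "value": "web-01"},
            "sys_updated_on": {"display_value": "2020-06-26 23:03:00",
                               "value": "2020-06-26 23:03:00"},
        }
    ]
})


def flatten_record(rec, keep_value=True):
    """Flatten one display_value=all record into dv_<field>/<field> keys.
    With keep_value=False only the dv_ copies survive, which is the event
    shape consistent with the OP's error and the alias in the last reply."""
    out = {}
    for field, cell in rec.items():
        if isinstance(cell, dict):
            out["dv_" + field] = cell.get("display_value")
            if keep_value:
                out[field] = cell.get("value")
        else:
            out[field] = cell
    return out


def check_timefield(records, timefield="sys_updated_on"):
    """Mimic the precondition behind the _write_checkpoint error: every
    collected record must carry the configured timefield.
    Returns (ok, suggested_props_line_or_None)."""
    missing = [r for r in records if timefield not in r]
    if not missing:
        return True, None
    # If only the display-value copy is present, a search-time alias restores
    # the name that downstream searches (e.g. the ITSI snow_hash eval) expect.
    if all("dv_" + timefield in r for r in missing):
        return False, "FIELDALIAS-%s = dv_%s AS %s" % (timefield, timefield, timefield)
    return False, None


def apply_field_alias(rec, alias_line):
    """Apply one props.conf line of the form 'FIELDALIAS-<n> = <src> AS <dst>'
    to a search-time record. The source field is kept; the alias is added only
    when the source exists. (Single 'src AS dst' pair only; Splunk's real
    stanza accepts several pairs per line.)"""
    _, spec = alias_line.split("=", 1)
    src, dst = [s.strip() for s in spec.strip().split(" AS ")]
    out = dict(rec)
    if src in rec:
        out[dst] = rec[src]
    return out


def load_and_check(raw_json, keep_value=True, timefield="sys_updated_on"):
    """Parse a Table API response, flatten it and run the timefield check."""
    recs = [flatten_record(r, keep_value) for r in json.loads(raw_json)["result"]]
    return check_timefield(recs, timefield)


if __name__ == "__main__":
    ok, fix = load_and_check(SAMPLE_RESPONSE, keep_value=False)
    print("timefield present:", ok)
    if fix:
        print("suggested Splunk_TA_snow/local/props.conf line:", fix)
        event = flatten_record(json.loads(SAMPLE_RESPONSE)["result"][0], False)
        print("after alias:", apply_field_alias(event, fix))
```

Running it with `keep_value=False` prints the same `FIELDALIAS` line the last reply deployed, and shows that the alias only adds a second name at search time; the indexed event itself still lacks `sys_updated_on`, which is why the input-time checkpoint error in the first post is a separate symptom from the search-time extraction problem in the later replies.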