ServiceNow Add-on 'sys_updated_on' field error

oangarita · ‎06-30-2020

Hi,

Splunk server: 7.3.5

snow_ta version: 6.0.0

I'm trying to collect data from the snow cmdb input with the ta, but the present error is showed:

'sys_updated_on' field is not found in the data collected for 'cmdb_ci_productive' input

These are the specefic events before the error:

2020-06-26 23:03:46,897 INFO pid=105839 tid=Thread-1 file=snow_data_loader.py:_do_collect:198 | Initiating request to https://xxx.service-now.com/api/now/table/cmdb_ci?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2000-01-01+00:00:00^ORDERBYsys_updated_on

2020-06-26 23:03:56,373 INFO pid=105839 tid=Thread-1 file=snow_data_loader.py:_do_collect:251 | Ending request to https://xxx.service-now.com/api/now/table/cmdb_ci?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2000-01-01+00:00:00^ORDERBYsys_updated_on

2020-06-26 23:03:56,400 ERROR pid=105839 tid=Thread-1 file=snow_data_loader.py:_write_checkpoint:360 | 'sys_updated_on' field is not found in the data collected for 'cmdb_ci_productive' input. In order to resolve the issue, provide valid value in 'Time
 field of the table' on Inputs page, or edit 'timefield' parameter for the affected input in inputs.conf file.

I tried the troubleshooting query (splunk addon documentation) vs the splunk query (show in the logs) and I can see the data (sys_updated_on field) in the web browser.

https://xxx.service-now.com/cmdb_ci.do?JSONv2&sysparm_query=sys_created_on>=2016-01-01+00:00:00^ORDERBYsys_created_on&sysparm_record_count=50 xxx.service-now.com

It seems like the user configured have the permission to read the data, but for some reason is not working with the TA.

Is there a known issue about it? Did I miss something?

Regards,

admindeckge · ‎09-08-2020

Hi oangarita - did you ever get this figured out?

I've encountered something weird with this same "sys_updated_on" field extraction but for me it's only at search time for the "incident" input from the 6.0.0 snow_ta version (with 7.3.3 Splunk server).

For my issue, this is not breaking timestamps that depend on sys_updated_on, but ITSI Bidirectional Ticketing alert fails to find any results for updated ServiceNow incidents in my snow index.

The sys_updated_on field isn't getting extracted at search time properly when i collect data for the "incident" input from my heavy forwarder. When i change to collect data for the "incident" input locally from 1 search head in my SHC instead of from my heavy forwarder, the field is extracted properly at search time & the ITSI Bidirectional Ticketing alert works fine. That alert uses the sys_updated_on value to calculate a new snow_hash field, and it appears that missing field extraction is breaking that OOTB eval in the query - at least in my environment that is 😞

Bidirectional Ticketing

michael_mcgrail · ‎09-24-2020

@admindeckge I had this same setup - HF collecting data + SHC bidirectional ticketing correlation search failing due to sys_updated_on field missing. To solve this, I created this as a field alias via the SHC deployer in Splunk_TA_snow/local/props.conf:

[snow:incident]
FIELDALIAS-sys_updated_on = dv_sys_updated_on AS sys_updated_on

ServiceNow Add-on 'sys_updated_on' field error

heavy forwarder

scripted input

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes