Hi @dionrivera
Modify the data input configuration within the Splunk Add-on for ServiceNow to apply filters to the CMDB data collection. Instead of querying the entire table, specify criteria to retrieve only the necessary subset of records. If you need to, create multiple inputs each with their own filtering criteria.
Use ServiceNow's encoded query syntax within the "Filter parameters" field of the CMDB input configuration in the Splunk Add-on. For example, to pull only active Linux servers:
sys_class_name=cmdb_ci_linux_server^operational_status=1
Querying a very large table (10 million+ records) without filters often leads to performance degradation and timeouts in ServiceNow. By applying specific filters in the Splunk add-on's input configuration, you significantly reduce the amount of data ServiceNow needs to process and return, thereby avoiding long-running SQL queries and associated errors.
- Work with your ServiceNow administrator to identify the most efficient filters and ensure appropriate database indexes exist on the ServiceNow side for the fields used in your filter (e.g., sys_class_name, operational_status, sys_updated_on).
- Test your encoded query directly within ServiceNow's table list view first to validate its correctness and performance before configuring it in the Splunk add-on.
- Consider incremental fetching by filtering on sys_updated_on to only pull records that have changed since the last poll, rather than repeatedly pulling static data.
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
