We are trying to run bidirectional ticketing (ServiceNow) and are experiencing some issues. ITSI v4.3.3, datamodel are working just find far as I know. The correlation search uses snow_hash.csv as input and ouput. But the file are missing, anyone with a quickfix? Should I just manually create it? Anyone know when it is created? Error message from job output when running the correlation search manually:
[subsearch]: File '/opt/splunk/var/run/splunk/csv/snow_hash.csv' could not be opened for reading.
Hi taskar - I'm seeing similar behavior in my environment. Running the incident modular input locally on 1 search head in my SHC running ITSI instead of running it from my heavy forwarder is how i've got it working currently. I'm 7.3.3 on-prem RHEL7 instances with ITSI 4.4.3 and 6.0.0 snow_ta installed to HF, indexer cluster & search head cluster. I'm curious if you're same version of TA & where props that seem to be good OOTB needed a tweak if you're collecting data from heavy forwarder since that's where it should be running and won't work for me. Really cool to update SNow ticket and get ITSI episode updated but not sure it's so cool to have to run it this way to make it work. Any help you could provide would be greatly appreciated. Thanks