Splunk Add-on for ServiceNow:about the table "sys_audit_delete"

Explorer

Hello.
Please help me....
I failed to get the table "sys_audit_delete" via Splunk Add-on for ServiceNow.
I succeeded in getting "sysevent" and "sys_update_xml".

I found the following error in "splunk_ta_snow_main.log".
What kind of error is this? (SSLError: ('The read operation timed out',))
What should I do?

===================================================================================================================================
2020-03-10 12:03:18,680 ERROR pid=2056 tid=Thread-23 file=snow_data_loader.py:_do_collect:177 | Failure occurred while connecting to https://●●●●●●.service-now.com/api/now/table/sys_audit_delete?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2020-02-25+00:00:00^ORDERBYsys_updated_on. The reason for failure=Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\snow_data_loader.py", line 169, in _do_collect
    "Authorization": "Basic %s" % credentials
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2\__init__.py", line 2135, in request
    cachekey,
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2\__init__.py", line 1796, in _request
    conn, request_uri, method, body, headers
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2\__init__.py", line 1737, in _conn_request
    response = conn.getresponse()
  File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 1121, in getresponse
    response.begin()
  File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 438, in begin
    version, status, reason = self._read_status()
  File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 394, in _read_status
    line = self.fp.readline(_MAXLINE + 1)
  File "C:\Program Files\Splunk\Python-2.7\Lib\socket.py", line 480, in readline
    data = self._sock.recv(self._rbufsize)
  File "C:\Program Files\Splunk\Python-2.7\Lib\ssl.py", line 772, in recv
    return self.read(buflen)
  File "C:\Program Files\Splunk\Python-2.7\Lib\ssl.py", line 659, in read
    v = self._sslobj.read(len)
SSLError: ('The read operation timed out',)

Re: Splunk Add-on for ServiceNow:about the table "sys_audit_delete"

Explorer

By the way, inputs.conf is the following content.

[snow]
index = ●●●
timefield = sys_updated_on
disabled = false
interval = 60
start_by_shell = false
id_field = sys_id

[snow://sys_audit_delete]
disabled = false
timefield =  sys_updated_on
table = sys_audit_delete
duration = 120
account = snow_account
since_when = 2020-02-25 00:00:00

[snow://sysevent]
disabled = false
timefield = sys_created_on
table = sysevent
duration = 60
account = snow_account
since_when = 2020-02-25 00:00:00

[snow://sys_update_xml]
disabled = false
timefield = sys_created_on
table = sys_update_xml
duration = 60
account = snow_account
since_when = 2020-02-25 00:00:00
0 Karma

Re: Splunk Add-on for ServiceNow:about the table "sys_audit_delete"

Contributor

Hmm... my inputs.conf is much more basic

[snow://sys_audit]
disabled = 0
index = snow

[snow://sys_audit_delete]
disabled = 0
index = snow

[snow://sys_choice]
disabled = 0
index = snow

[snow://sys_user]
disabled = 0
index = snow

[snow://sys_user_group]
disabled = 0
index = snow

[snow://sysevent]
disabled = 0
index = snow
0 Karma

Re: Splunk Add-on for ServiceNow:about the table "sys_audit_delete"

Contributor

I am guessing it's a permissions issue. I looked over the last 90 days and I am getting an occasional SSLError: ('_ssl.c:725: The handshake operation timed out',) but not SSLError: ('The read operation timed out',)

0 Karma

Re: Splunk Add-on for ServiceNow:about the table "sys_audit_delete"

Explorer

Thank you for your answer.
I thought it was a permission issue, but the snow ID for Splunk is a privileged ID ("admin", "security admin").
If there is anything else, please give me a professor.

0 Karma

Re: Splunk Add-on for ServiceNow:about the table "sys_audit_delete"

Explorer

Hi,

Are you successfully grabbing data from your other inputs (sysevent & sys_update_xml) using the same 'snow_account'?

0 Karma

Re: Splunk Add-on for ServiceNow:about the table "sys_audit_delete"

Explorer

Hello.
Yes, I was able to get two tables.
I guess I found out why it failed.
It seems to be a problem with the timefield (sys_updated_on).
The data in sys_audit_delete on SNOW are indexed by creation date.
So, the search timed out.
I will rewrite timefield = sys_created_on and try.

0 Karma

Re: Splunk Add-on for ServiceNow:about the table "sys_audit_delete"

Explorer

How did your test go?

0 Karma

Re: Splunk Add-on for ServiceNow:about the table "sys_audit_delete"

Explorer

Hello,
Today, I succeeded in the test.
Just as expected, I was misunderstanding about timefield.

0 Karma
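
A triage helper for the failure discussed in this thread, added here as an example (it is not code from any poster or from the add-on): it pulls the table and query field out of each failed collection in the add-on log and lists the inputs.conf stanzas whose timefield is the field a read-timed-out query filtered on. The host name, the second log entry, the function names and the fallback to the [snow] stanza's timefield are assumptions made for the example.

```python
import configparser
import re

# Constructed sample data, shaped like the log line and inputs.conf quoted in the thread.
SAMPLE_LOG = """\
2020-03-10 12:03:18,680 ERROR pid=2056 tid=Thread-23 file=snow_data_loader.py:_do_collect:177 | Failure occurred while connecting to https://example.service-now.com/api/now/table/sys_audit_delete?sysparm_limit=1000&sysparm_query=sys_updated_on>=2020-02-25+00:00:00^ORDERBYsys_updated_on. The reason for failure=Traceback (most recent call last):
  File "ssl.py", line 659, in read
SSLError: ('The read operation timed out',)
2020-03-10 12:04:02,101 ERROR pid=2056 tid=Thread-24 file=snow_data_loader.py:_do_collect:177 | Failure occurred while connecting to https://example.service-now.com/api/now/table/sysevent?sysparm_limit=1000&sysparm_query=sys_created_on>=2020-02-25+00:00:00^ORDERBYsys_created_on. The reason for failure=Traceback (most recent call last):
SSLError: ('_ssl.c:725: The handshake operation timed out',)
"""
SAMPLE_CONF = """\
[snow]
timefield = sys_updated_on
[snow://sys_audit_delete]
timefield = sys_updated_on
[snow://sysevent]
timefield = sys_created_on
"""

REQUEST = re.compile(r"ERROR .*connecting to \S+/api/now/table/(\w+)\?\S*sysparm_query=(\w+)>=")
REASON = re.compile(r"^SSLError: \('(.*)',\)")

def failed_requests(log_text):
    """Return (table, query_field, reason) for each failed collection in the log."""
    found, pending = [], None
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            pending = m.groups()          # traceback lines follow the ERROR line
        elif pending and (r := REASON.match(line)):
            found.append(pending + (r.group(1),))
            pending = None
    return found

def inputs_to_review(log_text, conf_text):
    """Stanzas whose configured timefield is the field a read-timed-out query filtered on."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(conf_text)
    default = conf.get("snow", "timefield", fallback=None)   # assumed scheme-level default
    hits = []
    for table, field, reason in failed_requests(log_text):
        stanza = "snow://" + table
        if "read operation timed out" in reason and conf.has_section(stanza):
            if conf.get(stanza, "timefield", fallback=default) == field:
                hits.append((stanza, field))
    return hits
```

A stanza returned by inputs_to_review is a candidate for the check made in the thread: confirm which date column the table is actually indexed on in ServiceNow and set timefield to match.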