Splunk Search

Splunk Add-on for ServiceNow: about the table "sys_audit_delete"

kanahayashi
Explorer

Hello.
Please help me....
I failed to get the table "sys_audit_delete" via Splunk Add-on for ServiceNow.
I succeeded in getting "sysevent" and "sys_update_xml".

I found the following error in "splunk_ta_snow_main.log"
What kind of error is this? (SSLError: ('The read operation timed out',))
What should I do?

===================================================================================================================================
2020-03-10 12:03:18,680 ERROR pid=2056 tid=Thread-23 file=snow_data_loader.py:do_collect:177 | Failure occurred while connecting to https://●●●●●●.service-now.com/api/now/table/sys_audit_delete?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2020-02-25+00:00:00^ORDERBYsys_updated_on. The reason for failure=Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\snow_data_loader.py", line 169, in _do_collect
    "Authorization": "Basic %s" % credentials
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2\__init__.py", line 2135, in request
    cachekey,
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2\__init__.py", line 1796, in _request
    conn, request_uri, method, body, headers
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2\__init__.py", line 1737, in _conn_request
    response = conn.getresponse()
  File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 1121, in getresponse
    response.begin()
  File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 438, in begin
    version, status, reason = self._read_status()
  File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 394, in _read_status
    line = self.fp.readline(_MAXLINE + 1)
  File "C:\Program Files\Splunk\Python-2.7\Lib\socket.py", line 480, in readline
    data = self._sock.recv(self._rbufsize)
  File "C:\Program Files\Splunk\Python-2.7\Lib\ssl.py", line 772, in recv
    return self.read(buflen)
  File "C:\Program Files\Splunk\Python-2.7\Lib\ssl.py", line 659, in read
    v = self._sslobj.read(len)
SSLError: ('The read operation timed out',)

kdroddy
Explorer

Hi,

Are you successfully grabbing data from your other inputs (sysevent & sys_update_xml) using the same 'snow_account'?

0 Karma

kanahayashi
Explorer

Hello.
Yes, I was able to get the two tables.
I guess I found out why it failed.
It seems to be a problem with the timefield (sys_updated_on).
The data in sys_audit_delete on SNOW are indexed by creation date.
So, the search timed out.
I will rewrite timefield = sys_created_on and try.

0 Karma

kdroddy
Explorer

How did your test go?

0 Karma

kanahayashi
Explorer

Hello,
Today, I succeeded in the test.
Just as expected, I was misunderstanding the timefield.

0 Karma

xavierashe
Contributor

I am guessing it's a permissions issue. I looked over the last 90 days and I am getting an occasional SSLError: ('_ssl.c:725: The handshake operation timed out',) but not SSLError: ('The read operation timed out',)

0 Karma

kanahayashi
Explorer

Thank you for your answer.
I thought it was a permission issue, but the snow ID for Splunk is a privileged ID ("admin", "security admin").
If there is anything else, please advise.

0 Karma

kanahayashi
Explorer

By the way, inputs.conf is the following content.

[snow]
index = ●●●
timefield = sys_updated_on
disabled = false
interval = 60
start_by_shell = false
id_field = sys_id

[snow://sys_audit_delete]
disabled = false
timefield =  sys_updated_on
table = sys_audit_delete
duration = 120
account = snow_account
since_when = 2020-02-25 00:00:00

[snow://sysevent]
disabled = false
timefield = sys_created_on
table = sysevent
duration = 60
account = snow_account
since_when = 2020-02-25 00:00:00

[snow://sys_update_xml]
disabled = false
timefield = sys_created_on
table = sys_update_xml
duration = 60
account = snow_account
since_when = 2020-02-25 00:00:00
0 Karma
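The thread's diagnosis came from pairing the failing URL in splunk_ta_snow_main.log with the timefield in inputs.conf. As an added example (not code from the thread or from the Splunk Add-on for ServiceNow), the script below parses a constructed log excerpt modelled on the entry above, extracts the table and the timefield used in sysparm_query, and resolves the effective timefield from a constructed inputs.conf. It assumes a table stanza's timefield overrides the [snow] default, as the poster's configuration implies.

```python
import configparser
import re
from urllib.parse import parse_qs, urlsplit

# Constructed excerpt of splunk_ta_snow_main.log (instance masked as example.service-now.com, traceback shortened).
SAMPLE_LOG = """\
2020-03-10 12:03:18,680 ERROR pid=2056 tid=Thread-23 file=snow_data_loader.py:do_collect:177 | Failure occurred while connecting to https://example.service-now.com/api/now/table/sys_audit_delete?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2020-02-25+00:00:00^ORDERBYsys_updated_on. The reason for failure=Traceback (most recent call last):
File "C:\\Program Files\\Splunk\\Python-2.7\\Lib\\ssl.py", line 659, in read
SSLError: ('The read operation timed out',)
"""

# Constructed inputs.conf in the shape the thread shows; assumed precedence: stanza timefield over [snow].
SAMPLE_INPUTS = """\
[snow]
timefield = sys_updated_on

[snow://sys_audit_delete]
timefield = sys_updated_on

[snow://sysevent]
timefield = sys_created_on
"""

FAILURE_RE = re.compile(
    r"Failure occurred while connecting to (?P<url>https://\S+?)\. The reason for failure="
    r".*?\n(?P<exc>[\w.]+(?:Error|Exception)\b[^\n]*)",  # first exception line after the traceback
    re.DOTALL,
)

def parse_failures(log_text):
    """One dict per failed collection: table, timefield used in sysparm_query, exception line."""
    out = []
    for m in FAILURE_RE.finditer(log_text):
        parts = urlsplit(m.group("url"))
        query = parse_qs(parts.query).get("sysparm_query", [""])[0]  # '+' decodes to a space
        tf = re.match(r"(\w+)>=", query)
        out.append({"table": parts.path.rsplit("/", 1)[-1],
                    "timefield": tf.group(1) if tf else None,
                    "error": m.group("exc")})
    return out

def effective_timefield(inputs_conf_text, table):
    """timefield of the table's own stanza, else the [snow] default (assumed add-on precedence)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inputs_conf_text)
    return cp.get("snow://" + table, "timefield",
                  fallback=cp.get("snow", "timefield", fallback=None))

def timed_out_timefields(log_text, inputs_conf_text):
    """table -> configured timefield for collections that ended in a timeout (review against table indexing)."""
    return {f["table"]: effective_timefield(inputs_conf_text, f["table"])
            for f in parse_failures(log_text) if "timed out" in f["error"]}
```

Run over a real log, a table that keeps timing out while queried on sys_updated_on is the signal that led the poster to switch sys_audit_delete to sys_created_on.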

xavierashe
Contributor

Hmm... my inputs.conf is much more basic

[snow://sys_audit]
disabled = 0
index = snow

[snow://sys_audit_delete]
disabled = 0
index = snow

[snow://sys_choice]
disabled = 0
index = snow

[snow://sys_user]
disabled = 0
index = snow

[snow://sys_user_group]
disabled = 0
index = snow

[snow://sysevent]
disabled = 0
index = snow
0 Karma