Splunk Search

Splunk Add-on for ServiceNow: about the table "sys_audit_delete"

kanahayashi
Explorer

Hello.
Please help me....
I failed to get the table "sys_audit_delete" via Splunk Add-on for ServiceNow.
I succeeded in getting "sysevent" and "sys_update_xml".

I found the following error in "splunk_ta_snow_main.log"
What kind of error is this? (SSLError: ('The read operation timed out',))
What should I do ?

===================================================================================================================================
2020-03-10 12:03:18,680 ERROR pid=2056 tid=Thread-23 file=snow_data_loader.py:do_collect:177 | Failure occurred while connecting to https://●●●●●●.service-now.com/api/now/table/sys_audit_delete?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2020-02-25+00:00:00^ORDERBYsys_updated_on. The reason for failure=Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\snow_data_loader.py", line 169, in _do_collect
"Authorization": "Basic %s" % credentials
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2\__init__.py", line 2135, in request
cachekey,
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2\__init__.py", line 1796, in _request
conn, request_uri, method, body, headers
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2\__init__.py", line 1737, in _conn_request
response = conn.getresponse()
File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 1121, in getresponse
response.begin()
File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 438, in begin
version, status, reason = self._read_status()
File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 394, in _read_status
line = self.fp.readline(_MAXLINE + 1)
File "C:\Program Files\Splunk\Python-2.7\Lib\socket.py", line 480, in readline
data = self._sock.recv(self._rbufsize)
File "C:\Program Files\Splunk\Python-2.7\Lib\ssl.py", line 772, in recv
return self.read(buflen)
File "C:\Program Files\Splunk\Python-2.7\Lib\ssl.py", line 659, in read
v = self._sslobj.read(len)
SSLError: ('The read operation timed out',)

kdroddy
Explorer

Hi,

Are you successfully grabbing data from your other inputs (sysevent & sys_update_xml) using the same 'snow_account'?

0 Karma

kanahayashi
Explorer

Hello.
Yes, I was able to get two tables.
I guess I found out why it failed.
It seems to be a problem with the timefield (sys_updated_on).
The data in sys_audit_delete on SNOW are indexed by creation date.
So, the search timed out.
I will rewrite timefield = sys_created_on and try.

0 Karma
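As an added illustration (not the add-on's or the poster's code) of what the timefield setting changes: the sysparm_query quoted in the log filters and orders by that field, and the checkpoint for the next poll is taken from the same field, so a field the table is not indexed on makes the instance-side sort slow enough to hit the read timeout. Written for Python 3; the instance name, credentials and sample records are constructed placeholders.

```python
"""Shape of one ServiceNow Table API poll, as driven by `timefield`."""
import base64
import json
import ssl
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def build_table_url(instance, table, timefield, since_when, limit=1000):
    """Rebuild the request seen in splunk_ta_snow_main.log: rows whose
    `timefield` >= checkpoint, ordered by that same field. On a table
    indexed by sys_created_on (sys_audit_delete in this thread), ordering
    by sys_updated_on forces an unindexed sort and can exceed the timeout."""
    params = {
        "sysparm_display_value": "all",
        "sysparm_limit": str(limit),
        "sysparm_exclude_reference_link": "true",
        # quote_plus turns the space in since_when into '+', as in the log.
        "sysparm_query": "%s>=%s^ORDERBY%s" % (timefield, since_when, timefield),
    }
    query = urlencode(params, safe="+^>=:")
    return "https://%s.service-now.com/api/now/table/%s?%s" % (instance, table, query)


def advance_checkpoint(records, timefield, previous):
    """Next since_when: the largest `timefield` value in the page, or the
    previous checkpoint when the page is empty (or the call timed out, so
    no rows were received and nothing is skipped). With display_value=all
    each field is {"display_value": ..., "value": ...}; the raw `value`
    (yyyy-mm-dd hh:mm:ss) is what the query compares against."""
    latest = previous
    for rec in records:
        field = rec.get(timefield)
        stamp = field["value"] if isinstance(field, dict) else field
        if stamp and stamp > latest:
            latest = stamp
    return latest


def fetch_page(url, user, password, timeout=30):
    """One collection call with an explicit read timeout. A slow server-side
    sort surfaces here as ssl.SSLError('The read operation timed out')."""
    creds = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = Request(url, headers={"Authorization": "Basic " + creds,
                                "Accept": "application/json"})
    with urlopen(req, timeout=timeout, context=ssl.create_default_context()) as resp:
        return json.loads(resp.read().decode())["result"]


# Constructed sample page, in the shape the Table API returns (display_value=all).
SAMPLE_RECORDS = [
    {"sys_id": {"value": "a1"}, "sys_created_on": {"value": "2020-03-10 12:03:18"}},
    {"sys_id": {"value": "a2"}, "sys_created_on": {"value": "2020-02-26 08:00:00"}},
]
```

Running the collection loop amounts to build_table_url(...) with the checkpoint, fetch_page(...), then advance_checkpoint(...) on the result; a timeout leaves the checkpoint where it was.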

kdroddy
Explorer

How did your test go?

0 Karma

kanahayashi
Explorer

Hello,
Today, I succeeded in the test.
Just as expected, I was misunderstanding about timefield.

0 Karma

xavierashe
Contributor

I am guessing it's a permissions issue. I looked over the last 90 days and I am getting an occasional SSLError: ('_ssl.c:725: The handshake operation timed out',) but not SSLError: ('The read operation timed out',)

0 Karma

kanahayashi
Explorer

Thank you for your answer.
I thought it was a permission issue, but the snow ID for Splunk is a privileged ID ("admin", "security admin").
If there is anything else, please give me a professor.

0 Karma

kanahayashi
Explorer

By the way, inputs.conf is the following content.

[snow]
index = ●●●
timefield = sys_updated_on
disabled = false
interval = 60
start_by_shell = false
id_field = sys_id

[snow://sys_audit_delete]
disabled = false
timefield =  sys_updated_on
table = sys_audit_delete
duration = 120
account = snow_account
since_when = 2020-02-25 00:00:00

[snow://sysevent]
disabled = false
timefield = sys_created_on
table = sysevent
duration = 60
account = snow_account
since_when = 2020-02-25 00:00:00

[snow://sys_update_xml]
disabled = false
timefield = sys_created_on
table = sys_update_xml
duration = 60
account = snow_account
since_when = 2020-02-25 00:00:00

0 Karma

xavierashe
Contributor

Hmm... my inputs.conf is much more basic

[snow://sys_audit]
disabled = 0
index = snow

[snow://sys_audit_delete]
disabled = 0
index = snow

[snow://sys_choice]
disabled = 0
index = snow

[snow://sys_user]
disabled = 0
index = snow

[snow://sys_user_group]
disabled = 0
index = snow

[snow://sysevent]
disabled = 0
index = snow

0 Karma