Hi oangarita - did you ever get this figured out? I've encountered something weird with this same "sys_updated_on" field extraction, but for me it's only at search time for the "incident" input from the 6.0.0 snow_ta version (with 7.3.3 Splunk server). For my issue, this is not breaking timestamps that depend on sys_updated_on, but the ITSI Bidirectional Ticketing alert fails to find any results for updated ServiceNow incidents in my snow index. The sys_updated_on field isn't getting extracted properly at search time when I collect data for the "incident" input from my heavy forwarder. When I change to collect data for the "incident" input locally from one search head in my SHC instead of from my heavy forwarder, the field is extracted properly at search time and the ITSI Bidirectional Ticketing alert works fine. That alert uses the sys_updated_on value to calculate a new snow_hash field, and it appears that the missing field extraction is breaking that OOTB eval in the query - at least in my environment that is 😞