Splunk's add-on for ServiceNow would do this for you - you'd need to manually edit its inputs.conf to create an ingestion for the sc_req_item table, as that one isn't included out of the box. Failing that, the add-on creates a query of the format https://<????>.service-now.com/api/now/table/sc_req_item?sysparm_display_value=all&sysparm_offset=0&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on%3E=<earlier_timestamp>^sys_updated_on%3C<later_timestamp>^ORDERBYsys_updated_on,sys_id which will resolve the lookup fields for the record. The sysparm_fields parameter can be used to restrict the fields returned.
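The query format quoted in the post above, as an added Python example that is not part of the original post and not the add-on's own code: it builds the URL, pages through results with sysparm_offset, and flattens the value/display_value pairs that sysparm_display_value=all returns. The function names, the `example` instance, the `yyyy-MM-dd HH:mm:ss` timestamp format, the `_value` suffix and the sample record are assumptions made for illustration.

```python
import re
from urllib.parse import quote, urlencode

LABEL = re.compile(r"[A-Za-z0-9_-]+")  # instance/table are interpolated into the URL
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")  # assumed timestamp format

def build_url(instance, table, earlier, later, offset=0, limit=1000, fields=None):
    """Build a Table API URL in the format quoted in the post above."""
    if not (LABEL.fullmatch(instance) and LABEL.fullmatch(table)):
        raise ValueError("unexpected characters in instance or table name")
    if not (STAMP.fullmatch(earlier) and STAMP.fullmatch(later)):
        raise ValueError("timestamps must not carry extra query operators")
    query = (f"sys_updated_on>={earlier}^sys_updated_on<{later}"
             "^ORDERBYsys_updated_on,sys_id")
    params = [("sysparm_display_value", "all"), ("sysparm_offset", offset),
              ("sysparm_limit", limit), ("sysparm_exclude_reference_link", "true"),
              ("sysparm_query", query)]
    if fields:  # optional: restrict the fields returned
        params.append(("sysparm_fields", ",".join(fields)))
    qs = urlencode(params, quote_via=quote, safe="^=,")
    return f"https://{instance}.service-now.com/api/now/table/{table}?{qs}"

def flatten(record):
    """With sysparm_display_value=all each field is {"display_value", "value"}."""
    flat = {}
    for name, cell in record.items():
        flat[name] = cell["display_value"]
        if cell["value"] != cell["display_value"]:
            flat[name + "_value"] = cell["value"]  # e.g. sys_id behind a reference
    return flat

def fetch_all(fetch_page, instance, table, earlier, later, limit=1000):
    """Page with sysparm_offset until a short page; fetch_page(url) returns parsed JSON."""
    offset, rows = 0, []
    while True:
        url = build_url(instance, table, earlier, later, offset, limit)
        page = fetch_page(url)["result"]
        rows.extend(flatten(r) for r in page)
        if len(page) < limit:
            return rows
        offset += limit

# Constructed sample response (not real data): one plain field, one reference field.
SAMPLE = {"result": [{
    "number": {"display_value": "RITM0010001", "value": "RITM0010001"},
    "requested_for": {"display_value": "Example User",
                      "value": "0123456789abcdef0123456789abcdef"}}]}

if __name__ == "__main__":
    window = ("2024-01-01 00:00:00", "2024-01-01 01:00:00")
    print(build_url("example", "sc_req_item", *window))
    print(fetch_all(lambda url: SAMPLE, "example", "sc_req_item", *window))
```

`fetch_page` is left to the caller so that authentication and TLS settings stay outside this code; any function that takes the URL and returns the parsed JSON body works.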