I brought up the Splunk App for ServiceNow on Friday in a test app, let it chug away over the weekend to get the data extracted from Service Now over the weekend.
Went to run the reports, and all incidents are showing up as "Open". Dug into it, and our Service Now instance keeps all incidents with incident_state=1; as the tickets are worked, there is a different field "state" that is changing.
Is this something specific to our Service Now implementation, or has someone else seen this?
I have seen some snow implementations use state field and others use state_incident. We might need to change the default to be using state field to represent the status of the incident instead - in the meantime you can fix the behavior in your environment by applying the lookup to the state field (do it under local/props.conf):
LOOKUP-incident_state = incident_state_lookup state OUTPUTNEW incident_state_name
The fix is a lot more pervasive than that; there are also queries in the dashboards that need fixing. Right now I'm trying to determine if this is something our ServiceNow folks have done to us, and if anyone else has seen the problem.