Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ServiceNow - Clean Index and Download Data Again - Missing tables

kent_farries
Path Finder
‎08-05-2016 07:59 AM

I am stumped and not able to find a good solution. I would like to clean our index and download data again from ServiceNow. I don't care about any history that Splunk would have collected over the last year and need to start fresh for the ServiceNow application only.

Problem
Our production instance is not showing the correct data anymore.

Solution
We would like to reset our indexes and bring in the fresh/clean data

Issue
We are not able to fully clean our ServiceNow app and indexes. Only some of the data comes in after we do this on our test systems and the tables that are not default do not come in. One example is the task table.

What we know
When we do these steps we do not get all of the tables
1. Cleaning the Snow index. splunk.exe clean eventdata -index snow
2. Deleted the modinput\snow folder

When I do a clean install of Splunk and setup ServiceNow it works
1. Uninstall Splunk
2. Install Splunk
3. Setup ServiceNow app and TA with our custom configurations
4. Data comes in fine and dashboards work

Versions Tested
Splunk Add-on for ServiceNow - 2.9 & 2.8
Splunk App for ServiceNow - 4.0.1 & 4.0.0
Splunk Enterprise 6.4.2 running on Windows Server 2012 R2
ServiceNow Geneva Release

I must be missing something simple but I can’t seem to find it.

Reply

MuS
SplunkTrust
SplunkTrust
‎08-07-2016 07:44 PM

Hi kent_farries,

modular inputs create or use a checkpoint to make sure they don't indexer events twice, therefore you have to use splunk clean inputdata YourModularInputNameHere to remove those checkpoints as well.
See the docs for more details on clean inputdata http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/CLIadmincommands and see the docs here http://docs.splunk.com/Documentation/Splunk/6.4.2/AdvancedDev/ModInputsCheckpoint about the modular input checkpoints.

Hope this helps ...

cheers, MuS

Reply

jkat54
SplunkTrust
SplunkTrust
‎08-07-2016 07:33 PM

Same user? Same permissions? Have you compared configs from before and after?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...