Re: How can I onboard SNOW RITM variables data to ...

epari1437 · ‎06-17-2021

Requirement is to onboard SNOW RITM variables data to Splunk. Using table name SC_REQ_ITEM and SC_TASK, I can able to fetch data except variables.

Can anyone suggest how can I fetch data for variables which are linked to the catalog item/task.

My event would be :

You are requesting for: value

your name: value

select system: laptop

ismedley · ‎06-17-2021

Splunk's add-on for ServiceNow would do this for you - you'd need to manually edit its inputs.conf to create an ingestion for the sc_req_item table as that one isn't included out the box.

Failing that, the add-on creates a query of the format

https://<????>.service-now.com/api/now/table/sc_req_item?sysparm_display_value=all&sysparm_offset=0&...timestamp>^sys_updated_on%3C<later_timestamp>^ORDERBYsys_updated_on,sys_id

which will resolve the lookup fields for the record. The sysparm_fields parameter can be used to restrict the fields returned

How can I onboard SNOW RITM variables data to splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation