Splunk Add-on for ServiceNow 2.6.0: Why does the l...

jgoddard · ‎06-25-2015

The most recent version of this app has a change that makes it bad.

The default/props.conf contains:

[default]
MAX_TIMESTAMP_LOOKAHEAD = 1
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
REPORT-sys_id = sys_id

the [default] stanza should NOT be used in an app, as it overrides EVERYTHING that isn't specifically set somewhere else. So, for every sourcetype in my environment now, I have a "REPORT=sys_id = sys_id". And for any other sourcetype, where the MAX_TIMESTAMP_LOOKAHEAD isn't specifically set, is now getting that setting of only look 1 character forward... Not going to pick up many timestamps that way. btool reports picking up stanzas from Splunk_TA_snow for just about all of my sourcetypes.

I am reverting [default] to [snow] in my copy, which is what it was previously, and that should provide the default settings to all the snow: sourcetypes but NOT globally override other settings.

Jim

bwooden · ‎06-25-2015

That is a valid point and concern, @jgoddard. I've downloaded the latest copy of the Splunk Add-on for ServiceNow and do not see a [default] stanza within its default/props.conf. Would you be able to provide a copy of your default/app.conf to make an investigation easier?

jgoddard · ‎06-25-2015

Ok, that is what i get for not checking versions. The issue I ranted about is indeed not present in the 2.6.0 version of the TA, it does exist in 2.5.0, which is what i was seeing.

I will update mine to the current version.

Thanks for fixing, and the tip!

Splunk Add-on for ServiceNow 2.6.0: Why does the latest version of the app use the [default] stanza, overriding other sourcetypes in my environment?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!