Solved: Splunk Add-on for ServiceNow: Splunk is not pullin...

srikanth1213 · ‎09-09-2016

Hi Splunksters,

We have this issue in our environment where Splunk is pulling correct Incident Data from ServiceNow, however it is unable to pull the Change ticket data from ServiceNow. It has stopped pulling data since 25 Aug 2016 when there was an issue from ServiceNow; that issue was fixed on 30 Aug 2016.

When I looked into ta_snow.log the only query it is trying to pull is below. I did try to refresh the connection between Splunk and ServiceNow but no luck. Is there something I am missing here? Kindly let me know.

2016-09-09 14:55:15,226 INFO 9200 - end https://itsm.dtcc.com/change_request.do?JSONv2&sysparm_query=sys_updated_on>=2017-03-09+15:17:49^ORD...

Regards
Srikanth.D

srikanth1213 · ‎09-23-2016

Jus thought of posting the fix.
To fix the issue we had to edit "change_request.sys_updated_on" in the location "E:\Program Files\Splunk\var\lib\splunk\modinputs"and change the date to the one from which we were missing the Change date i.e from 08/25/2016, as it was holding the future date i.e 2017-09-03, files were not getting indexed.
The issue was caused when SNOW team had installed a plugin that generated bogus Change tickets with future time stamps.

View solution in original post

srikanth1213 · ‎09-23-2016

Jus thought of posting the fix.
To fix the issue we had to edit "change_request.sys_updated_on" in the location "E:\Program Files\Splunk\var\lib\splunk\modinputs"and change the date to the one from which we were missing the Change date i.e from 08/25/2016, as it was holding the future date i.e 2017-09-03, files were not getting indexed.
The issue was caused when SNOW team had installed a plugin that generated bogus Change tickets with future time stamps.

Splunk Add-on for ServiceNow: Splunk is not pulling Change Management data from ServiceNow

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life