I altered the Splunk Add-on for ServiceNow to put data in index=snow instead of index=main.
How do I configure the Splunk App for ServiceNow to search index=snow?
Hi Davebo,
Are your add-on and app on the same Splunk instance? If so, then do not run setup to configure the add-on to enable the inputs; instead, set up the ServiceNow app to collect data directly, which will enable the inputs on the app, and they get saved in servicenowapp/local/inputs.conf. Then change index=main to index=snow in inputs.conf, followed by a restart of Splunk.
Refer to this page: http://docs.splunk.com/Documentation/ServiceNow/4.0.3/Install/Setuptheapp
Why am I getting errors about a non-existent index?
index=snow_cmdb_ci_list_index
Is your Splunk setup standalone or clustered?
If you're going to install the TA and app on the same instance, then you just need to install the TA first but skip the configure step, and then configure the app to pull data from ServiceNow instead.
But since you've already configured the TA with inputs and updated the inputs.conf with index=snow, then it has to be allowed to search.
The ServiceNow TA creates some indexes as part of the installation. You should add these indexes to your main indexes.conf file with reference to the primary volume.
snow is an index I created. The rest were created by the TA and would throw errors for not referencing the primary volume. So I added it to the master indexes.conf file.
Example:
[snow]
homePath = volume:primary/snow/db
coldPath = volume:primary/snow/colddb
thawedPath = $SPLUNK_DB/snow/thaweddb
maxTotalDataSizeMB = 750000
frozenTimePeriodInSecs = 31536000
[snow_sys_user_group_list_index]
homePath = volume:primary/snow_sys_user_group_list_index/db
coldPath = volume:primary/snow_sys_user_group_list_index/colddb
thawedPath = $SPLUNK_DB/snow_sys_user_group_list_index/thaweddb
maxTotalDataSizeMB = 750000
frozenTimePeriodInSecs = 31536000
[snow_cmdb_ci_list_index]
homePath = volume:primary/snow_cmdb_ci_list_index/db
coldPath = volume:primary/snow_cmdb_ci_list_index/colddb
thawedPath = $SPLUNK_DB/snow_cmdb_ci_list_index/thaweddb
maxTotalDataSizeMB = 750000
frozenTimePeriodInSecs = 31536000
[snow_incident_state_index]
homePath = volume:primary/snow_incident_state_index/db
coldPath = volume:primary/snow_incident_state_index/colddb
thawedPath = $SPLUNK_DB/snow_incident_state_index/thaweddb
maxTotalDataSizeMB = 750000
frozenTimePeriodInSecs = 31536000
I don't see service_now_app/local/inputs.conf after configuring. There is Splunk_TA_snow/local/inputs.conf. Is that what you mean?
If I understand this correctly, it is Splunk_TA_snow/local/inputs.conf,
and it needs to be set up prior to configuring the connection via the UI:
[snow]
index = snow
since_when = 2017-01-01 00:00:00
It also appears that this index has to be set as "allowed" and "search by default" for the role that will be accessing this app, as the index is not specified in a macro.
Do I need to install the TA if it is all on one host?
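The two failure modes raised in this thread (inputs pointing at a non-existent index, and a role that cannot search the index) can be checked offline. This is an added example, not code from the thread or from Splunk. The role name `snow_analyst`, the `example_*` input stanzas and the sample file contents are constructed; `srchIndexesAllowed` and `srchIndexesDefault` are the authorize.conf settings behind the "allowed" and "search by default" options.

```python
import fnmatch
# Constructed samples: only [snow] and the index names come from the thread.
INPUTS_CONF = """
[snow]
index = snow
[example_cmdb_input]
index = snow_cmdb_ci_list_index
[example_state_input]
index = snow_incident_state_index
"""
INDEXES_CONF = """
[snow]
homePath = volume:primary/snow/db
[snow_cmdb_ci_list_index]
homePath = volume:primary/snow_cmdb_ci_list_index/db
"""
AUTHORIZE_CONF = """
[role_snow_analyst]
srchIndexesAllowed = main;snow
srchIndexesDefault = main
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(inputs_text, indexes_text, authorize_text, role):
    """Report input indexes that are undefined or not searchable by the role."""
    defined = set(parse_conf(indexes_text))
    role_cfg = parse_conf(authorize_text).get("role_" + role, {})
    used = sorted({s["index"] for s in parse_conf(inputs_text).values() if "index" in s})
    def missing(key):
        # Role index lists are semicolon-separated; "*" acts as a wildcard.
        pats = [p for p in role_cfg.get(key, "").split(";") if p]
        return [i for i in used if not any(fnmatch.fnmatchcase(i, p) for p in pats)]
    return {"undefined": [i for i in used if i not in defined],
            "not_allowed": missing("srchIndexesAllowed"),
            "not_default": missing("srchIndexesDefault")}

if __name__ == "__main__":
    print(audit(INPUTS_CONF, INDEXES_CONF, AUTHORIZE_CONF, "snow_analyst"))
```

The check reads one file per type and does not resolve Splunk's default/local layering or inherited roles. Granting only the named indexes (or a narrow pattern such as `snow*`) rather than `*` keeps the role's search scope limited to the ServiceNow data.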