Splunk App for ServiceNow: Why am I unable to see Incident data in the app?

rrthokala
New Member

I don't see Incident data in Splunk App for ServiceNow. I see ChangeTicket data though. I see no errors in /app/splunk/var/log/splunk/splunk_ta_snow_main.log either. What could be the reason?

Logs show it is going to the right URL and getting the data, but I don't see any data written to indexers to query.

0 Karma
1 Solution

ehaddad_splunk
Splunk Employee

Could it be the checkpoint? I would delete the checkpoint file from splunk/var/libt/splunk/modinput and disable/enable the input again.
index=_internal snow error should return some errors otherwise.

0 Karma

ehaddad_splunk
Splunk Employee

OK, so now it makes more sense. Sounds like sys_updated_on is not returned by the API, which could be permission. To find out more, you can run
https://.service-now.com/.do?JSONv2&sysparm_query=sys_created_on>=2016-01-01+00:00:00^ORDERBYsys_created_on&sysparm_record_count=50 mysinstance.service-now.com
per the troubleshooting doc
http://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Troubleshooting
and see if those events are returned with that field included. If not, then SNOW admins need to investigate why.

0 Karma

rrthokala
New Member

Problem resolved. For some reason it didn't create that checkpoint file when all others were created and it fell in that black hole. Disabling and enabling of the incident data type made it work. Thanks for the guidance.

0 Karma

rajesh375
Engager

Where does this checkpoint file reside under the snow add-on? Disable and enable doesn't work.

0 Karma

rrthokala
New Member

You are on the right track. I see these errors in the log. I am thinking it's related to that. I don't see a checkpoint for that incident table created. I see them for other ServiceNow tables though.

2/16/17
8:23:01.310 PM  
2017-02-16 20:23:01,310 ERROR pid=18563 tid=Thread-17 file=thread_pool.py:_run:259 | Traceback (most recent call last):
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/framework/thread_pool.py", line 257, in _run
    func()
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/snow_job_factory.py", line 38, in __call__
    sc.DEFAULT_RECORD_LIMIT))
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 142, in collect_data
    self._write_checkpoint(table, timefield, jobjs, refreshed)
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 278, in _write_checkpoint
    if obj[timefield] == latest_timestamp]
KeyError: u'sys_updated_on'

0 Karma
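
Added example (not part of the original thread, and not the add-on's own code): a sketch of the check suggested above, auditing a JSONv2-style response for records that lack sys_updated_on, and showing why indexing the field directly raises the KeyError in the traceback. The response shape ({"records": [...]}), the sample records, and all function names are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like a JSONv2 reply ({"records": [...]}); not real data.
SAMPLE_BODY = json.dumps({"records": [
    {"sys_id": "a1", "number": "INC0000001", "sys_updated_on": "2016-01-05 09:30:00"},
    {"sys_id": "a2", "number": "INC0000002"},  # time field not returned (e.g. permissions)
    {"sys_id": "a3", "number": "INC0000003", "sys_updated_on": "2016-01-06 14:00:00"},
]})


def load_records(body):
    """Parse a response body and return its list of records (empty if absent)."""
    return json.loads(body).get("records", [])


def audit_timefield(body, timefield="sys_updated_on"):
    """Return (total_records, sys_ids of records lacking a usable timefield)."""
    records = load_records(body)
    missing = [r.get("sys_id", "<no sys_id>") for r in records if not r.get(timefield)]
    return len(records), missing


def naive_checkpoint(records, timefield):
    """Index the field directly, like obj[timefield] in the traceback.
    The max() step is an assumption about how the latest timestamp is found."""
    latest = max(r[timefield] for r in records)  # KeyError if any record lacks it
    return latest, [r["sys_id"] for r in records if r[timefield] == latest]


def safe_checkpoint(records, timefield):
    """Checkpoint only over records that carry the field; None if none do."""
    usable = [r for r in records if r.get(timefield)]
    if not usable:
        return None
    # "YYYY-MM-DD HH:MM:SS" strings sort chronologically, so max() is enough.
    latest = max(r[timefield] for r in usable)
    return latest, [r["sys_id"] for r in usable if r[timefield] == latest]


if __name__ == "__main__":
    total, missing = audit_timefield(SAMPLE_BODY)
    print(f"{len(missing)} of {total} records lack sys_updated_on: {missing}")
    records = load_records(SAMPLE_BODY)
    try:
        naive_checkpoint(records, "sys_updated_on")
    except KeyError as exc:
        print(f"naive checkpoint fails with KeyError: {exc}")
    print("safe checkpoint:", safe_checkpoint(records, "sys_updated_on"))
```

A non-empty "missing" list on a saved response is the signal to take to the ServiceNow admins; a silent gap in incident data in the index is otherwise easy to overlook.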

vrmandadi
Builder

Hello,

How was the issue resolved? Can you please provide the steps?

0 Karma