Ok so now it makes more sense. sounds like sys_updated_on is not returned by the API which could be permission. to find out more, You can run
https://.service-now.com/.do?JSONv2&sysparm_query=sys_created_on>=2016-01-01+00:00:00^ORDERBYsys_created_on&sysparm_record_count=50 mysinstance.service-now.com
per the troubleshooting doc
http://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Troubleshooting
and see if those events are returned with that field included. If not, then SNOW admins needs to investigate why.

Problem resolved . For some reason it didn't create that checkpoint file when all others were created and it fell in that black hole. Disabling and enabling of the incident data type made it work. Thanks for the guidance.

where does this checkpoint file reside under the snow add-on? disable and enable doesn't work

You are on the right track. I see these errors in log. I am thinking its related to that. I don't see a checkpoint for that incident table created. I see for other ServiceNow tables though.

2/16/17
8:23:01.310 PM  
2017-02-16 20:23:01,310 ERROR pid=18563 tid=Thread-17 file=thread_pool.py:_run:259 | Traceback (most recent call last):
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/framework/thread_pool.py", line 257, in _run
    func()
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/snow_job_factory.py", line 38, in __call__
    sc.DEFAULT_RECORD_LIMIT))
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 142, in collect_data
    self._write_checkpoint(table, timefield, jobjs, refreshed)
  File "/app/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 278, in _write_checkpoint
    if obj[timefield] == latest_timestamp]
KeyError: u'sys_updated_on'

Hello ,

How was the issue resolved .Can you please provide the steps