Hi All, We have recently ingested the service-now data into Splunk using the Splunk service now app. It's working fine, but we have configured an alert to trigger with the following eventtype.
eventtype=snow_ta_collector_error OR eventtype=snow_ta_log_error
Based on the above alert we are getting some errors related to the eventtype=snow_ta_log_error quite frequently, and below is the event information.
2017-12-14 11:03:25,118 ERROR pid=31376 tid=Thread-10 file=snow_data_loader.py:do_collect:169 | Failed to connect https://xxxx.service-now.com/api/now/table/cmdb_ci_infra_service?sysparm_display_value=false&sysparm..., reason=Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 161, in _do_collect
    "Authorization": "Basic %s" % credentials
  File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/httplib2/__init__.py", line 1593, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/httplib2/__init__.py", line 1335, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/httplib2/__init__.py", line 1257, in _conn_request
    conn.connect()
  File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/httplib2/__init__.py", line 1060, in connect
    raise socket.error, msg
error: [Errno 111] Connection refused
Kindly guide me on how to start investigating this issue.
Thanks in advance.
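A first triage step for the event above, as an added example that is not part of the original thread or of the add-on's code: it splits the event into fields and flags socket-level failures such as `[Errno 111] Connection refused` separately from other errors. The `triage` function, the errno table (Linux values) and the shortened sample event are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: Linux errno numbers, since the add-on in the post runs under /opt/splunk.
NETWORK_ERRNOS = {101: "ENETUNREACH", 110: "ETIMEDOUT",
                  111: "ECONNREFUSED", 113: "EHOSTUNREACH"}

HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"pid=(?P<pid>\d+) tid=(?P<tid>\S+) file=(?P<location>\S+) \| (?P<message>.*)$",
    re.DOTALL)
URL = re.compile(r"Failed to connect (?P<url>https?://[^\s,]+)")
ERRNO = re.compile(r"\[Errno (\d+)\]")


def triage(event):
    """Split one add-on error event into fields and label the failure stage."""
    header = HEADER.match(event.strip())
    if header is None:
        return None  # not in the add-on's log layout
    fields = header.groupdict()
    message = fields.pop("message")

    url = URL.search(message)
    if url:
        parts = urlsplit(url.group("url"))
        fields["host"] = parts.hostname
        # Table API paths end in the table name: /api/now/table/<table>
        fields["table"] = parts.path.rstrip("/").rsplit("/", 1)[-1]

    # The last [Errno N] in the message is the exception that was raised.
    numbers = ERRNO.findall(message)
    name = NETWORK_ERRNOS.get(int(numbers[-1])) if numbers else None
    fields["errno"] = name
    # A socket-level errno points at the network path (DNS, proxy, firewall,
    # instance availability). With ECONNREFUSED the TCP connect itself was
    # rejected, so no HTTP request carrying credentials was sent.
    fields["stage"] = "network" if name else "other"
    return fields


# Constructed sample: the event from the post with the traceback frames elided.
SAMPLE = ("2017-12-14 11:03:25,118 ERROR pid=31376 tid=Thread-10 "
          "file=snow_data_loader.py:do_collect:169 | Failed to connect "
          "https://xxxx.service-now.com/api/now/table/cmdb_ci_infra_service"
          "?sysparm_display_value=false&sysparm..., reason=Traceback (most "
          "recent call last): ... error: [Errno 111] Connection refused")

if __name__ == "__main__":
    print(triage(SAMPLE))
```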
Hi @Hemnaath,
Can you please check the credentials or permissions which you have used?
To validate that you do not have a permissions issue:
Edit the following URL to use your ServiceNow instance name:
https://<myservicenowinstance>.service-now.com/<service_now_table>.do?JSONv2&sysparm_query=sys_created_on>=2016-01-01+00:00:00^ORDERBYsys_created_on&sysparm_record_count=50
Thanks
kamlesh
Hi Kamlesh, thanks for your effort on this. I am very new to this app, and the integration with ServiceNow was done by a Splunk SME onsite, so please guide me on the questions below.
1) What user ID and password do we need to use to log in to the URL below? I mean, do we need to use the Splunk user ID used for the integration with ServiceNow, or our regular ServiceNow username and password that we use to check for incidents, problems, etc.?
2) Why do we need to use this URL? Is it anything related to the error message?
3) Where can I get the ServiceNow tables that are used in Splunk to ingest data? Will this be available in /opt/splunk/etc/apps/Splunk_ta_snow/local/inputs.conf?
4) I am not sure about the username and password that were used for the Splunk integration with ServiceNow.
I checked /opt/splunk/etc/apps/Splunk_ta_snow/local/password.conf but it's encrypted.
Sorry for asking these questions but based on the inputs, I will be making the first step in this issue.
thanks in advance
Hi All, Can you guide me on this please, I am not sure how to investigate this issue.
thanks in advance.
Hi All, Can anyone guide me on this please? I am not sure how to investigate/troubleshoot this issue.
thanks in advance.