Getting the following error message in the splunk_...

Hemnaath · ‎12-14-2017

Hi All, We have recently ingested the service-now data in to splunk using the splunk service now app. Its working fine, but we have configured an alert to trigger with the following eventtype.

 eventtype=snow_ta_collector_error OR eventtype=snow_ta_log_error

Based on the above alert we are getting some error related to the eventtype=snow_ta_log_error quiet frequently and below is the event information.

2017-12-14 11:03:25,118 ERROR pid=31376 tid=Thread-10 file=snow_data_loader.py:do_collect:169 | Failed to connect https://xxxx.service-now.com/api/now/table/cmdb_ci_infra_service?sysparm_display_value=false&sysparm..., reason=Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 161, in _do_collect "Authorization": "Basic %s" % credentials File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/httplib2/init.py", line 1593, in request (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey) File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/httplib2/init.py", line 1335, in _request (response, content) = self._conn_request(conn, request_uri, method, body, headers) File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/httplib2/init.py", line 1257, in _conn_request conn.connect() File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/httplib2/init_.py", line 1060, in connect raise socket.error, msg error: [Errno 111] Connection refused

Kindly guide me in how to start investigating this issue.

thanks in advance.

kamlesh_vaghela · ‎12-15-2017

Hi @Hemnaath,

can you please check your credential or permission which you have used?

To validate that you do not have a permissions issue:

Edit the following URL to use your ServiceNow instance name:

https://<myservicenowinstance>.service-now.com/<service_now_table>.do?JSONv2&sysparm_query=sys_created_on>=2016-01-01+00:00:00^ORDERBYsys_created_on&sysparm_record_count=50 <myservicenowinstance>.service-now.com

Change service_now_table to the ServiceNow table you are trying to query
Change 2016-01-01 to the actual date you want to query from.
Paste the URL into a browser.
When prompted, log in with the same username and password that you use for the integration account in the add-on.

Thanks
kamlesh

Hemnaath · ‎12-15-2017

Hi Kamlesh, thanks for your effort on this, Hey I am very new to this app and integration with service now was done by splunk SME at onsite, so please guide me on the below questions.

1) What user id and password do we need to use to login in to the below URL, I mean do we need to use splunk user id used for integration of service now or our regular service now username and password to check for the incidents, problems etc .

2) Why do we need to use this URL, is that anything related to the Error message ?

3) Where I can get the Servicenow table that are used in splunk to ingest data, will this be available in /opt/splunk/etc/apps/Splunk_ta_snow/local/inputs.conf

4) I am not sure about the username and password that was used for splunk integration with service-now.
I checked /opt/splunk/etc/apps/Splunk_ta_snow/local/passowrd.conf but its encrypted.

Sorry for asking these questions but based on the inputs, I will be making the first step in this issue.

thanks in advance

Hemnaath · ‎12-14-2017

Hi All, Can you guide me on this please, I am not sure how to investigate this issue.

thanks in advance.

Hemnaath · ‎12-15-2017

Hi All, Can any one guide me on this please, I am not sure how to investigate/troubleshoot this issue.

thanks in advance.

Getting the following error message in the splunk_ta_snow_main.log? Service now

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms