- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Getting an error with Service NOW add-on...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I configured the SNOW add-on per documentation.
Under manage app >Splunk Add-on for ServiceNow>setup I entered https://url_to_serviceNOW.com.
An api account was created in ServiceNOW (usr/pwd) and that was entered as well, under (manage app >Splunk Add-on for ServiceNow>setup).
I have read a number of posts already related to the error I am getting :
Encountered the following error while trying to update: Error while posting to url=/servicesNS/nobody/Splunk_TA_snow/service_now_setup/snow_account/snow_account
However, I was not understanding standing what the cause and resolution is.
Anyone able to explain if this is a Splunk issue or Service NOW issue? I followed the documentation on the SN add-on.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For some reason, I've seen this almost every time I've gone through the SNOW TA setup pages on the Splunk side.
If you go to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local, do you see snow*.conf files with settings in them? If you do, that means the setup was actually successful on the back end despite the error message.
Also, try a search like this to see if the TA is actually doing anything:
index=_internal host=
If those logs show that it was able to get the version name from the ServiceNow instance, you'll know that it was actually successful. If not, there might be an error message in those _internal logs that points you in the right direction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I struggled with the same problem for AGES. No proxy. First of all, our SN API wasn't correctly set up. Once we got that set up, I was able to query:
https://MYCOMPANY.service-now.com/sys_journal_field.do?JSONv2&sysparm_query=sys_updated_on%3E=2000-0...
but kept getting the red ribbon giving the error messages in the SN add-on. Had Splunk specially send me v2.8 of the add-on to try, it gave me this error with https:
Encountered the following error while trying to update: Splunkd daemon is not responding: (u"Error connecting to /servicesNS/nobody/Splunk_TA_snow/apps/local/Splunk_TA_snow/setup: ('The read operation timed out',)",)
and this with http:
Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_TA_snow/service_now_setup/snow_proxy/snow_proxy
I also tried v3.1, which only lets you do https, with the same error. Eventually I got it working with 3.1 by doing this:
*Verified my API was queryable correctly
*Logged into Splunk with the default admin account instead of my account (even though both have the same admin roles/all permissions)
*Set up add-on v3.1, got the error
*Installed SN app
*Restarted Splunk
*Tried to set up add-on again with error message
Then I looked at my indexes and the SN indexes were there and receiving data. I'm not sure what fixed it, be it the reboot, or having the app installed as well (which shouldn't make any sense), or what. But bottom line, you're probably going to get a red error message regardless if the setup worked or not. Pretty sure even though it doesn't tell you to, you need to reboot after getting the error message, and that does the trick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For some reason, I've seen this almost every time I've gone through the SNOW TA setup pages on the Splunk side.
If you go to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local, do you see snow*.conf files with settings in them? If you do, that means the setup was actually successful on the back end despite the error message.
Also, try a search like this to see if the TA is actually doing anything:
index=_internal host=
If those logs show that it was able to get the version name from the ServiceNow instance, you'll know that it was actually successful. If not, there might be an error message in those _internal logs that points you in the right direction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the advice.
I am actually testing the SNOW-TA on a heavy Fwdr to send the SNOW data to the indexers > main. And to make things more difficult I don't have SSH access to the box, only GUI to the Fwdr.
I will take a look at the search above and let you know.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you are correct, I have events under
index=_internal ta-snow OR ta_snow OR servicenow OR snow
but nothing under 'main'...
any other ideas?
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I forgot to enable all of the data inputs under:
Data inputs » Enable ServiceNow database table inputs.
After enabling, I am getting events in main as expected.
Please convert to an answer so that I can accept.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad it worked! It definitely is not intuitive to check if it's actually doing anything when it shows the error message regardless of whether it actually did anything 🙂
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
