Within the inputs.conf file under the local directory of the Splunk Addon for ServiceNow, I know it's possible to define CMDB tables that you want to pull into Splunk.
I also know that by defining an input with the context "filter_data = ", you can constrain the data being pulled according to certain table elements/values.
I had previously set up my inputs.conf as such:
[snow://sysevent]
exclude = description
duration = 60
since_when = 2000-01-01 00:00:00
filter_data= name=login*
In an attempt to pull all events with the string "login" within the name field of the CMDB table "sysevent". Now this didn't work, but my question is if it's possible to declare a wildcard catch-all within the "filter_data" parameter, so that I can pull all the events I want but only those related to logins.
If not, is it possible to define multiple filter_data parameters so that I can define each event that I want by name?
I made some progress:
In the file "snow_data_loader.py", located in your app's bin folder, you can find the function "_get_uri" starting at line 231. I changed this part:
    if params:
        params = ("&sysparm_exclude_reference_link=true"
                  "&sysparm_query={}").format(params)
to something like this:
    if params:
        if (table == "change_task") or (table == "change_request"):
            params = ("&sysparm_exclude_reference_link=true"
                      "&sysparm_query=u_change_ownerSTARTSWITHXYZ%5EORu_change_ownerSTARTSWITHABC%5EORu_change_ownerSTARTSWITHDEF%5E{}").format(params)
        else:
            params = ("&sysparm_exclude_reference_link=true"
                      "&sysparm_query={}").format(params)
Of course you need to change the if statement according to your specification. If I understood your request correctly, in your case it could look like this:
    if params:
        if (table == "sysevent"):
            params = ("&sysparm_exclude_reference_link=true"
                      "&sysparm_query=nameSTARTSWITHlogin%5E{}").format(params)
        else:
            params = ("&sysparm_exclude_reference_link=true"
                      "&sysparm_query={}").format(params)
I know that this is a highly inflexible and dirty workaround. But I needed a quick solution.
If you want a nicer one, you could add a new input field to the web interface configuration and follow the logic in the code to add those new parameters to your URI.
I hope this helps.
Regards,
Max
Hi,
I know this question was asked some time ago. But I am facing the same problem.
The "filter_data" is accepting one or multiple key-value pairs for input.
Unfortunately you can't work with the ServiceNow operators like "STARTSWITH" or "CONTAINS".
Furthermore, the filter fields are added like this:
u_change_owner.name=XYZ
/change_request?u_change_owner.name=XYZ&sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2019-07-19+08:56:33^ORDERBYsys_updated_on
To work correctly as a filter (at least like I would suspect), the better position would be in the sysparm_query, like this:
/change_request?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=u_change_owner.name=XYZ^sys_updated_on>=2019-07-19+08:56:33^ORDERBYsys_updated_on
I would love to see an update supporting the filter options like STARTSWITH, IS, or CONTAINS from ServiceNow.
In the meantime I am trying to hack the Python script 😉
Regards,
Max
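An added example, not part of either post and not the add-on's own code: one way to build the sysparm_query layout shown above from validated (field, operator, value) filters instead of hardcoding them per table. The names build_condition, build_uri and ALLOWED_OPERATORS are hypothetical, and the operator list is limited to the two that appear in this thread.

```python
import re
from urllib.parse import quote_plus

# Operators that appear in the posts above; add others only after verifying them.
ALLOWED_OPERATORS = {"=", "STARTSWITH"}
NAME_RE = re.compile(r"[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)*")
SINCE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def build_condition(field, operator, value):
    """Return one encoded-query condition, e.g. nameSTARTSWITHlogin."""
    if not NAME_RE.fullmatch(field):
        raise ValueError("bad field name: %r" % field)
    if operator not in ALLOWED_OPERATORS:
        raise ValueError("operator not allowed: %r" % operator)
    # '^' separates conditions inside sysparm_query, so a value containing it
    # would add conditions of its own; URL-encoding does not prevent that.
    if not value or "^" in value or any(ord(c) < 32 for c in value):
        raise ValueError("bad filter value: %r" % value)
    return field + operator + value


def build_uri(table, any_of, since, limit=1000):
    """Build the request path; any_of is a list of (field, operator, value)
    tuples joined with ^OR and placed before the timestamp condition."""
    if not NAME_RE.fullmatch(table):
        raise ValueError("bad table name: %r" % table)
    if not SINCE_RE.fullmatch(since):
        raise ValueError("bad timestamp: %r" % since)
    parts = []
    if any_of:
        parts.append("^OR".join(build_condition(*c) for c in any_of))
    parts.append("sys_updated_on>=" + since)
    parts.append("ORDERBYsys_updated_on")
    # Encode the whole query once so '^', '>' and ':' cannot break the URL.
    query = quote_plus("^".join(parts), safe="=")
    return ("/{}?sysparm_display_value=all&sysparm_limit={:d}"
            "&sysparm_exclude_reference_link=true"
            "&sysparm_query={}").format(table, limit, query)


if __name__ == "__main__":
    # Constructed sample input matching the question (sysevent, name starts with login).
    print(build_uri("sysevent", [("name", "STARTSWITH", "login")],
                    "2019-07-19 08:56:33"))
```

Rejecting "^" in values matters because the filter text comes from configuration and ends up inside the query sent with the add-on's ServiceNow credentials.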