Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is Service now Add on in Splunk is not extracting all the fields?

srisahitya_v
Communicator
‎09-03-2019 02:58 AM

Hello All,

I'm using Service now add-on for Splunk and installed on Heavy forwarder. Through setup page in add-on I have added few tables data into Splunk.

But the add-on not properly extracted the field values and few metrics tables also not visible in Splunk index.

add-on version 4.0.0, Splunk version 7.2.1.

can some one help me with what might causing this problem.

Labels (1)
Labels
0 Karma
Reply

desoto-chan
Explorer
‎04-12-2022 06:53 AM

I guess you did not use any tool to make the connection? We have an upcoming project that includes the integration of those two systems. But we'll be using a custom tool (it's called zigiops) so that everything will be handled and done in no time.

0 Karma
Reply

sylim_splunk
Splunk Employee
Splunk Employee
‎01-09-2020 11:21 AM

The events from SNOW appear to be very large and if you couldn't reduce the size of the events any more, you may want to check the length of raw events. Just in case the missing fields happens mostly from events larger than 10000 and which - those missing fields - appear more than 10k bytes into the events. Then try to tune maxchars under kv.

  • Use len function to get length
    "your base search for SNOW data" | eval length = len(_raw)

  • Tune maxchars
    In limits.conf
    [kv]
    maxchars = 10240 to be tuned according to raw event length if it happens to the events larger than 10240.

0 Karma
Reply

KARANMALHOTRA
Path Finder
‎09-03-2019 04:34 AM

I had a similar problem where the Service Now add-on was not extracting the fields when I was looking at the events in Search.

The reason I found was that a limit is applied on Field Extractions while searching. By default, after 10000 characters (if i remember the value correctly), Splunk will stop identifying new fields.

In case your issue is the same, you have 2 options:

  1. Increase the limit from 10000 to something much larger (not recommended in most cases)
  2. Update the inputs for tables that you have enabled in the Service Now add-on to Exclude certain fields that have long string data. e.g. Comments & Work Notes for Incidents.

I used the 2nd approach and was able to get the extraction to work properly.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...