
ServiceNow - sys_user_group input is not pulling from the servicenow table sys_user_group

brdr
Contributor

Hi,

I have this input set up in Splunk_TA_snow in the local folder. When I first configured this input it went successfully in the test index below. I got the records from the associated ServiceNow table.

Now, when I change to the prod index and restart Splunk, the TA writes this to the log for sys_user_group:

2020-07-21 14:00:48,988 INFO pid=14877 tid=Thread-1 file=snow_data_loader.py:_do_collect:151 | start https://serviceflo.servicenowservices.com/api/now/table/sys_user_group?sysparm_display_value=all&sys...2020-07-20+15:13:56^ORDERBYsys_updated_on

I'm not getting any records, which is OK, but it is looking for any record in ServiceNow greater than 2020-07-20. I need to back populate this table into the prod index, but the TA does NOT go back to the since_when time below. Any ideas to get this data?

Inputs.conf

[snow://sys_user_group]
since_when = 2000-01-01 00:00:00
disabled = 0
duration = 300
id_field = sys_id
index = servicenow_test
timefield = sys_updated_on

 

Thx,

brdr

 


kdroddy
Explorer

Since you already have that data in Splunk, have you considered copying over the buckets from the test index to the production index?

I believe the ServiceNow TA tracks the last update from a given table to avoid duplicates. That is why when you change the index it just continues from the most recent update from that table.
