- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk Add-on for ServiceNow:about the table "...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Add-on for ServiceNow:about the table "sys_audit_delete"
Hello.
Please help me....
I failed to get the table "sys_audit_delete" via Splunk Add-on for ServiceNow.
I succeeded in getting "sysevent"and"sys_update_xml".
I found the following error in "splunk_ta_snow_main.log"
What kind of error is this? (SSLError: ('The read operation timed out',))
What should I do ?
===================================================================================================================================
2020-03-10 12:03:18,680 ERROR pid=2056 tid=Thread-23 file=snow_data_loader.py:do_collect:177 | Failure occurred while connecting to https://●●●●●●.service-now.com/api/now/table/sys_audit_delete?sysparm_display_value=all&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2020-02-25+00:00:00^ORDERBYsys_updated_on. The reason for failure=Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\snow_data_loader.py", line 169, in _do_collect
"Authorization": "Basic %s" % credentials
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2__init.py", line 2135, in request
cachekey,
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2__init.py", line 1796, in _request
conn, request_uri, method, body, headers
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_snow\bin\Splunk_TA_snow\httplib2_helper\httplib2_py2\httplib2__init_.py", line 1737, in _conn_request
response = conn.getresponse()
File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 1121, in getresponse
response.begin()
File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 438, in begin
version, status, reason = self._read_status()
File "C:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 394, in _read_status
line = self.fp.readline(_MAXLINE + 1)
File "C:\Program Files\Splunk\Python-2.7\Lib\socket.py", line 480, in readline
data = self._sock.recv(self._rbufsize)
File "C:\Program Files\Splunk\Python-2.7\Lib\ssl.py", line 772, in recv
return self.read(buflen)
File "C:\Program Files\Splunk\Python-2.7\Lib\ssl.py", line 659, in read
v = self._sslobj.read(len)
SSLError: ('The read operation timed out',)
.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Are you successfully grabbing data from your other inputs (sysevent & sys_update_xml) using the same 'snow_account'?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
Yes,I was able to get two tables.
I guess I found out why it failed.
It seems to be a problem with the timefield(sys_updated_on).
The data in sys_audit_delete on SNOW are indexed by creation date.
So,serch timed out.
I will rewrite timefield = sys_created_on and try.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did your test go?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
today,I succeeded in the test.
Just as expected, I was misunderstanding about timefield.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am guessing it's a permissions issue. I looked over the last 90 days and I am getting an occasional SSLError: ('_ssl.c:725: The handshake operation timed out',) but not SSLError: ('The read operation timed out',)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer.
I thought it was a permission issue, but the snow ID for Splunk is a privileged ID.(”admin” ”security admin”)
If there is anything else, please give me a professor.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, inputs.conf is the following content.
[snow]
index = ●●●
timefield = sys_updated_on
disabled = false
interval = 60
start_by_shell = false
id_field = sys_id
[snow://sys_audit_delete]
disabled = false
timefield = sys_updated_on
table = sys_audit_delete
duration = 120
account = snow_account
since_when = 2020-02-25 00:00:00
[snow://sysevent]
disabled = false
timefield = sys_created_on
table = sysevent
duration = 60
account = snow_account
since_when = 2020-02-25 00:00:00
[snow://sys_update_xml]
disabled = false
timefield = sys_created_on
table = sys_update_xml
duration = 60
account = snow_account
since_when = 2020-02-25 00:00:00
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm... my inputs.conf is much more basic
[snow://sys_audit]
disabled = 0
index = snow
[snow://sys_audit_delete]
disabled = 0
index = snow
[snow://sys_choice]
disabled = 0
index = snow
[snow://sys_user]
disabled = 0
index = snow
[snow://sys_user_group]
disabled = 0
index = snow
[snow://sysevent]
disabled = 0
index = snow
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
