Configure inputs for the Splunk Add-on for ServiceNow
After you set up the Splunk Add-on for ServiceNow, configure your inputs to collect data. Configure inputs on your data collection node, usually a heavy forwarder.
- In the Splunk Add-on for ServiceNow, click the Inputs tab.
- Click Create New Input.
- In the Add Inputs box, complete the following fields:

Field | Description | Expected value |
---|---|---|
Input Name | Enter a unique name for the input. | Must begin with a letter and consist exclusively of alphanumeric characters and underscores. Maximum length allowed is 150 characters. |
Account | Enter your ServiceNow account name. | |
Collection interval | The data collection interval, in seconds. | Must be a non-zero integer. |
Table to collect data from | Select a ServiceNow table from the list or enter a new custom table in the search box. | |
Included properties | Enter comma-separated fields from the database table to include. You can either include or exclude properties for an input, but not both. | Field names in Included properties can contain characters in the range a to z (case sensitive), ., $ and digits. |
Excluded properties | Enter comma-separated fields from the database table to exclude. | Field names in Excluded properties can contain characters in the range a to z (case sensitive), ., $ and digits. |
Time field of the table | The time field to use for checkpoint creation. | The default is sys_updated_on. |
Use existing data input? | This field only displays if the add-on finds an existing checkpoint for the given input name. If "Yes" is selected, the add-on collects from that checkpoint. If "No" is selected, the add-on resets data collection and starts from either the provided start date or the default start date. | |
Start date | The date from which the Splunk software starts collecting data from the database table. The default is one week ago. | Must be in UTC "YYYY-MM-DD hh:mm:ss" format. |
ID field | The field that uniquely identifies each row in this table. | The default is sys_id. |
Filter parameters | Enter filters, as key-value pairs, for indexing selected data from the table. All the operators mentioned in the ServiceNow documentation are allowed. For example: name=Application1^company=MyCompany, name=Application1^companySTARTSWITHMyCompany^ORcompany=SomeOtherCompany, or short_descriptionLIKESAP^ORcaller_idENDSWITHliffe. By default, there is no filter. The logical OR operation ("^OR") is performed before the logical AND operation ("^"). If you are upgrading from add-on version 7.1.1 or earlier, the old way of writing logical AND ("&") and logical OR ("\|") in the filter parameter is migrated automatically to the ServiceNow syntax. | |
Index | The index that stores the events collected from this input. The default index is main. | Index names must begin with a letter or a number and can only contain letters, numbers, underscores, or hyphens. The maximum length allowed is 80 characters. |

- Click Save.
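The constraints in the field table above are easy to get wrong by hand, and a rejected input is only reported after you click Save. The following is an added example (not code from the add-on or from Splunk) that checks a constructed input definition against those constraints before it is saved, and rewrites a legacy "&"/"|" filter into the "^"/"^OR" syntax the page says the add-on applies on upgrade from 7.1.1 or earlier. The dictionary keys, the sample values and the treatment of "_" as an allowed property character (the page's own defaults sys_id and sys_updated_on contain one) are assumptions made for this example.

```python
"""Pre-flight checks for a Splunk Add-on for ServiceNow input definition.

Added example, not code from the add-on or from Splunk: applies the field
constraints from the Add Inputs table to a constructed input definition and
migrates a legacy "&"/"|" filter to ServiceNow "^"/"^OR" syntax.
"""
import re
from datetime import datetime, timedelta, timezone

# Constraints taken from the Add Inputs field table.
INPUT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,149}$")     # letter first, letters/digits/_, max 150
INDEX_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,79}$")  # letter/digit first, max 80
# Page: a to z (case sensitive), ".", "$" and digits. Assumption: "_" is accepted
# too, since the page's own defaults (sys_id, sys_updated_on) contain it.
PROPERTY_RE = re.compile(r"^[A-Za-z0-9._$]+$")
START_DATE_FMT = "%Y-%m-%d %H:%M:%S"  # UTC "YYYY-MM-DD hh:mm:ss"


def migrate_legacy_filter(filter_param: str) -> str:
    """Rewrite a pre-7.1.2 filter ("&" = AND, "|" = OR) into ServiceNow encoded
    query syntax ("^" = AND, "^OR" = OR). Filters already in the new syntax pass
    through unchanged. Assumption: "&" and "|" never occur inside a value."""
    return filter_param.replace("|", "^OR").replace("&", "^")


def split_filter(filter_param: str) -> list:
    """Return the filter as AND-groups of OR-clauses, reflecting the page's note
    that "^OR" is evaluated before "^": [["a=1"], ["b=2", "c=3"]] reads as
    a=1 AND (b=2 OR c=3). A "^" followed by "OR" is the OR separator, not a
    group boundary (assumption: no field name starts with "OR")."""
    if not filter_param:
        return []
    return [group.split("^OR") for group in re.split(r"\^(?!OR)", filter_param)]


def parse_start_date(value: str) -> datetime:
    """Parse the Start date field; raises ValueError if not in the page's format."""
    return datetime.strptime(value, START_DATE_FMT).replace(tzinfo=timezone.utc)


def default_start_date(now=None) -> datetime:
    """The page's default Start date: one week before now, in UTC."""
    return (now or datetime.now(timezone.utc)) - timedelta(weeks=1)


def validate_input(cfg: dict) -> list:
    """Return the problems found; an empty list means the definition satisfies
    every constraint the Add Inputs table states."""
    problems = []
    if not INPUT_NAME_RE.match(cfg.get("name", "")):
        problems.append("Input Name: must begin with a letter, use only letters, "
                        "digits and underscores, and be at most 150 characters")
    if not cfg.get("account"):
        problems.append("Account: ServiceNow account name is required")
    try:
        if int(cfg.get("interval", 0)) <= 0:  # page: non-zero integer (seconds)
            raise ValueError
    except (TypeError, ValueError):
        problems.append("Collection interval: must be a non-zero integer")
    if not cfg.get("table"):
        problems.append("Table to collect data from: a table name is required")
    include, exclude = cfg.get("include", ""), cfg.get("exclude", "")
    if include and exclude:
        problems.append("Included/Excluded properties: use one or the other, not both")
    for label, value in (("Included", include), ("Excluded", exclude)):
        for field in (f.strip() for f in value.split(",") if f.strip()):
            if not PROPERTY_RE.match(field):
                problems.append(f"{label} properties: {field!r} has characters outside a-z, digits, '.', '$'")
    start = cfg.get("start_date") or default_start_date().strftime(START_DATE_FMT)
    try:
        parse_start_date(start)
    except ValueError:
        problems.append('Start date: must be UTC "YYYY-MM-DD hh:mm:ss"')
    for group in split_filter(migrate_legacy_filter(cfg.get("filter", ""))):
        for clause in group:
            # Each clause must be a key-value pair: a field name followed by an operator.
            if not re.match(r"^[A-Za-z0-9_.]+(=|[A-Z])", clause):
                problems.append(f"Filter parameters: {clause!r} is not a key-value pair")
    if not INDEX_NAME_RE.match(cfg.get("index") or "main"):
        problems.append("Index: must begin with a letter or number, use only letters, "
                        "numbers, underscores or hyphens, and be at most 80 characters")
    return problems


# Constructed input definition (not from the page), written with a legacy-syntax filter.
EXAMPLE_INPUT = {
    "name": "snow_incident_prod",
    "account": "snow_prod",
    "interval": "300",
    "table": "incident",
    "include": "sys_id,number,short_description,sys_updated_on",
    "exclude": "",
    "timefield": "sys_updated_on",
    "start_date": "2024-01-01 00:00:00",
    "id_field": "sys_id",
    "filter": "active=true&priority=1|priority=2",
    "index": "servicenow",
}

if __name__ == "__main__":
    migrated = migrate_legacy_filter(EXAMPLE_INPUT["filter"])
    print("migrated filter:", migrated)
    print("AND-groups of OR-clauses:", split_filter(migrated))
    print("problems:", validate_input(EXAMPLE_INPUT) or "none")
```

Running the script shows the legacy filter active=true&priority=1|priority=2 becoming active=true^priority=1^ORpriority=2, grouped as active=true AND (priority=1 OR priority=2), which is the precedence the page describes. The property check is the one place this example is looser than the page's wording, and it says so in the comment; tighten PROPERTY_RE if your ServiceNow instance rejects underscores.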
Table Name and Time Field Mapping
To set up the Splunk Add-on for ServiceNow, you must set the time field for each table name. The add-on creates a checkpoint based on the time field each time the REST API is called to collect data, so that data collection resumes from the last recorded timestamp. You can set the Time field of the table parameter on the Inputs page, or modify the timefield parameter of specific stanzas in your local inputs.conf file. See the following table for some of the common table and time field correspondences:
Table Name | Time Field |
---|---|
incident | sys_updated_on |
problem | sys_updated_on |
em_event | time_of_event |
sys_user_group | sys_updated_on |
sys_user | sys_updated_on |
change_task | sys_updated_on |
change_request | sys_updated_on |
cmn_location | sys_updated_on |
cmdb | sys_updated_on |
cmdb_ci | sys_updated_on |
cmdb_ci_server | sys_updated_on |
cmdb_ci_vm | sys_updated_on |
cmdb_ci_infra_service | sys_updated_on |
cmdb_ci_db_instance | sys_updated_on |
cmdb_ci_app_server | sys_updated_on |
cmdb_ci_service | sys_updated_on |
cmdb_rel_ci | sys_updated_on |
sys_choice | sys_updated_on |
sysevent | sys_created_on |
syslog | sys_created_on |
syslog_transaction | sys_created_on |
sys_audit | sys_created_on |
sys_audit_delete | sys_updated_on |
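Because the checkpoint is derived from the time field, a stanza whose timefield does not match how its table is timestamped can make collection resume from the wrong point. The following is an added example (not add-on code) that reads a local inputs.conf with Python's configparser and compares each ServiceNow stanza's effective time field against the correspondences in the table above, treating a missing timefield as the page's default sys_updated_on. The stanza naming [snow://<input name>] and the key names table and timefield are assumptions for this example, and the sample file is constructed.

```python
"""Lint the timefield of each ServiceNow input stanza in a local inputs.conf
against the table/time field correspondences listed on this page.

Added example, not add-on code. Assumptions not stated on the page: stanzas are
named [snow://<input name>] and carry "table" and "timefield" keys; the sample
inputs.conf below is constructed.
"""
import configparser

# Correspondences from the table on this page.
TIME_FIELD_BY_TABLE = {
    "incident": "sys_updated_on", "problem": "sys_updated_on",
    "em_event": "time_of_event",
    "sys_user_group": "sys_updated_on", "sys_user": "sys_updated_on",
    "change_task": "sys_updated_on", "change_request": "sys_updated_on",
    "cmn_location": "sys_updated_on", "cmdb": "sys_updated_on",
    "cmdb_ci": "sys_updated_on", "cmdb_ci_server": "sys_updated_on",
    "cmdb_ci_vm": "sys_updated_on", "cmdb_ci_infra_service": "sys_updated_on",
    "cmdb_ci_db_instance": "sys_updated_on", "cmdb_ci_app_server": "sys_updated_on",
    "cmdb_ci_service": "sys_updated_on", "cmdb_rel_ci": "sys_updated_on",
    "sys_choice": "sys_updated_on",
    "sysevent": "sys_created_on", "syslog": "sys_created_on",
    "syslog_transaction": "sys_created_on", "sys_audit": "sys_created_on",
    "sys_audit_delete": "sys_updated_on",
}
PAGE_DEFAULT_TIME_FIELD = "sys_updated_on"  # the page's default when timefield is unset

# Constructed local inputs.conf: one correct stanza, one wrong, one missing, one custom table.
SAMPLE_INPUTS_CONF = """\
[snow://incident_prod]
table = incident
timefield = sys_updated_on

[snow://events_prod]
table = em_event
timefield = sys_updated_on

[snow://audit_prod]
table = sys_audit

[snow://custom_app]
table = u_custom_app
timefield = u_changed_at
"""


def check_timefields(conf_text: str) -> dict:
    """Return {stanza: finding} for every ServiceNow stanza whose effective
    timefield is not the one the page lists for its table. Custom tables not in
    the list are reported so a human can confirm the field by hand."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = {}
    for stanza in parser.sections():
        if not stanza.startswith("snow://"):
            continue  # not a ServiceNow input (assumed stanza prefix)
        table = parser.get(stanza, "table", fallback="")
        configured = parser.get(stanza, "timefield", fallback=None)
        effective = configured or PAGE_DEFAULT_TIME_FIELD
        expected = TIME_FIELD_BY_TABLE.get(table)
        if expected is None:
            findings[stanza] = (f"table {table!r} is not in the page's list; "
                                f"confirm {effective!r} is its checkpoint timestamp")
        elif effective != expected:
            how = "defaulted to" if configured is None else "set to"
            findings[stanza] = (f"timefield {how} {effective!r} but the page lists "
                                f"{expected!r} for {table!r}")
    return findings


if __name__ == "__main__":
    for stanza, finding in check_timefields(SAMPLE_INPUTS_CONF).items():
        print(f"{stanza}: {finding}")
```

On the constructed file this flags events_prod (em_event should use time_of_event), audit_prod (sys_audit is listed with sys_created_on, but the stanza inherits the sys_updated_on default) and custom_app (a custom table the page does not cover), and leaves incident_prod alone.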