Troubleshoot the Splunk App for ServiceNow
Duplicate inputs for some tables
If you upgraded your Splunk Add-on for ServiceNow from a version earlier than 2.7.0, you might see the following inputs listed on the ServiceNow Data Input page.
These are duplicates with the inputs of the same name that do not have _list at the end, and are no longer functional.
If you see these inputs, follow the migration instructions in the Release notes for the Splunk Add-on for ServiceNow in the Splunk Add-on for ServiceNow manual, part of the Supported Add-ons documentation.
Find relevant errors
Search for the following event types to find errors relevant to the Splunk App for ServiceNow.
eventtype=snow_ta_log_error for all errors related to the add-on functionality.
eventtype=snow_ta_collector_error for all errors related to data collection from ServiceNow.
eventtype=snow_setup_error for all errors related to the setup configuration.
eventtype=snow_ticket_error for all errors related to creating events/incidents in ServiceNow from the Splunk platform.
If you find that you are not getting data for all of the inputs that you have enabled, verify that the ServiceNow account that you are using to connect to your ServiceNow instance from the Splunk platform has, at minimum, read-only access to all of the database tables from which you are attempting to collect data. Then, disable and enable the inputs for which you were not receiving data.
Custom search commands, alert actions, or alert-triggered scripts fail with no results
Verify that you have successfully integrated your ServiceNow instance with your Splunk platform instances. If the configuration is unsuccessful, your searches will return "No results found" and the Splunk platform logs a
u_splunk_incident does not exist error. You can find this error by searching for
If your integration is successful, but incident and event creation is still failing, search
"eventtype=snow_ticket_error" to check what errors are reported. If the failure reason is error code 302, revisit the ServiceNow URL that you entered on the Configure page. Make sure it is correct and does not end with any unnecessary special characters or trailing slashes.
Performance issue caused by large bundle replication
The two largest lookups,
cmdb_rel_ci.csv , cause performance issues with the ServiceNow app 4.0.2 because they are excessively large. To resolve this performance issue, upgrade to Splunk App for Servicenow 4.0.3, which no longer uses these two lookups, then disable the following two saved searches:
- ServiceNow CMDB CI Relation
- ServiceNow CMDB CI List
Create custom inputs for the Splunk App for ServiceNow
Share data in the Splunk App for ServiceNow
This documentation applies to the following versions of Splunk® App for ServiceNow: 4.0.3