Splunk® App for ServiceNow

Installation and Configuration Manual

Download manual as PDF

Download topic as PDF

Troubleshoot the Splunk App for ServiceNow

Duplicate inputs for some tables

If you upgraded your Splunk Add-on for ServiceNow from a version earlier than 2.7.0, you might see the following inputs listed on the ServiceNow Data Input page.

  • cmdb_ci_list
  • cmn_location_list
  • sys_choice_list
  • sys_user_group_list
  • sys_user_list

These are duplicates with the inputs of the same name that do not have _list at the end, and are no longer functional.

If you see these inputs, follow the migration instructions in the Release notes for the Splunk Add-on for ServiceNow in the Splunk Add-on for ServiceNow manual, part of the Supported Add-ons documentation.

Find relevant errors

Search for the following event types to find errors relevant to the Splunk App for ServiceNow.

Search eventtype=snow_ta_log_error for all errors related to the add-on functionality.

Search eventtype=snow_ta_collector_error for all errors related to data collection from ServiceNow.

Search eventtype=snow_setup_error for all errors related to the setup configuration.

Search eventtype=snow_ticket_error for all errors related to creating events/incidents in ServiceNow from the Splunk platform.

Missing data

If you find that you are not getting data for all of the inputs that you have enabled, verify that the ServiceNow account that you are using to connect to your ServiceNow instance from the Splunk platform has, at minimum, read-only access to all of the database tables from which you are attempting to collect data. Then, disable and enable the inputs for which you were not receiving data.

Custom search commands, alert actions, or alert-triggered scripts fail with no results

Verify that you have successfully integrated your ServiceNow instance with your Splunk platform instances. If the configuration is unsuccessful, your searches will return "No results found" and the Splunk platform logs a u_splunk_incident does not exist error. You can find this error by searching for eventtype=snow_ticket_error.

If your integration is successful, but incident and event creation is still failing, search "eventtype=snow_ticket_error" to check what errors are reported. If the failure reason is error code 302, revisit the ServiceNow URL that you entered on the Configure page. Make sure it is correct and does not end with any unnecessary special characters or trailing slashes.

Performance issue caused by large bundle replication

The two largest lookups, cmdb_ci_list_lookup.csv and cmdb_rel_ci.csv , cause performance issues with the ServiceNow app 4.0.2 because they are excessively large. To resolve this performance issue, upgrade to Splunk App for Servicenow 4.0.3, which no longer uses these two lookups, then disable the following two saved searches:

  • ServiceNow CMDB CI Relation
  • ServiceNow CMDB CI List
Create custom inputs for the Splunk App for ServiceNow
Share data in the Splunk App for ServiceNow

This documentation applies to the following versions of Splunk® App for ServiceNow: 4.0.3


Hi Vsingla1 -- I'm not sure what might be causing that. If you have a support entitlement, I'd suggest filing a support case. If you don't, I suggest posting this question to Splunk Answers to get more visibility.

Rpille splunk, Splunker
August 31, 2017

I installed the app on a standalone search head. As a first step after installing the app, On configuration page the app gives the below error:
Unexpected error "" from python handler: "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:603)". See splunkd.log for more details.
Does any one have any idea about this?

August 28, 2017

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters