So we just enabled our ServiceNow connector on a heavy forwarder of ours to ingest all of our data in our ServiceNow Cloud via the API. The problem we're running into is that our ServiceNow database is so huge that it's hanging up on the sys_audit table and it's hindering other company activities because ServiceNow is telling those users that there are too many connections.
So I tried to disable that input in Splunk and told Splunk not to ingest anything from sys_audit, sys_log, syslog_transactions because, well, I really don't need that data for what we're attempting to accomplish. Once I disabled those, I bounced the heavy forwarder, but we're still seeing in the logs both on the forwarder and the SN logs that we're still attempting to pull that data from it.
Anyone got any suggestions on how to not pull in this data? Thank you all for your help in advance.