How to audit records deleted from "Deleted Records" table

Go to solution
saahilkumar
Tera Contributor

‎05-30-2017 01:28 AM

Hi All,

Records deleted from a table say Incident table is stored in Deleted Record. However, what if the record is further deleted from Deleted Records(sys_audit_delete_) table. Is there a way to audit it.

Requirement is to find an Incident number that triggered SLA breach notifications to a set of users in a group but when I look for the incident number in my instance, it is nowhere to be found. I checked in incident archive(Incident was not there). Also, in   task_sla table and could see that the incident is recorded in task_sla table as being breached. But when I try to reopen the incident, it is not found, I suspect the incident number has been deleted from the system.

below is the screenshot I get while trying to open the incident from the task_sla table

find_real_file.png

Thanks in advance

Preview file
2 KB
0 Helpfuls
  • 9,685 Views
1 ACCEPTED SOLUTION

Go to solution
Goran WitchDoc
ServiceNow Employee
ServiceNow Employee

‎05-30-2017 01:36 AM

if   you go into the sys_audit table, you can see who deleted the incident like this:



find_real_file.png



Btw, if you don't know who   deleted stuff in production, I would recommend looking over the people having access right to delete. Seems to be to many of them.



//Göran


View solution in original post

Preview file
202 KB
5 REPLIES 5

Go to solution
Goran WitchDoc
ServiceNow Employee
ServiceNow Employee

‎05-30-2017 01:36 AM

if   you go into the sys_audit table, you can see who deleted the incident like this:



find_real_file.png



Btw, if you don't know who   deleted stuff in production, I would recommend looking over the people having access right to delete. Seems to be to many of them.



//Göran


Preview file
202 KB

Go to solution
saahilkumar
Tera Contributor
In response to Goran WitchDoc

‎05-30-2017 03:44 AM

Hi Goran,



Thanks for the assistance. However, the sys_audit table in my production instance is so big that it doesn't open at all, it keeps refreshing if try opening on it. Not sure how can I   query on this table.


I would have applied filter, but for then the records in sys_audit table doest appear at all. Is there a way that I can check on this table



Note: sys_audit table in my sub-prod instance do open though it takes a bit longer to open




Thanks in advance


0 Helpfuls

Go to solution
Annay Das3
Giga Contributor
In response to Goran WitchDoc

‎06-25-2019 12:37 PM

Hi Göran, Thanks for your tip to look in sys_audit table, I'm able to trace my missing record. However, in the audit table I find an entry, "Field: DELETED"... does that point to when and by whom was the record deleted? Or it just means some particular form field was there which has now been removed from the form? Please help on this, it's the last loose end before I wind up my investigation into the missing record issue in production.
0 Helpfuls

Go to solution
Goran WitchDoc
ServiceNow Employee
ServiceNow Employee
In response to Annay Das3

‎06-26-2019 07:16 AM

Hi Annay,

That is true. that is when the record was deleted. In a baseline installation, audit isn't turned on for recording changed on what is visible on a form.

//Göran
Feel free to connect:
LinkedIn
Subscribe to my YouTube Channel
or look at my Book: The Witch Doctor’s Guide To ServiceNow