Issue with PA App Sec job
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-24-2023 07:00 AM
The [PA App Sec] Daily Data Collection job is running with errors. The specific error is "Result has xx,xxx records. Only allowed subset of 5,000 records are stored." I've got a few questions, looking for advice:
1. I disabled this job, so why is it still running? [PA AppSec] Daily Data Collection runs twice - Support and Troubleshooting (servicenow.com) seems to try to explain it, but not quite. I also changed the frequency to 'On Demand' but I'm getting this error every HOUR.
2. How can I edit this one indicator? 'Security constraints' won't allow me to disable the 'collect records' or even disable or delete this indicator. I don't want to change the 5,000 property just because of this one problematic indicator.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-11-2023 02:11 PM
Hey @Ryan S,
We had the same issue and found a scheduled script execution, '[AppSec] Daily Data Management', that runs the '[PA AppSec] Daily Data Collection' job. You should find it at the link below updating it with your instance:
[your_instance].service-now.com/nav_to.do?uri=sysauto_script.do?sys_id=2b98d54f53332300628eddeeff7b120b
1. What the knowledge article you referenced doesn't mention is that the data collection job will be executed even if it's inactive. To keep the job from running, comment out the following code in '[AppSec] Daily Data Management':
// get PA job and execute it.
var appsec_pa_job = new GlideRecord(constants.tables.SYSAUTO_PA);
if(appsec_pa_job.get('name', constants.jobNames.APPSEC_DAILY_DATA_COLLECTION)){
SncTriggerSynchronizer.executeNow(appsec_pa_job);
}
2. I'm not sure you can delete that indicator, but if you make the change above you won't have to worry about the data collection errors.
If you decide to enable that data collection, you can override the system property for maximum number of records at the indicator source, but not the individual indicator. Select ‘Override records collection’ on the Records Collection tab and update the value. This will only affect the indicators related to that indicator source. The 'Collect records' on the indicator is just to save the related records on the Analytics Hub view (setting this to false will not affect the indicator’s score).
Hope that helps!
-Dillon
