Correcting (Editing Deleting) Comments and Work Notes - ben-vargas/servicenow-wiki GitHub Wiki

This article describes how to edit or delete a comment or work note from a ServiceNow record that contains sensitive or inappropriate information. It addresses the need to modify these journal entries and their associated audit data to ensure data accuracy and compliance.

The Challenge

In ServiceNow, comments and work notes are stored as journal entries, and their changes are tracked through the audit log. While these features provide a valuable audit trail, they also present a challenge when a comment or work note containing sensitive or inaccurate information needs to be corrected. Deleting the original comment or note from the UI does not remove it from the underlying tables.

Solution Overview

To address this, you'll need to modify the journal entry directly in the sys_journal_field table and its corresponding audit entry in the sys_audit table. Additionally, if your instance uses History Sets, you will also need to purge those to have them rebuilt with the correct data.

Important Considerations

  • Direct Table Manipulation: Directly modifying records in sys_journal_field and sys_audit should be done with extreme caution. Always back up your data or test in a non-production environment first.
  • Performance: Querying the sys_audit table without proper filtering can seriously impact performance due to the potential volume of records. Make sure to use specific queries when querying this table.
  • Auditing: Understand that modifying these tables will alter the audit trail and this should be done with care.

Steps for Correcting a Comment or Work Note

  1. Obtain the Record's sys_id:

    • Open the ServiceNow record that contains the comment or work note you want to correct.
    • Right-click on the header of the record and select Copy URL to Clipboard.
    • The URL will contain the record's sys_id, like this: https://<instance-name>.service-now.com/nav_to.do?uri=incident.do?sys_id=85befb1c4a34bb12013b216a9fd5fee8
    • Extract the sys_id from the URL (e.g., 85befb1c4a34bb12013b216a9fd5fee8).

  2. Update the Journal Entry:

    • Navigate to the sys_journal_field table using the following URL, replacing <instance-name> and the sys_id extracted in the previous step: https://<instance-name>.service-now.com/sys_journal_field_list.do?sysparm_query=element_id=85befb1c4a34bb12013b216a9fd5fee8
    • This will show all journal entries associated with that record.
    • Locate the specific journal entry you want to modify.
    • You can edit the value field of the record or delete the entire record. Make changes as necessary to remove the sensitive data.

  3. Update the Audit Entry:

    • Navigate to the sys_audit table using the following URL, replacing <instance-name> and the sys_id: https://<instance-name>.service-now.com/sys_audit_list.do?sysparm_query=documentkey=85befb1c4a34bb12013b216a9fd5fee8
    • Locate the specific audit entry corresponding to the journal entry you modified.
    • You can either update the specific field or delete the audit record.

  4. Rebuild History Sets (If Necessary):

    • This step is only required if your instance uses history sets and the property glide.sys.activity_using_audit_direct is set to false. If direct auditing is being used, this step is not required.
    • Navigate to the sys_history_set table using the following URL, replacing <instance-name> and the sys_id: https://<instance-name>.service-now.com/sys_history_set_list.do?sysparm_query=id=85befb1c4a34bb12013b216a9fd5fee8
    • Locate all history set records related to this record.
    • Delete these history sets. Deleting the history set does not delete the underlying audit data.
    • The History Sets will be rebuilt the next time a user views the record, reflecting your changes in the audit and journal tables.

Best Practices

  • Backup: Before making any direct changes to sys_journal_field or sys_audit, create a backup of your data.
  • Non-Production Testing: Test these procedures in a non-production instance first to understand the full impact of these changes.
  • Specific Queries: When querying the sys_audit table, use the document key parameter as shown above, rather than querying the entire table, as this will cause performance issues.
  • Audit Trail Awareness: Be aware that these steps alter the audit trail. Document your actions and the reasons for the change.
  • Limited Access: Restrict access to these steps to only authorized administrators to prevent unintended consequences.
  • Automation: If you frequently perform these actions, consider creating a custom script to automate this process using GlideRecord. However, do so with extreme care and caution and limit access to the script.
  • Use the correct table: There is also the table sys_audit_delete which is specifically for tracking deleted records.

Example Server-Side Script (for Automation - Use with Extreme Caution)

This script shows an example of using GlideRecord to automate the process. This script should only be used with proper understanding and care.

(function() {
    // Input Values
    var recordSysId = 'SYS_ID_GOES_HERE';  // Replace with the sys_id of the target record
    var journalValueToFind = 'INCORRECT COMMENT'; // Replace with the value of the comment or work note
    // Use "" to delete the record instead of editing.
    var journalNewValue = 'CORRECTED COMMENT'; // Replace with the corrected comment or work note value

    try {
        // Update Journal Entry
        var journalGr = new GlideRecord('sys_journal_field');
        journalGr.addQuery('element_id', recordSysId);
        journalGr.addQuery('value', 'CONTAINS', journalValueToFind);
        journalGr.query();
        while (journalGr.next()) {
            if (journalNewValue == "") {
                journalGr.deleteRecord();
            } else {
                journalGr.value = journalNewValue;
                journalGr.update();
            }
        }

        // Update Audit Entry
        var auditGr = new GlideRecord('sys_audit');
        auditGr.addQuery('documentkey', recordSysId);
        auditGr.addQuery('newvalue', 'CONTAINS', journalValueToFind);
        auditGr.query();

        while (auditGr.next()) {
            if (journalNewValue == "") {
                auditGr.deleteRecord();
            } else {
                auditGr.newvalue = journalNewValue;
                auditGr.update();
            }
        }

        // Rebuild History Sets (if required)
        if (gs.getProperty('glide.sys.activity_using_audit_direct') != 'true') {
            var historySetGr = new GlideRecord('sys_history_set');
            historySetGr.addQuery('id', recordSysId);
            historySetGr.query();
            while (historySetGr.next()) {
                historySetGr.deleteRecord();
            }
        }

        gs.info("Changes made to records for sys_id: " + recordSysId);
    } catch (ex) {
        gs.error("An error occurred while trying to update the audit or journal entries: " + ex);
    }
})();

Conclusion

This article has outlined the necessary steps to correct or delete a problematic comment or work note, and their related audit trail, in ServiceNow. By manually or using the provided code (with extreme caution) making these changes, you can ensure the accuracy of your records, and maintain proper security and data integrity. Remember to always test any modifications in a non-production environment and exercise caution when working with audit data or system tables.