topic Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident? in All Apps and Add-ons

Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

_gkollias — Tue, 29 Sep 2020 19:27:25 GMT

Hi All!

I am looking for best practices around how to update the Splunk Add-on for ServiceNow to populate custom mandatory fields in an Incident only. To create a new parameter (e.g. action.snow_incident.param.<custom field>), the most notable files to update that I can see are the following:

snow_incident_base.py
snow_incident_m.py
eventgen.conf
updating/ creating CSVs under /samples (may not be necessary, but would update here to be consistent)
snow_incident.html for front end interaction with workflow actions

Are there other scripts or.conf files out there that need to be updated in order to make this successful on either the Splunk or ServiceNow side?

Thanks in advance!

Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

sloshburch — Tue, 15 May 2018 00:55:22 GMT

Trying to help but out of my knowledge realm. Was there no good documentation on this type of thang? Or was there a specific docs page that got you close that's worth highlighting for context?

Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

_gkollias — Tue, 15 May 2018 14:10:50 GMT

Nah, aint no thang. This page is helpful but doesn't quite get me there with customizing:

http://docs.splunk.com/Documentation/AddOns/latest/ServiceNow/Usecustomalertactions

What I have listed above is almost there. The behavior I see after adding to the above scripts and files is - Incidents are created, but seem to be stored behind the scenes. What I mean by this is after I revert back to the orig scripts, all of the INC that were created using the new ones appear in Service-Now. I poked around in the Splunk App for ServiceNow, but I don't see anything that appears to need updating for populating custom fields, although I may have overlooked something.

Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

sloshburch — Wed, 16 May 2018 15:51:22 GMT

Cool. Thanks for adding that context and what helped. Lemme see what other eyes I can get on this.

Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

_gkollias — Wed, 16 May 2018 16:02:31 GMT

Thank you!

Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

mreynov_splunk — Wed, 16 May 2018 19:36:14 GMT

Integration works as follows: when incident data hits SNOW, it is first entered into an interstitial table "Splunk Incident".
Therefore to make this work you will need to adjust that table definition on the SNOW side. (This is part of the "Splunk Integration" SNOW app.
Then you will need to change a few files, depending on the type of action you want to use (alert has custom UI, for example).

With the above said, let me ask you this:
- can you include this data in the description field?
- can you set these fields using custom workflow on the SNOW side?

Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

_gkollias — Tue, 19 Jun 2018 20:01:22 GMT

Hey - did you happen to hear back from anyone on this?

Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

sloshburch — Wed, 20 Jun 2018 13:00:21 GMT

Peek at the response from @mreynov. There's no one more qualified 😉

Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

_gkollias — Tue, 06 Nov 2018 16:04:59 GMT

Hi! The answer should be yes to both of your questions.

Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

_gkollias — Thu, 10 Jan 2019 23:02:40 GMT

The answer to my question is to use snowincidentstream command. For a list of all commands, please review this documentation.

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts

I worked with a member of our internal SNow team, and we mapped values in Splunk to custom fields in the Incident. Then, we added the respective SNow arguments in the SPL - this left us with a lot of flexibility to add more fields than there are in the alert action UI! I highly recommend this - here are the docs with search examples:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usestreamingcommands

SplunkRules

Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

chrisyounger — Mon, 30 Sep 2019 00:09:54 GMT