topic Re: snowincident command not working, its not getting detected as search/spl command in All Apps and Add-ons

snowincident command not working, its not getting detected as search/spl command

nishad_tupe — Wed, 30 Sep 2020 03:57:44 GMT

Hello,

I have installed Service Now Add on App, my service now administrator has followed all the steps needed from the Service now side.
Using the alert action with ServiceNow incident integration works fine and creates incidents in service now. However, we have limited fields that we can define in the ServiceNow alert action like we cannot define field IMPACT and Servicenow auto assigns the impact.

So I wanted to use a custom generating command that gives me flexibility to generate the SeviceNow incident with additional fields as parameters. Here is my search (My alert condition if servers exceed > 90% cpu) raise ServiceNow incident

index=os host=* sourcetype=cpu cpu=all NOT(
[| inputlookup servers.csv
| where status="decom" OR status="complete blacklist" OR status="DC Outage"
| rename target as host
| table host])
| eval PercentCPULoad = 100 - pctIdle
| stats min(PercentCPULoad) as PercentCPULoad by host
| eval hostname=upper(mvindex(split(host,"."),0))
| where PercentCPULoad >= 90
| eval timestamp=strftime(now(),"%Y-%m-%d %H:%M:%S")
| eval Impact = 1
| snowincident --account "ServiceNow Dev" --category "Hardware" --correlation_id timestamp.":".hostname --impact 1 --state 1 --contact_type "Email" --short_description "Nishad - Splunk Created - CPU utilization is".PercentCPULoad." on ".hostname." Threshold - 90 <= ".PercentCPULoad." <=100" --assignment_group "Tools Testing Group" ci_identifier=hostname

However, this doesn't work and I get below error message.
*Error in 'snowincident' command: This command must be the first command of a search. *

As per Splunk documentation, there certain steps that we need to carry on the ServiceNow server to integrate with Splunk, my SNOW administrator confirmed that he has followed all the steps as per the below documentation.

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/ConfigureServiceNowtointegratewithSplunkEnterprise

Can you please suggest what is missing, for searching I am using the SNOW_TA app the command 'snowincident' is not detected.

Re: snowincident command not working, its not getting detected as search/spl command

to4kawa — Thu, 30 Jan 2020 22:24:14 GMT

try workflow
workflow

Re: snowincident command not working, its not getting detected as search/spl command

spayneort — Sun, 02 Feb 2020 16:12:40 GMT

Use the snowincdentstream command instead.

Convert the --account "ServiceNow Dev" --category "Hardware" --correlation_id timestamp.":".hostname --impact 1 --state 1 --contact_type "Email" --short_description "Nishad - Splunk Created - CPU utilization is".PercentCPULoad." on ".hostname." Threshold - 90 <= ".PercentCPULoad." <=100" --assignment_group "Tools Testing Group" ci_identifier=hostname part of your search to eval statements and then add | snowincdentstream at the end.

Example from above documentation:

The following example search creates an incident when CPU usage is 95 or higher.

sourcetype="CPURates" earliest=-5m latest=now 
| stats avg(CPU) as CPU last(_time) as time by host 
| where CPU>=95 | eval contact_type="email" 
| eval ci_identifier=host | eval priority="1" 
| eval category="Software" | eval subcategory="database" 
| eval short_description="CPU on ". host ." is at ". CPU 
| eval account="user1"
| snowincidentstream

Re: snowincident command not working, its not getting detected as search/spl command

nishad_tupe — Mon, 03 Feb 2020 20:44:58 GMT

Hello, thanks Spayneort -
Yes, I tried this and it works as expected. Though there is one glitch at least from the ServiceNow implementation side.
I cannot pass certain arguments for e.g. description -> that maps the ServiceNow description field.
ServiceNow TA App Python files come with default parameters and unfortunately not all fields are available.
For e.g., I want to pass the description even if Eval - it doesn't get mapped to the description field in service now because incident_base.py is missing that field any idea how can we pass more custom fields.

Re: snowincident command not working, its not getting detected as search/spl command

nishad_tupe — Mon, 03 Feb 2020 20:47:37 GMT

The workflow works for incident data you are bringing from the service now database, where you can have drill down on specific search/report/dashboard and it will open up the ServiceNow incident for details.
Hope this helps.

Re: snowincident command not working, its not getting detected as search/spl command

spayneort — Mon, 03 Feb 2020 21:13:16 GMT

See https://answers.splunk.com/answers/736869 for instructions on adding additional fields.

There is also https://splunkbase.splunk.com/app/4811/. This app does not require the integration to be set up on the ServiceNow side and allows more fields to be used by default.

Re: snowincident command not working, its not getting detected as search/spl command

nishad_tupe — Mon, 03 Feb 2020 21:54:13 GMT

Thank you once again, indeed this is a great help. As per the post, https://answers.splunk.com/answers/736869, I am not interested in UI so following the first two steps will give me the required fields right, I don't want to have changes in the HTML since I am not using UI based alert action.