topic Re: Splunk add-on for ServiceNow - send csv results from alert action in All Apps and Add-ons

Splunk add-on for ServiceNow - How to send csv results from alert action?

jformosa — Tue, 09 Aug 2022 13:46:56 GMT

I would either like to send the results table as the description field to ServiceNow or be able to pass the csv results and attach it to the opened incident ticket.
The goal is to work the ticket from ServiceNow without having to go into Splunk to review the results.

As of now in the description field i am passing
$result.src_ip$ $result.dest_ip$ $result.threat_intel_list$ $result.threat_match_field$ $result.threat_collection$ $result.original_sourcetype$ $result.count$
but the only passes the first result of the report.

Has anyone be able to pass the all the search results into a single ServiceNow ticket?

Re: Splunk add-on for ServiceNow - send csv results from alert action

joga — Mon, 08 Aug 2022 14:52:48 GMT

I am also working on case like this. How ever I found a way to do the same using existing integration. You can use the | stats to output all the results in one column. It will be messy for sure. Also in Service now ticket there is a character limit to all the fields like description , short description. you have to keep that in mind too before setting up alert like this.

| stats values(fieldname) by some field

Re: Splunk add-on for ServiceNow - send csv results from alert action

joga — Mon, 08 Aug 2022 14:54:34 GMT

have you got any solution for this? I am willing to attach the csv of the results to be attached in the SNOW ticket. That would be really great.