topic Re: How do I change the value of a field if a condition occurs? in Splunk Search

How do I change the value of a field if a condition occurs?

diogenesloazeve — Thu, 07 May 2020 13:24:00 GMT

Hi community!

I'm using Splunk Entreprise to create dashboards with my client's ServiceNow incident information.

My company only look at tickets from assignment_group A.
So, I have a ticket X that belongs to assignment_group A with Status "New".
However, this ticket changed to assignment_group B and is no longer serviced by my company. This will result in a second ServiceNow extraction, that ticket will not appear.

So, I need to create a logic so that when this happens, Splunk changes the Status of ticket X to "Reassigned".

Does anyone know how to do this?
Thanks!

Re: How do I change the value of a field if a condition occurs?

richgalloway — Thu, 07 May 2020 13:36:21 GMT

How does Splunk know this has happened?

Re: How do I change the value of a field if a condition occurs?

diogenesloazeve — Thu, 07 May 2020 14:17:24 GMT

Hi richgalloway!

The ticket X will already be in the index, as it entered as assignment_group A and Status New.
However, as ticket X will not appear in the next ServiceNow extraction, Splunk should only change the Status to Reassigned.

Is it possible to create such a rule?

Re: How do I change the value of a field if a condition occurs?

richgalloway — Thu, 07 May 2020 14:33:57 GMT

I'm not sure my question was answered so I'll re-phrase it. What data does Splunk see that tells it the ticket was re-assigned?

Re: How do I change the value of a field if a condition occurs?

diogenesloazeve — Thu, 07 May 2020 14:39:47 GMT

In fact, there is no field to indicate this.
Basically, if I have a ticket in the index and it no longer appears in the new extractions, it must change the status to reassigned

Re: How do I change the value of a field if a condition occurs?

DalJeanis — Thu, 07 May 2020 14:45:08 GMT

so, will Splunk know that there has been an extraction that does not contain this incident? For instance, can you find the most recent extraction date, and if there is no record for that incident with that extraction date, then create a new record with the status as "reassigned"?

Re: How do I change the value of a field if a condition occurs?

richgalloway — Thu, 07 May 2020 14:59:52 GMT

Still not clear on the detection method, but I want to ask: Do you expect the change the indexed data to reflect the new status? If so, that is not possible. Splunk does not allow indexed data to be changed at all.

Re: How do I change the value of a field if a condition occurs?

diogenesloazeve — Thu, 07 May 2020 16:57:51 GMT

Understood. So is there a way that when this happens, Splunk will create a new ticket with the same information and just change the status to reassigned?

Re: How do I change the value of a field if a condition occurs?

richgalloway — Thu, 07 May 2020 17:01:40 GMT

And we're back to where we started. "when this happens" really needs to be a discrete event that Splunk can detect and then act on.

Re: How do I change the value of a field if a condition occurs?

diogenesloazeve — Thu, 07 May 2020 17:05:12 GMT

And is there a way to make Splunk detect an event like this?

Re: How do I change the value of a field if a condition occurs?

shivanshu1593 — Thu, 07 May 2020 17:42:47 GMT

That's what Rich is asking. my friend. Helping to clarify his question more, when the incident, let's name it INC001 for our example, gets reassigned from assignment_group A to assignment_group B in ServiceNow, does ServiceNow send some sort of event to Splunk, saying that INC001 has been reassigned to a new group? If so, only then we can conjure up some SPL to help you change the assignment. If not, then it's not possible, cos there's no other way for Splunk to know if the assignment group of the Incident was changed.

Hope this helps you to clarify the doubts here.