https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300621#M90506 <P>Refer below doc and try to place lookup at specified position:</P> <P><A href="https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Lookups">https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Lookups</A></P> Wed, 04 Apr 2018 12:30:31 GMT p_gurav 2018-04-04T12:30:31Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300617#M90502 <P>Hi Team,</P> <P>Got a request to configure a lookup called cmdb_ci_computer.csv that containing anything with subcategory of computer in a sourcetype=cmdb_ci_list? This should be configured under Splunk_TA_snow/local/savedsearch.conf.<BR /> Could please guide me how to create and configure this lookup.</P> <P>thanks in advance. </P> Tue, 29 Sep 2020 18:45:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300617#M90502 Hemnaath 2020-09-29T18:45:57Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300618#M90503 <P>Hi All,<BR /> Can anyone guide me on this </P> Mon, 02 Apr 2018 17:14:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300618#M90503 Hemnaath 2018-04-02T17:14:18Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300619#M90504 <P>Hi All, </P> <P>Any help will be much appreciated. </P> Tue, 03 Apr 2018 10:35:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300619#M90504 Hemnaath 2018-04-03T10:35:28Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300620#M90505 <P>Hi All, </P> <P>Can anyone throw me some lights on this, I want to know to how to configure a lookup in splunk_TA_servicenow.</P> Tue, 29 Sep 2020 18:46:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300620#M90505 Hemnaath 2020-09-29T18:46:25Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300621#M90506 <P>Refer below doc and try to place lookup at specified position:</P> <P><A href="https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Lookups">https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Lookups</A></P> Wed, 04 Apr 2018 12:30:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300621#M90506 p_gurav 2018-04-04T12:30:31Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300622#M90507 <P>Hi Gurav, thanks for your inputs, but I had gone through this document and created the below steps, could please guide me whether steps are correct .</P> <PRE><CODE>1) Create a empty csv file under Splunk_TA_snow/lookup/cmdb_ci_computer.csv 2) Create a Eventtype [snow_cmdb_ci_Computer] search = sourcetype=snow:cmdb_ci_Computer 3) Map the eventtype in the /local/savedsearches.conf [ServiceNow CMDB CI Computer] disabled = 0 action.email.reportServerEnabled = 0 action.email.useNSSubject = 1 alert.track = 0 cron_schedule = 0 * * * * description = Saved search which populates the CMDB CI Computer from ServiceNow dispatch.earliest_time = 0 dispatch.latest_time = now display.general.type = statistics display.visualizations.show = 0 enableSched = 1 request.ui_dispatch_app = search request.ui_dispatch_view = search search = eventtype=snow_cmdb_ci_computer | dedup sys_id | fields - _bkt, _cd,_indextime,_kv,_raw,_serial,_si,_sourcetype,_subsecond, punct, index, source, sourcetype | inputlookup append=t cmdb_ci_computer_lookup | dedup sys_id | outputlookup cmdb_ci_computer_lookup </CODE></PRE> Wed, 04 Apr 2018 12:36:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300622#M90507 Hemnaath 2018-04-04T12:36:23Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300623#M90508 <P>Do you want to create new lookup or use existing in query?</P> Wed, 04 Apr 2018 13:12:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300623#M90508 p_gurav 2018-04-04T13:12:55Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300624#M90509 <P>I want to use existing in the query </P> Wed, 04 Apr 2018 13:37:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300624#M90509 Hemnaath 2018-04-04T13:37:51Z https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300625#M90510 <P>Hi Gurav, the below steps helped me to get the required output.</P> <P>Procedure : </P> <PRE><CODE>1) First executed a simple search command to filter the sourcetype containing only with the field values called Computer from the seleclted field=subcategory sourcetype=snow:cmdb_ci_list subcategory=Computer 2) Created a Eventtype in the props.conf with the sourcetype=snow:cmdb_ci_list subcategory=Computer along with other exesisting eventtype in the Splunk_Ta_Snow app Eventtype [snow_cmdb_ci_Computer] search = sourcetype=snow:cmdb_ci_list subcategory=Computer 3) Created a Savedsearch query with the newly created eventtype to filter the events contains anything with subcategory of "Computer". [ServiceNow CMDB CI SUB COMP List] disabled = 0 action.email.reportServerEnabled = 0 action.email.useNSSubject = 1 alert.track = 0 cron_schedule = 0 * * * * description = Saved search which populates the CMDB CI contains anything with subcategory of "Computer" dispatch.earliest_time = 0 dispatch.latest_time = now display.general.type = statistics display.visualizations.show = 0 enableSched = 1 request.ui_dispatch_app = search request.ui_dispatch_view = search search = eventtype=snow_cmdb_ci_Computer | dedup sys_id | fields - _bkt, _cd,_indextime,_kv,_raw,_serial,_si,_sourcetype,_subsecond, punct, index, source, sourcetype | inputlookup append=t cmdb_ci_list_lookup | dedup sys_id | outputlookup cmdb_ci_list_lookup 4) After finishing with the above steps the app was pushed to the search head cluster environement via deployer. /opt/splunk/bin ./splunk apply shcluster-bundle --answer-yes -target <A href="https://splunkinstancename:8089" target="test_blank">https://splunkinstancename:8089</A> -auth admin:password 5) We are able to see the required output in splunk with the events containing the field values called Computer from the seleclted field=subcategory. </CODE></PRE> Thu, 05 Apr 2018 14:41:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-lookup-in-Splunk-Add-on-for-ServiceNow/m-p/300625#M90510 Hemnaath 2018-04-05T14:41:00Z