- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- How to get the incident number for alert action
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get the incident number for alert action
I am using Splunk add-on for ServiceNow in my ITSI instance. I have configured Create SNOW incident action for the episode which is successfully creating incident in ServiceNow.
As a next step I wan to inform the operations team about the recently created incident so I have configured another action for the same episode to send email. But I dont know how I can get the number of the recently created incident which I can send in the email subject line?
Can anyone guide me on this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can base the alert on this search
| rest /servicesNS/-/-/saved/searches
| search title="*"
| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV"
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1")
| table title lastUpdated, nextRunTime, emailTo action.lookup.filename, query, severity
| fillnull value=""
| sort -lastUpdatedThis search show you all triggered alerts and correlation searches
if you want set to monitor only 1 alert/correlation search put the name search on this filter
| search title="<search title>"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aasabatini for your response. However, I am not clear on how I can get the incident number from this search. Basically I have an aggregation policy with 2 action rules
1. Creates SNOW incident using one of the action of Splunk add-on for ServiceNow
2. Calls send email alert action
Now my requirement is I need to embed the number of the incident (INCXXX) just created as a result of action #1 above in the body or subject line of the email.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
