Alerting

How to get the incident number for alert action

santosh_sshanbh
Path Finder

I am using the Splunk Add-on for ServiceNow in my ITSI instance. I have configured the Create SNOW incident action for the episode, which is successfully creating an incident in ServiceNow.

As a next step I want to inform the operations team about the recently created incident, so I have configured another action for the same episode to send an email. But I don't know how I can get the number of the recently created incident, which I can send in the email subject line.

Can anyone guide me on this?

0 Karma

aasabatini
Motivator

Hi @santosh_sshanbh

You can base the alert on this search

| rest /servicesNS/-/-/saved/searches
| search title="*"
| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV"
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4", SEV == "3", "Warning-3", SEV == "2", "Low-2", SEV == "1", "Info-1")
| table title, lastUpdated, nextRunTime, emailTo, action.lookup.filename, query, severity
| fillnull value=""
| sort -lastUpdated

This search shows you all triggered alerts and correlation searches.

If you want to monitor only one alert/correlation search, put the search name in this filter:

| search title="<search title>"

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

santosh_sshanbh
Path Finder

Hi @aasabatini, thanks for your response. However, I am not clear on how I can get the incident number from this search. Basically I have an aggregation policy with 2 action rules:

1. Creates a SNOW incident using one of the actions of the Splunk Add-on for ServiceNow

2. Calls the send email alert action

Now my requirement is that I need to embed the number of the incident (INCXXX) just created as a result of action #1 above in the body or subject line of the email.

0 Karma
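One way to close the gap between the two action rules, as an added example that is not code from the Splunk Add-on for ServiceNow or from either poster: assume the incident action was configured to write the episode id into the incident's correlation_id field (an assumption; correlation_id is a standard ServiceNow task field), then a follow-up step can query the ServiceNow Table API for the incident carrying that id and build the e-mail subject from the returned INC number. The instance name, episode id and the embedded API response are constructed sample values.

```python
"""Find the ServiceNow incident created for an ITSI episode and build the
notification subject.  Added example, not add-on code.  Assumes the
incident action stamps the episode id into correlation_id (assumption)."""
import json
import urllib.parse
import urllib.request


def build_lookup_url(instance, episode_id):
    """Table API query for incidents whose correlation_id equals the episode id.
    urlencode() escapes the id, so it cannot alter the encoded query."""
    params = {
        "sysparm_query": f"correlation_id={episode_id}",
        "sysparm_fields": "number,sys_id,short_description",
        "sysparm_limit": "2",  # ask for 2 so a duplicate can be detected
    }
    base = f"https://{instance}.service-now.com/api/now/table/incident?"
    return base + urllib.parse.urlencode(params)


def incident_number_from_response(body):
    """Parse a Table API JSON body and return exactly one INC number.
    Zero hits usually means the incident action has not finished yet;
    more than one means the correlation_id is not unique, so refuse to guess."""
    results = json.loads(body).get("result", [])
    if not results:
        raise LookupError("no incident with this correlation_id yet")
    if len(results) > 1:
        raise LookupError("more than one incident carries this correlation_id")
    return results[0]["number"]


def email_subject(episode_title, incident_number):
    """Subject line that leads with the INC number the ops team will search for."""
    return f"[{incident_number}] {episode_title}"


def fetch_incident_number(instance, episode_id, auth_header, opener=urllib.request.urlopen):
    """Live lookup; auth_header is e.g. a Basic or Bearer value (assumed)."""
    req = urllib.request.Request(
        build_lookup_url(instance, episode_id),
        headers={"Accept": "application/json", "Authorization": auth_header},
    )
    with opener(req) as resp:
        return incident_number_from_response(resp.read().decode())


# Constructed sample response in the shape the Table API returns.
SAMPLE_RESPONSE = json.dumps({"result": [
    {"number": "INC0010042", "sys_id": "0123abcd", "short_description": "Disk full"}]})

if __name__ == "__main__":
    number = incident_number_from_response(SAMPLE_RESPONSE)
    print(email_subject("Episode: disk usage critical on web-01", number))
```

Run it as a scheduled script or a small custom alert action that fires after the incident action, retrying while the lookup raises on zero hits.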