Splunk ServiceNow Integration snowincidentstream e...

Alerting

Hello everyone!

I'm trying to get Splunk to create an incident in ServiceNow when an alert is triggered. I'm using the "snowincidentstream" command, but receive an error that says "command="snowincidentstream", Failed to create ticket. Return code is 400. Reason is Bad Request".

I'm following the example in the docs running a query similar to that below:

sourcetype="CPURates" earliest=-5m latest=now
| stats avg(CPU) as CPU last(_time) as time by host
| where CPU>=95
| eval category="Software"
| eval contact_type="Phone"
| eval ci_identifier="8214eb87c0a8018b7bd0919758dcc3c2"
| eval priority="1"
| eval subcategory="Database"
| eval short_description="CPU on ". host ." is at ". CPU ""
| eval account="user"
| eval custom_fields="u_affected_user=nobody||u_caller_id=12345"
| eval correlation_id="de305d51-15b4-411b-adb2-fb6b9e546013"
| snowincidentstream

What could be wrong? Can someone please help?

Thank you so much!

Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...