In the "Splunk Add-On for ServiceNow" app
When configuring an alert to send to ServiceNow using action "ServiceNow Incident Integration"
is it possible to send a list/table of the rows that the alert found?
I know I can reference the fields e.g. $result.CustID$ and $result.CustName$
but that just gives me the last one - how do I get a list if there were 5 rows?
thanks
I believe there is no direct way of doing this unless you hit ServiceNow directly via REST with a custom alert action or similar. However, this may work for the purpose of displaying it in the incident:
... your | makeresults ....
| eval html_row="<tr><td>" . Date . "</td><td>" . Branch . "</td><td>" . FileName . "</td><td>" . ErrorReason . "</td></tr>"
| stats list(html_row) as rows
| eval html_table="<table border='1'><tr><th>Date</th><th>Branch</th><th>FileName</th><th>ErrorReason</th></tr>" . mvjoin(rows, "") . "</table>"
then using $result.html_table$ in the description field.
If ServiceNow doesn't parse HTML, then in a similar fashion, concatenating the result set into one field with some formatting should do the same.
.... your | makeresults ...
| eval header="Date | Branch | FileName | ErrorReason #NEXT#"
| eval myfield=Date." | ".Branch." | ".FileName." | ".ErrorReason."#NEXT#"
| eventstats list(myfield) as mylist
| nomv mylist
| eval resultset=header.mylist
| rex mode=sed field=resultset "s/#NEXT#/\n/g"
| fields resultset
then using $result.resultset$ in the description field.
This is not the exact solution but could be a good workaround.
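The HTML approach above, as an added example that is not part of the thread: it runs over the sample data, escapes `<` and `>` in every cell before the values are wrapped in markup (file names and error text are untrusted input, and the incident description will render whatever tags they contain), and collapses to a single row so that $result.html_table$ carries the whole table whatever the trigger condition. The 50-row cap, the field names `total_rows`, `shown_rows` and `description`, and the third sample row containing `<XML>` are my own choices, constructed to exercise the escaping.

```spl
| makeresults format=csv data="Date,Branch,FileName,ErrorReason
2025-10-13T09:04:43.479+13:00,Taranaki,G00030_202510130Silent_Documents.xml,Access is denied
2025-10-13T10:44:00.788+13:00,Waikato,G00027_Active_R.PDF,Matching of files into pairs was unsuccessful within threshold period. Missing XML file.
2025-10-09T12:00:02.921+13:00,BOP,G00031_Control_totals.xml,Expected <XML> partner file not found"
| foreach Date Branch FileName ErrorReason [ eval <<FIELD>>=replace(replace(<<FIELD>>, "<", "&lt;"), ">", "&gt;") ]
| eval html_row="<tr><td>" . Date . "</td><td>" . Branch . "</td><td>" . FileName . "</td><td>" . ErrorReason . "</td></tr>"
| eventstats count AS total_rows
| head 50
| stats first(total_rows) AS total_rows, count AS shown_rows, list(html_row) AS rows
| eval html_table="<table border='1'><tr><th>Date</th><th>Branch</th><th>FileName</th><th>ErrorReason</th></tr>" . mvjoin(rows, "") . "</table>"
| eval description="Showing " . shown_rows . " of " . total_rows . " rows" . html_table
| fields description html_table shown_rows total_rows
```

The search now returns exactly one row, so with the trigger condition set to Once, $result.description$ (or $result.html_table$) in the description field carries every row, and the third sample row arrives as `Expected &lt;XML&gt; partner file not found` rather than as a tag. list() keeps at most 100 values, so keep the head cap below that.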
Could you share your alert search and the values you pass on to ServiceNow incident integration?
Hi @akkoem - I am just using some sample data for setting this up and I am creating that with this SPL:
| makeresults format=csv data="Date,Branch,\"FileName\",\"ErrorReason\"
\"2025-10-13T21:23:31.257+13:00\",Waikato,\"G00027_.Progress_Note.PDF\",\"Matching of files into pairs was unsuccessful within threshold period. Missing XML file.\"
\"2025-10-13T09:04:43.479+13:00\",Taranaki,\"G00030_202510130Silent_Documents.xml\",\"Access is denied\"
\"2025-10-13T10:44:00.788+13:00\",Waikato,\"G00027_Active_R.PDF\",\"Matching of files into pairs was unsuccessful within threshold period. Missing XML file.\"
\"2025-10-13T10:02:04.579+13:00\",Waikato,\"G00027_Sales_Department.PDF\",\"Matching of files into pairs was unsuccessful within threshold period. Missing XML file.\"
\"2025-10-11T08:00:16.858+13:00\",Waikato,\"G00027_Progress_Note_2.PDF\",\"Matching of files into pairs was unsuccessful within threshold period. Missing XML file.\"
\"2025-10-10T12:41:42.938+13:00\",Waikato,\"G00027_Progress_Note_3.PDF\",\"Matching of files into pairs was unsuccessful within threshold period. Missing XML file.\"
\"2025-10-10T16:20:55.225+13:00\",Waikato,\"G00027_Trail_balance.XML\",\"Access is denied\"
\"2025-10-09T12:00:02.921+13:00\",BOP,\"G00031_Control_totals.xml\",\"Access is denied\"
"
In the alert I am using the Trigger Condition Once, and if I use the alert action Send Email I can simply specify Attach CSV or Inline Table and the 8 rows of data will arrive.
But in the action ServiceNow Incident Integration there is no such option and specifying the fields in Custom Fields only results in one of the rows of data values.
These are the settings in the Alert Action:
Using the Custom Fields I can set comments to FileName but only the last gets sent through and ideally I would want a table created in the ServiceNow ticket.
Is this possible?
Thanks
Thanks @akkoem - I will test some of these suggestions tomorrow and update.
If this workaround worked, could you pick it as an answer?