
Can we update the Splunk drilldown URL in alert actions?

vamsi92
Explorer

Hi,
I have Splunk Enterprise in a Linux environment, and I am using it with ServiceNow integration. For that I am using the Splunk Add-on for ServiceNow.
For creating incidents in ServiceNow from Splunk I am using the "|snowincident" command; it's working fine.
Example:
| snowincident --category "Network" --contact_type "Walk-in" --subcategory "Database" --short_description "unique sources available" --ci_identifier "8484eb82c1a8014b7bd0919758dcc3c2" --urgency 1 --impact 1 --splunk_url "http://www.google.co.in" --comments "unique sources available" --correlation_id "DataFetch.sourcenumber1"

There is a button appearing in ServiceNow called "Splunk drilldown", and it takes us to the "splunk url" we configured in the command above.
But when I am automating a search using alerts and configuring alert actions, there is "ServiceNow Incident Integration", and in there, there is no option to manually enter the Splunk URL. The Splunk URL is filled in automatically, like "http://servername:8000/xyz".
When I try to open the URL, it says web page not found. So I manually replaced the server name in the URL with the server IP, like "http://xx.xx.xx.xx:8000/xyz", and then the link works.
It is not workable for me to go and edit the URL every time the page opens and says web page not found. Where can I change the server name or IP so that it affects the URL?
Note: I already tried changing the name to the IP in "Settings -> Server settings -> General settings": I changed the Splunk server name and also, under index settings, the default host name.
Please help.

0 Karma

roden
Loves-to-Learn Lots

TA-ServiceNow-SecOps/bin/sn_sec_util.py contains the Python code that sets dataMap['external_url'] to "https://<host>:8000/app/search/search" if the external_url value is not set in the dataMap. You could back up this file and hard-code the IP in place of the host, and update the port as required.

You could also add this field (or others) via the GUI by modifying TA-ServiceNow-SecOps/default/data/ui/alerts/sn_sec_event_alert.html (and others), specifying a control-group div, and adding the relevant label, controls div, input field and optional help-block span element. Some additional modification may be required to have the external_url field value processed correctly by the associated script(s).

0 Karma

ehaddad_splunk
Splunk Employee

The modular alert feature of the ServiceNow add-on does not currently expose the drilldown URL to allow you to override the value.
I would suggest using the custom command instead and leveraging the splunk_url argument. You can use the examples here:
http://docs.splunk.com/Documentation/AddOns/latest/ServiceNow/Usecustomsearchcommands

0 Karma

vamsi92
Explorer

Hi, I have already used the custom command with "|snowincident" and all, but that's a manual run, right? I am talking about the alert I configured, which can auto-generate an incident in ServiceNow with Splunk drilldown. That in turn redirects to page not found because it takes the server name instead of the IP.
So is there no way to change that to the IP? Are there any settings we can change, or anything?

0 Karma

vamsi92
Explorer

Please answer this question if anyone knows.

0 Karma