All Apps and Add-ons

How to get correctly group_assignment_name for Incidents coming from ServiceNow, instead of the sys_id of the group name in Splunk?

skender27
Contributor

Hi,

I am using the app and the add-on ServiceNow Event Management for Splunk 6.2.3.
It is working fine, but I get as the assigned group name the sys_id unique of the group in ServiceNow to which the incident has been assigned (so I get hsgsjdklfkshagsgdj instead of the readable group name).
I checked the sys_user_group_list_lookup.csv file under /lookup directory in Splunk, but I do not see any such field...

Anyone has tried the same thing?

Thanks,
Skender Kollcaku

0 Karma
1 Solution

skender27
Contributor

Ok.
After I studied a lot the lookup tables and csv files included with the add-on,
I corrected it by doing so:

eventtype=snow-incident| dedup sys_id | search state=7 | eval closureTime=(strptime(closed_at,"%Y-%m-%d %H:%M:%S")-strptime(opened_at,"%Y-%m-%d %H:%M:%S"))/3600 | eval assignment_group_name = if( assignment_group_name!="", assignment_group_name, "Unassigned" ) | chart avg(closureTime) by assignment_group_name limit=7

state=7 means that incident has been closed!

alt text

Thanks anyway,
Skender

View solution in original post

0 Karma

johngut
New Member

Did you ever find an answer for this issue?

0 Karma

skender27
Contributor

Ok.
After I studied a lot the lookup tables and csv files included with the add-on,
I corrected it by doing so:

eventtype=snow-incident| dedup sys_id | search state=7 | eval closureTime=(strptime(closed_at,"%Y-%m-%d %H:%M:%S")-strptime(opened_at,"%Y-%m-%d %H:%M:%S"))/3600 | eval assignment_group_name = if( assignment_group_name!="", assignment_group_name, "Unassigned" ) | chart avg(closureTime) by assignment_group_name limit=7

state=7 means that incident has been closed!

alt text

Thanks anyway,
Skender

0 Karma

skender27
Contributor

In fact, in the illustration you see two panels of what I get from the dashboard of the incidents:
Instead of the unreadable code (which is the sys_id) I'd need the real name of the group to which the incident was assigned...

I hope it is clear the problem occuring to me.

Thanks in advance,
Skender

alt text

0 Karma

skender27
Contributor

...and here is the search used to produce this dashboard:

eventtype=snow-incident| dedup sys_id | search state=7 | eval closureTime=(strptime(closed_at,"%Y-%m-%d %H:%M:%S")-strptime(opened_at,"%Y-%m-%d %H:%M:%S"))/3600 | eval assignment_group_name = if( assignment_group!="", assignment_group, "Unassigned" ) | chart avg(closureTime) by assignment_group_name limit=7

0 Karma

mgranger1
Path Finder

I'm having the same issue for lots of fields within this app. Is there a way to do a dynamic "lookup" based on the sys_id? Particularly for fields like:

assigned_to
assignment_group
cmdb_ci
opened_by
requested_by
u_category_list
u_requesting_group
u_user

These would be incredibly useful fields IF we could actually read them in a meaningful way.

0 Karma

surekhasplunk
Communicator

for me eventtype=snow-incident itself doesn't return me any data. Please help

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...