
In the Splunk Add-on for ServiceNow, how do I set extra custom fields when creating an incident? Specifically updating the description field.

SplunkTrust

My ServiceNow instance has custom fields on the Incident form that I need to set when raising an incident from Splunk using the official TA.

How can I do this?

1 Solution

SplunkTrust

Unfortunately, to achieve this you will need to make changes to the official TA. This isn't ideal because if you update the TA from Splunkbase in the future you will lose your changes. So keep this in mind before embarking, and ideally have some version control set up so you can easily track changes. That said, this is how you can add additional fields to the Splunk alert actions UI:

For this example I will be adding a new field called "description". These changes should be made on the Search head. If you have a SHCluster then do it on the SHDeployer and push from there.

1) Edit the file ./etc/apps/Splunk_TA_snow/bin/snow_incident_base.py and near the top there is a list of all fields, add the new field like so:

alt text

2) Now edit the file ./etc/apps/Splunk_TA_snow/bin/snow_incident_m.py and add the new field in two places like so:

alt text

3) Finally change the file ./etc/apps/Splunk_TA_snow/default/data/ui/alerts/snow_incident.html and add a new UI element for the field:

(note due to the attachment limit, see the next comment on this question)


New Member

After making changes to the files in steps 1, 2 and 3, what is the step-by-step way to see the changes as indicated in the picture above?

0 Karma

SplunkTrust

third image:

alt text

fourth image:

alt text

0 Karma

Explorer

This post is invaluable! Many thanks for this article.

Regards,
Hans

0 Karma

Communicator

Excellent! Although your step 1 and step 2 images didn't post. I know it's been over several months since this post. Would you be able to upload step 1 and 2 images? Thanks

0 Karma

Thank you 🙂

0 Karma

SplunkTrust

(continued from other answer)

alt text

4) Now restart your search head and you should see the new field in the alert action UI:

alt text

5) Trigger the alert to make the REST call to ServiceNow. You should now go see your friendly ServiceNow administrator and ask them to please update the mapping in the Splunk transform table to map the new field to the equivalent field on the Incident form. It's a couple of clicks, which hopefully they can do for you on the spot. I think the table with the mapping is x_splu2_splunk_ser_u_splunk_incident, but if they already installed the app or update set for you, then they should be able to find it pretty easily.

Hope this helps others, please upvote if it is useful to you!

I am also not able to see both of the images above. Tried different browsers 😞

0 Karma

Explorer

Thank you for posting this. I would like to give this a try. The two screenshots you added are not available. Can you try uploading them again?

Thank you.

0 Karma

SplunkTrust

OK, done. I had to put them on a third-party site, so hopefully corporate firewalls don't block them.

0 Karma
