
ServiceNow Incident Integration: How to create/update incident using alert

apujari
Explorer

I am using the ServiceNow Incident Integration add-on to create/update incidents in ServiceNow. I have two alerts that run on certain search conditions: alert_create_incident to create a new incident and alert_update_incident to close the incident. I am using the Correlation ID field for this and it is working fine. Now the issue is that, with the Correlation ID set, when alert_create_incident runs next it does not create a new incident but updates the previously closed incident's state to New. I thought of running a script as the alert action but ended up in the same situation: having to set a dynamic correlation ID for both alerts.

Is there a way to generate the Correlation ID dynamically for each pair of create and update alerts? Any help/suggestions would be appreciated. Thanks.


saroj_gharat
New Member

Were you able to resolve this? We are planning to use the Correlation ID to update the same incident, but we do not want a closed incident to be opened again. @apujari


ramganeshn
Explorer

Nope. I am not able to resolve this. I am using the same correlation ID. Still, a new incident is getting created every time. Any help on this is much appreciated.


ramganeshn
Explorer

Hi, I have a requirement to update an incident that has already been created. Every time my alert gets triggered, a new incident is created in ServiceNow. I would like some clarity on whether I can close an incident once it is created, or update comments, status, or the description/short description. Please help me with the steps or process to follow to update an incident.

I am trying to update an incident that was created by an alert action from Splunk ITSI. But, every time the alert gets triggered, a new incident is getting created instead of updating the existing incident. I tried everything mentioned in the link given below:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts#Update_behavior_...

Please guide me as to what needs to be done to update a previously created incident. Do I need to get the status of the incident from ServiceNow and use that in the search query when I try to update the incident?

Thanks!


kpanchal_splunk
Splunk Employee

@apujari 

The ServiceNow add-on searches for the incident by its Correlation ID. Hence, the issue you are facing (re-opening the same incident) is probably caused by using a static correlation ID, which refers to the same incident every time.

In order to create a new incident every time, you should include some unique field from your event in the Correlation ID. This will allow the ServiceNow add-on to create a new incident and prevent re-opening your closed incident.

Hope this helps
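To make the lookup-by-Correlation-ID behaviour described in this reply concrete, here is an added Python simulation; it is example code written for this thread, not code from the ServiceNow add-on, from ServiceNow, or from anyone posting above. It assumes the baseline ServiceNow incident state values New=1 and Closed=7, derives the Correlation ID as the MD5 of host, alert name and the time the condition was first seen (the SPL equivalent noted in the comment is an assumption), and stands in a dictionary for a lookup that the create alert would write with outputlookup so the update alert can retrieve the same ID. The static-ID scenario reproduces the reopened-incident problem; the dynamic-ID scenario shows the fix.

```python
import hashlib
from dataclasses import dataclass, field

# ServiceNow baseline incident.state values (assumption: out-of-the-box mapping).
STATE_NEW = 1
STATE_CLOSED = 7


@dataclass
class Incident:
    number: str
    correlation_id: str
    state: int
    short_description: str


@dataclass
class FakeServiceNow:
    """Constructed stand-in for the incident table; not the add-on's or ServiceNow's code."""
    incidents: list = field(default_factory=list)

    def find(self, correlation_id):
        """Return the first incident whose correlation_id matches, or None."""
        for inc in self.incidents:
            if inc.correlation_id == correlation_id:
                return inc
        return None

    def upsert(self, correlation_id, state, short_description):
        """Mimic the behaviour described in the thread: match on correlation_id,
        update the match if there is one (even when it is already Closed),
        otherwise create a new incident."""
        inc = self.find(correlation_id)
        if inc is not None:
            inc.state = state
            inc.short_description = short_description
            return inc, "updated"
        inc = Incident(f"INC{len(self.incidents) + 1:07d}", correlation_id,
                       state, short_description)
        self.incidents.append(inc)
        return inc, "created"


def correlation_id_for(host, alert_name, first_seen):
    """Per-occurrence key: host + alert name + time the condition was first seen.
    first_seen (e.g. earliest(_time) from the create search) is what makes the
    next occurrence differ from the one already closed.
    Assumed SPL equivalent: | eval correlation_id=md5(host.":".alert.":".first_seen)"""
    return hashlib.md5(f"{host}:{alert_name}:{first_seen}".encode()).hexdigest()


def static_id_scenario():
    """Same fixed Correlation ID on every firing: the third firing reopens INC0000001."""
    snow = FakeServiceNow()
    cid = "disk_full_static"
    snow.upsert(cid, STATE_NEW, "disk full on web01")                # create alert fires
    snow.upsert(cid, STATE_CLOSED, "disk full on web01")             # update alert closes it
    inc, action = snow.upsert(cid, STATE_NEW, "disk full on web01")  # condition returns
    return action, inc.number, inc.state, len(snow.incidents)        # ('updated', 'INC0000001', 1, 1)


def dynamic_id_scenario():
    """Create alert derives the ID and records it in a lookup keyed by (host, alert);
    update alert reads the ID from the lookup, closes the incident and removes the
    entry, so the next occurrence gets a fresh ID and therefore a fresh incident."""
    snow = FakeServiceNow()
    open_ids = {}  # stands in for a KV-store lookup written with outputlookup (assumption)

    def create_alert(host, alert_name, first_seen):
        cid = correlation_id_for(host, alert_name, first_seen)
        open_ids[(host, alert_name)] = cid
        return snow.upsert(cid, STATE_NEW, f"{alert_name} on {host}")

    def update_alert(host, alert_name):
        cid = open_ids.pop((host, alert_name))
        return snow.upsert(cid, STATE_CLOSED, f"{alert_name} on {host}")

    create_alert("web01", "disk_full", "2020-08-01T10:00:00")  # INC0000001 created
    update_alert("web01", "disk_full")                         # INC0000001 closed
    inc, action = create_alert("web01", "disk_full", "2020-08-02T03:15:00")
    closed = snow.incidents[0]
    return action, inc.number, closed.state, len(snow.incidents)  # ('created', 'INC0000002', 7, 2)


if __name__ == "__main__":
    print("static :", static_id_scenario())
    print("dynamic:", dynamic_id_scenario())
```

The point of the lookup is that the update alert cannot recompute first_seen on its own once the condition has cleared, so the create alert has to hand it the ID; anything that the two searches can both reproduce deterministically (a ticket reference in the event, a KV-store row keyed by host and alert name) serves the same purpose. Because the ID changes per occurrence, the closed INC0000001 is never matched again and stays Closed, which is the behaviour saroj_gharat asked for above.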
