All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ServiceNow Incident Integration: How to create/update incident using alert

apujari
Explorer
‎05-13-2020 10:53 PM

I am using ServiceNow Incident Integration add-on to create/update incidents in ServiceNow. I have two alerts that runs on certain search conditions, alert_create_incident to create a new incident and alert_update_incident to close the incident. I am using the Correlation ID field for this and is working fine. Now the issue is with the Correlation ID set and the alert_create_incident runs next, it does not create a new incident but updates the previously closed incident state to new. I thought of running a script as alert action but end up with same situation: to set a dynamic correlation id for both the alerts.

Is there a way to generate the Correlation ID dynamically for each pair of create and update alerts. Any help/suggestions would be appreciated. Thanks

0 Karma
Reply

saroj_gharat
New Member
‎07-14-2022 02:29 AM

Were you able to resolve this ? We are planning to use Cor-relation id to update the same incident. But we do not want a closed incident to be opened again. @apujari 

0 Karma
Reply

ramganeshn
Explorer
‎07-14-2022 04:01 AM

Nope. I am not able to resolve this. I am using the same correlation ID. Still, a new incident is getting created every time. Any help on this is much appreciated.

0 Karma
Reply

ramganeshn
Explorer
‎07-07-2022 02:44 AM

Hi, I have a requirement to update an incident that had been created. Every time, my alert gets triggered, it gets a new incident created in ServiceNow. I would like to get some clarity here as to whether I can be able to close an incident once it is created or can I be able to update some comments or update status or update description/short description. Please help me with the steps or process to be followed in updating an incident.

I am trying to update an incident that was created by an alert action from Splunk ITSI. But, every time the alert gets triggered, a new incident is getting created instead of updating the existing incident. I tried everything mentioned in the link given below:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts#Update_behavior_...

Please guide as to what needs to be done to update a previously created incident? Should I need to get the status of the incident from ServiceNow and use that in the search query when I try to update the incident? 

Thanks!

0 Karma
Reply

bray1111
Explorer
‎01-08-2024 02:00 PM

What endpoint are you using in the custom action configuration?  I found that if i used something like /api/now/table/incident instead of /api/now/table/x_splu2_splunk_ser_u_splunk_incident(recommended by the alert action gui), I would get new incidents every time. 

The downside of using the recommended endpoint is that an intermediate table gets populated in ServiceNow.  The upside is that it does correlations based on the correlation ID sent over from the alert action.  That correlation ID is a hash of the alert name so any future actions that go across to ServiceNow will still correlate under that correlation ID (and originally created incident) and not create new incidents.

Reply

kpanchal_splunk
Splunk Employee
Splunk Employee
‎07-25-2020 10:08 AM

@apujari 

ServiceNow add-on searches the incident based on its Correlation ID. Hence, the issue you are facing (re-opening the same incident) might be caused because you used a static correlation ID which refers to the same incident every time.

In order to create a new incident every time, you should use some unique field from your event in the Correlation ID. This will allow the ServiceNow add-on to create a new incident and prevent re-opening your closed incident

Hope this helps

Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...