
ServiceNow Incident Integration: How to create/update incident using alert


I am using the ServiceNow Incident Integration add-on to create/update incidents in ServiceNow. I have two alerts that run on certain search conditions: alert_create_incident to create a new incident and alert_update_incident to close the incident. I am using the Correlation ID field for this, and it is working fine. Now the issue is: with the Correlation ID set, when alert_create_incident runs next, it does not create a new incident but updates the previously closed incident's state to New. I thought of running a script as the alert action, but ended up with the same situation: to set a dynamic correlation ID for both of the alerts.

Is there a way to generate the Correlation ID dynamically for each pair of create and update alerts? Any help/suggestions would be appreciated. Thanks.


New Member

Were you able to resolve this? We are planning to use the Correlation ID to update the same incident, but we do not want a closed incident to be opened again. @apujari



Nope. I am not able to resolve this. I am using the same correlation ID. Still, a new incident is getting created every time. Any help on this is much appreciated.



Hi, I have a requirement to update an incident that has already been created. Every time my alert gets triggered, a new incident gets created in ServiceNow. I would like some clarity here as to whether I can close an incident once it is created, or update its comments, status, or description/short description. Please help me with the steps or process to be followed in updating an incident.

I am trying to update an incident that was created by an alert action from Splunk ITSI. But, every time the alert gets triggered, a new incident is getting created instead of updating the existing incident. I tried everything mentioned in the link given below:

Please guide me as to what needs to be done to update a previously created incident. Do I need to get the status of the incident from ServiceNow and use that in the search query when I try to update the incident?




What endpoint are you using in the custom action configuration? I found that if I used something like /api/now/table/incident instead of /api/now/table/x_splu2_splunk_ser_u_splunk_incident (recommended by the alert action GUI), I would get new incidents every time.

The downside of using the recommended endpoint is that an intermediate table gets populated in ServiceNow. The upside is that it does correlation based on the correlation ID sent over from the alert action. That correlation ID is a hash of the alert name, so any future actions that go across to ServiceNow will still correlate under that correlation ID (and the originally created incident) and not create new incidents.

Splunk Employee


The ServiceNow add-on searches for the incident based on its Correlation ID. Hence, the issue you are facing (re-opening the same incident) might be caused by using a static correlation ID, which refers to the same incident every time.

In order to create a new incident every time, you should use some unique field from your event in the Correlation ID. This will allow the ServiceNow add-on to create a new incident and prevent re-opening your closed incident.

Hope this helps.
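One way to get a correlation ID that the create and close alerts share for a single occurrence but that changes between occurrences, added here as an illustration and not code from this thread or from the add-on: both alert searches derive the ID from the same per-occurrence field in the event. The hash only keeps the ID a fixed length; the uniqueness comes from the event field. The index, sourcetype and the `host`, `run_id`, `status` and `error_msg` fields are assumptions for the example.

```spl
index=app_logs sourcetype=batch_job status=FAILED earliest=-15m
| stats earliest(_time) AS first_failure, values(error_msg) AS error_msg BY host, run_id
| eval correlation_id=sha256("splunk_batch_" . host . "_" . run_id)
| table first_failure host run_id error_msg correlation_id

index=app_logs sourcetype=batch_job status=RECOVERED earliest=-15m
| stats latest(_time) AS recovered_at BY host, run_id
| eval correlation_id=sha256("splunk_batch_" . host . "_" . run_id)
| table recovered_at host run_id correlation_id
```

The first search is the create alert, the second the close alert; in each alert action, point the Correlation ID setting at the standard Splunk result token `$result.correlation_id$` with the alert set to trigger for each result. That the add-on's Correlation ID field accepts a result token is an assumption to verify in your add-on version.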
