All Apps and Add-ons

ServiceNow Incident Integration: How to create/update incident using alert

apujari
Explorer

I am using ServiceNow Incident Integration add-on to create/update incidents in ServiceNow. I have two alerts that runs on certain search conditions, alert_create_incident to create a new incident and alert_update_incident to close the incident. I am using the Correlation ID field for this and is working fine. Now the issue is with the Correlation ID set and the alert_create_incident runs next, it does not create a new incident but updates the previously closed incident state to new. I thought of running a script as alert action but end up with same situation: to set a dynamic correlation id for both the alerts.

Is there a way to generate the Correlation ID dynamically for each pair of create and update alerts. Any help/suggestions would be appreciated. Thanks

0 Karma

saroj_gharat
New Member

Were you able to resolve this ? We are planning to use Cor-relation id to update the same incident. But we do not want a closed incident to be opened again. @apujari 

0 Karma

ramganeshn
Explorer

Nope. I am not able to resolve this. I am using the same correlation ID. Still, a new incident is getting created every time. Any help on this is much appreciated.

0 Karma

ramganeshn
Explorer

Hi, I have a requirement to update an incident that had been created. Every time, my alert gets triggered, it gets a new incident created in ServiceNow. I would like to get some clarity here as to whether I can be able to close an incident once it is created or can I be able to update some comments or update status or update description/short description. Please help me with the steps or process to be followed in updating an incident.

I am trying to update an incident that was created by an alert action from Splunk ITSI. But, every time the alert gets triggered, a new incident is getting created instead of updating the existing incident. I tried everything mentioned in the link given below:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts#Update_behavior_...

Please guide as to what needs to be done to update a previously created incident? Should I need to get the status of the incident from ServiceNow and use that in the search query when I try to update the incident? 

Thanks!

0 Karma

kpanchal_splunk
Splunk Employee
Splunk Employee

@apujari 

ServiceNow add-on searches the incident based on its Correlation ID. Hence, the issue you are facing (re-opening the same incident) might be caused because you used a static correlation ID which refers to the same incident every time.

In order to create a new incident every time, you should use some unique field from your event in the Correlation ID. This will allow the ServiceNow add-on to create a new incident and prevent re-opening your closed incident

Hope this helps

Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...