All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ServiceNow TA snowincident action for Episode and correlation_id

Schroeder
Path Finder
‎12-01-2025 03:23 AM

Hi community!

when using the snowincident action with the NEAP the correlation_id of the created or updated incident is the Episode group id "itsi_group_id" which makes sense as the TA adds the link to the incident for a newly created incident in the ITSI ticketing lookup.

In our case the Episode creates an alert in ITOM Health via the snowevent action, once the alert is created it is added to the ITSI ticketing lookup via a custom command. For alerts we drive the message key field in ITOM health the keep the Episode and alert together.

When an incident is created in ITOM Health we also add the incident to the Episode. Now, the issue is that we cannot make the snowincident action to use the correlation_id to work. It always takes the itsi_group_id. We tried changing the stanza in the notable_events_actions.conf but this is ignored. We do not even know if it would have unwanted side effects as it is recommended to not change that setting.

From the stanza:
correlation_value_for_group = $result.correlation_id$

In case this is not possible to configure, where is the place in the snowincident.py, snow_ticket.py to best drive the payload send to ServiceNow incident table so that it takes the correlation_id from the params and keeps the itsi_group_id for the rest?

As a workaround I have started building an alert action using the incident table endpoint together with the sys_id of the incident.

Thank for your help

Peter

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Schroeder
Path Finder
a month ago

In the end it was more simple than I thought. I just added the key/value pair correlation_id=$result.itsi_group_id" to additional info for the snow_event action:

Schroeder_0-1765282938998.png

Then the business rule "Splunk Events Forward" in ServiceNow as part of the Splunk ServiceNow adapter updates a created incident with the correlation_id. 

Same works for the Episodes URL, just add url=https://123.abc.com/en-US/app/itsi/itsi_event_management?earliest=$result.itsi_earliest_event_time$&...
and the same business rule will add the link to the incident.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Schroeder
Path Finder
a month ago

In the end it was more simple than I thought. I just added the key/value pair correlation_id=$result.itsi_group_id" to additional info for the snow_event action:

Schroeder_0-1765282938998.png

Then the business rule "Splunk Events Forward" in ServiceNow as part of the Splunk ServiceNow adapter updates a created incident with the correlation_id. 

Same works for the Episodes URL, just add url=https://123.abc.com/en-US/app/itsi/itsi_event_management?earliest=$result.itsi_earliest_event_time$&...
and the same business rule will add the link to the incident.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...