Hi All!
I am looking for best practices around how to update the Splunk Add-on for ServiceNow to populate custom mandatory fields in an Incident only. To create a new parameter (e.g. action.snow_incident.param.<custom field>), the most notable files to update that I can see are the following:
- snow_incident_base.py
- snow_incident_m.py
- eventgen.conf
- updating/ creating CSVs under /samples (may not be necessary, but would update here to be consistent)
- snow_incident.html for front end interaction with workflow actions
Are there other scripts or .conf files out there that need to be updated in order to make this successful on either the Splunk or ServiceNow side?
Thanks in advance!
The answer to my question is to use the snowincidentstream command. For a list of all commands, please review this documentation.
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts
I worked with a member of our internal SNow team, and we mapped values in Splunk to custom fields in the Incident. Then, we added the respective SNow arguments in the SPL - this left us with a lot of flexibility to add more fields than there are in the alert action UI! I highly recommend this - here are the docs with search examples:
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usestreamingcommands
SplunkRules
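As an added illustration of the approach in the answer above (this search is not from the thread or the add-on documentation): Splunk fields are mapped to incident values with eval, and the custom fields are handed to the streaming command as one field. The argument names `short_description`, `category`, `priority` and `custom_fields`, the `name:value||name:value` format of `custom_fields`, and the convention that an argument may name a field rather than a literal are assumed from the add-on docs; the `u_` field names, index and sourcetype are placeholders to replace with your own.

```spl
index=security sourcetype=ids_alert severity="high"
| eval short_description="IDS alert: " . signature . " from " . src_ip
| eval custom_fields="u_detection_source:Splunk||u_asset_owner:" . owner . "||u_alert_id:" . alert_id
| snowincidentstream short_description=short_description category="security" priority="2" custom_fields=custom_fields
```

Filter and dedup before the command, since each event that reaches it becomes an incident, and confirm in the "Splunk Incident" interstitial table on the ServiceNow side that the `u_` columns exist and are mandatory there.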

Integration works as follows: when incident data hits SNOW, it is first entered into an interstitial table "Splunk Incident".
Therefore to make this work you will need to adjust that table definition on the SNOW side. (This is part of the "Splunk Integration" SNOW app.)
Then you will need to change a few files, depending on the type of action you want to use (alert has custom UI, for example).
With the above said, let me ask you this:
- can you include this data in the description field?
- can you set these fields using custom workflow on the SNOW side?
Hi! The answer should be yes to both of your questions.
Trying to help but out of my knowledge realm. Was there no good documentation on this type of thang? Or was there a specific docs page that got you close that's worth highlighting for context?
Nah, aint no thang. This page is helpful but doesn't quite get me there with customizing:
http://docs.splunk.com/Documentation/AddOns/latest/ServiceNow/Usecustomalertactions
What I have listed above is almost there. The behavior I see after adding to the above scripts and files is - Incidents are created, but seem to be stored behind the scenes. What I mean by this is after I revert back to the orig scripts, all of the INC that were created using the new ones appear in Service-Now. I poked around in the Splunk App for ServiceNow, but I don't see anything that appears to need updating for populating custom fields, although I may have overlooked something.
Cool. Thanks for adding that context and what helped. Lemme see what other eyes I can get on this.
Hey - did you happen to hear back from anyone on this?
Peek at the response from @mreynov. There's no one more qualified 😉
Thank you!
