
Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

_gkollias
SplunkTrust

Hi All!

I am looking for best practices around how to update the Splunk Add-on for ServiceNow to populate custom mandatory fields in an Incident only. To create a new parameter (e.g. action.snow_incident.param.<custom field>), the most notable files to update that I can see are the following:

  1. snow_incident_base.py
  2. snow_incident_m.py
  3. eventgen.conf
  4. updating/ creating CSVs under /samples (may not be necessary, but would update here to be consistent)
  5. snow_incident.html for front end interaction with workflow actions

Are there other scripts or .conf files out there that need to be updated in order to make this successful on either the Splunk or ServiceNow side?

Thanks in advance!

1 Solution

_gkollias
SplunkTrust

The answer to my question is to use snowincidentstream command. For a list of all commands, please review this documentation.

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts

I worked with a member of our internal SNow team, and we mapped values in Splunk to custom fields in the Incident. Then, we added the respective SNow arguments in the SPL - this left us with a lot of flexibility to add more fields than there are in the alert action UI! I highly recommend this - here are the docs with search examples:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usestreamingcommands

SplunkRules
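The approach the accepted answer describes is to map Splunk result fields onto ServiceNow incident columns (standard and custom) and let the streaming command carry them across. As an added illustration, not the add-on's own code and not the SPL the author used, here is that mapping in plain Python against the ServiceNow Table API, with the check a practitioner wants before any record is sent: every custom mandatory column must be non-empty, and values taken from log data are cleaned before they land in a ticket. The custom column names `u_business_service` and `u_detection_source`, the field maps, the instance parameters and the sample rows are all made up for the example.

```python
"""Map Splunk search-result fields to ServiceNow incident columns and enforce
custom mandatory columns before anything is sent.

Added example; not code from the Splunk Add-on for ServiceNow. Column names,
field maps and sample rows are constructed for illustration.
"""
import json
import re
import urllib.request
from base64 import b64encode

# Custom incident columns that are mandatory on this (hypothetical) instance,
# keyed by the Splunk result field that feeds each one.
CUSTOM_FIELD_MAP = {
    "business_service": "u_business_service",   # hypothetical custom column
    "detection_source": "u_detection_source",   # hypothetical custom column
}

# Standard incident columns, also keyed by the Splunk field feeding them.
STANDARD_FIELD_MAP = {
    "short_description": "short_description",
    "description": "description",
    "priority": "priority",
    "ci_identifier": "cmdb_ci",
}

# Control characters other than tab, newline and carriage return.
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def clean(value, limit=4000):
    """Ticket fields are filled from log data, which an attacker can shape:
    drop control characters and cap the length so a crafted event cannot push
    odd bytes or oversized text into the incident."""
    return _CONTROL.sub("", str(value)).strip()[:limit]


def missing_mandatory(event):
    """Return the custom columns whose source field is absent or empty."""
    return [snow for splunk, snow in CUSTOM_FIELD_MAP.items()
            if not clean(event.get(splunk, ""))]


def build_incident(event):
    """Return the Table API payload for one Splunk result row, or raise
    ValueError naming every mandatory custom column that is missing, so the
    failure is visible instead of a ticket that silently never appears."""
    missing = missing_mandatory(event)
    if missing:
        raise ValueError("mandatory custom fields missing: " + ", ".join(missing))
    payload = {}
    for field_map in (STANDARD_FIELD_MAP, CUSTOM_FIELD_MAP):
        for splunk, snow in field_map.items():
            value = clean(event.get(splunk, ""))
            if value:
                payload[snow] = value
    return payload


def post_incident(payload, instance, user, password, table="incident"):
    """POST the payload to the Table API and return the new record's sys_id.
    Network call, so not exercised offline. `table` could instead name the
    interstitial table the add-on writes to on the ServiceNow side."""
    url = f"https://{instance}/api/now/table/{table}"
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]["sys_id"]


# Constructed sample rows: one complete, one missing a mandatory custom field.
SAMPLE_OK = {
    "short_description": "Brute-force logins against vpn-gw01",
    "description": "42 failed logins in 5m from 203.0.113.9\x00",
    "priority": "2",
    "ci_identifier": "vpn-gw01",
    "business_service": "Remote Access",
    "detection_source": "Splunk correlation search",
}
SAMPLE_BAD = dict(SAMPLE_OK, detection_source="")

if __name__ == "__main__":
    print(json.dumps(build_incident(SAMPLE_OK), indent=2))
    try:
        build_incident(SAMPLE_BAD)
    except ValueError as err:
        print("rejected:", err)
```

Keeping the field maps as data rather than hard-coding column names in the payload builder mirrors the flexibility the answer praises: adding another custom column is one more map entry, and the mandatory check follows automatically.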



mreynov_splunk
Splunk Employee

Integration works as follows: when incident data hits SNOW, it is first entered into an interstitial table "Splunk Incident".
Therefore, to make this work you will need to adjust that table definition on the SNOW side. (This is part of the "Splunk Integration" SNOW app.)
Then you will need to change a few files, depending on the type of action you want to use (alert has custom UI, for example).

With the above said, let me ask you this:
- can you include this data in the description field?
- can you set these fields using custom workflow on the SNOW side?


_gkollias
SplunkTrust

Hi! The answer should be yes to both of your questions.


sloshburch
Splunk Employee

Trying to help but out of my knowledge realm. Was there no good documentation on this type of thang? Or was there a specific docs page that got you close that's worth highlighting for context?


_gkollias
SplunkTrust

Nah, ain't no thang. This page is helpful but doesn't quite get me there with customizing:

http://docs.splunk.com/Documentation/AddOns/latest/ServiceNow/Usecustomalertactions

What I have listed above is almost there. The behavior I see after adding to the above scripts and files is - Incidents are created, but seem to be stored behind the scenes. What I mean by this is after I revert back to the orig scripts, all of the INC that were created using the new ones appear in Service-Now. I poked around in the Splunk App for ServiceNow, but I don't see anything that appears to need updating for populating custom fields, although I may have overlooked something.


sloshburch
Splunk Employee

Cool. Thanks for adding that context and what helped. Lemme see what other eyes I can get on this.


_gkollias
SplunkTrust

Hey - did you happen to hear back from anyone on this?


sloshburch
Splunk Employee

Peek at the response from @mreynov. There's no one more qualified 😉


_gkollias
SplunkTrust

Thank you!
