
Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

SplunkTrust

Hi All!

I am looking for best practices around how to update the Splunk Add-on for ServiceNow to populate custom mandatory fields in an Incident only. To create a new parameter (e.g. action.snow_incident.param.<custom field>), the most notable files to update that I can see are the following:

  1. snow_incident_base.py
  2. snow_incident_m.py
  3. eventgen.conf
  4. updating/creating CSVs under /samples (may not be necessary, but would update here to be consistent)
  5. snow_incident.html for front end interaction with workflow actions

Are there other scripts or .conf files out there that need to be updated in order to make this successful on either the Splunk or ServiceNow side?

Thanks in advance!

1 Solution

SplunkTrust

The answer to my question is to use snowincidentstream command. For a list of all commands, please review this documentation.

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts

I worked with a member of our internal SNow team, and we mapped values in Splunk to custom fields in the Incident. Then, we added the respective SNow arguments in the SPL - this left us with a lot of flexibility to add more fields than there are in the alert action UI! I highly recommend this - here are the docs with search examples:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usestreamingcommands

SplunkRules
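
As an added example, not code from this thread or from the add-on itself: a small Python pre-flight check in the spirit of the answer above, mapping Splunk result fields to the custom Incident columns and refusing to build the record when a mandatory column would be empty, so the record is rejected on the Splunk side instead of being handed to the interstitial table half-filled. The u_* column names, FIELD_MAP, the constructed sample result and the field=value||field=value encoding of custom_fields are assumptions to check against your add-on version.

```python
"""Hypothetical pre-flight check for Splunk -> ServiceNow Incident records.

Not part of the Splunk Add-on for ServiceNow. The ``field=value||field=value``
encoding of custom fields is an assumption; verify it against your add-on docs.
"""

# Constructed sample: one Splunk search result row (field -> value).
SAMPLE_RESULT = {
    "host": "web-01",
    "failed_logins": "73",
    "owner": "app-team",
    "search_name": "Brute-force logins",
}

# Splunk result field -> ServiceNow Incident column (hypothetical u_* customs).
FIELD_MAP = {
    "host": "u_affected_host",
    "owner": "u_asset_owner",
    "failed_logins": "u_event_count",
}
# Columns ServiceNow marks mandatory on the Incident form (assumed).
MANDATORY = ("u_affected_host", "u_asset_owner")


class MissingMandatoryField(ValueError):
    """Raised before anything is sent, so a half-filled record never leaves Splunk."""


def map_custom_fields(result, field_map=FIELD_MAP, mandatory=MANDATORY):
    """Translate a result row into custom columns; blank values are dropped."""
    custom = {}
    for splunk_field, snow_field in field_map.items():
        value = str(result.get(splunk_field, "")).strip()
        if value:
            custom[snow_field] = value
    missing = [col for col in mandatory if col not in custom]
    if missing:
        raise MissingMandatoryField("incident rejected, missing: " + ", ".join(missing))
    return custom


def encode_custom_fields(custom):
    """Serialise to the assumed custom_fields form, refusing separator characters."""
    for col, value in custom.items():
        if "||" in value or "=" in col or "||" in col:
            raise ValueError(f"separator characters in custom field {col!r}")
    return "||".join(f"{col}={value}" for col, value in sorted(custom.items()))


def build_incident(result):
    """Return the minimal record a streaming command or alert action would send."""
    custom = map_custom_fields(result)
    return {
        "short_description": f"{result['search_name']} on {result['host']}",
        "custom_fields": encode_custom_fields(custom),
    }
```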


Splunk Employee

Integration works as follows: when incident data hits SNOW, it is first entered into an interstitial table "Splunk Incident".
Therefore to make this work you will need to adjust that table definition on the SNOW side. (This is part of the "Splunk Integration" SNOW app.)
Then you will need to change a few files, depending on the type of action you want to use (alert has custom UI, for example).

With the above said, let me ask you this:
- can you include this data in the description field?
- can you set these fields using custom workflow on the SNOW side?


SplunkTrust

Hi! The answer should be yes to both of your questions.


Ultra Champion

Trying to help but out of my knowledge realm. Was there no good documentation on this type of thang? Or was there a specific docs page that got you close that's worth highlighting for context?


SplunkTrust

Nah, ain't no thang. This page is helpful but doesn't quite get me there with customizing:

http://docs.splunk.com/Documentation/AddOns/latest/ServiceNow/Usecustomalertactions

What I have listed above is almost there. The behavior I see after adding to the above scripts and files is: Incidents are created, but seem to be stored behind the scenes. What I mean by this is after I revert back to the original scripts, all of the INC that were created using the new ones appear in Service-Now. I poked around in the Splunk App for ServiceNow, but I don't see anything that appears to need updating for populating custom fields, although I may have overlooked something.


Ultra Champion

Cool. Thanks for adding that context and what helped. Lemme see what other eyes I can get on this.


SplunkTrust

Hey - did you happen to hear back from anyone on this?


Ultra Champion

Peek at the response from @mreynov. There's no one more qualified 😉


SplunkTrust

Thank you!
