Splunk App for ServiceNow incident state

wegscd
Contributor

I brought up the Splunk App for ServiceNow on Friday in a test app, let it chug away over the weekend to get the data extracted from Service Now over the weekend.

Went to run the reports, and all incidents are showing up as "Open". Dug into it, and our Service Now instance keeps all incidents with incident_state=1; as the tickets are worked, there is a different field "state" that is changing.

Is this something specific to our Service Now implementation, or has someone else seen this?

0 Karma

ehaddad_splunk
Splunk Employee

Hi,

I have seen some snow implementations use state field and others use state_incident. We might need to change the default to be using state field to represent the status of the incident instead - in the meantime you can fix the behavior in your environment by applying the lookup to the state field (do it under local/props.conf):
[snow:incident]
LOOKUP-incident_state = incident_state_lookup state OUTPUTNEW incident_state_name

wegscd
Contributor

The fix is a lot more pervasive than that; there are also queries in the dashboards that need fixing. Right now I'm trying to determine if this is something our ServiceNow folks have done to us, and if anyone else has seen the problem.

0 Karma

ehaddad_splunk
Splunk Employee

There is a business rule that does the sync between the two fields. You might want to check this:
https://community.servicenow.com/message/801220?_ga=1.84815579.354472655.1430263836#801220

0 Karma

wegscd
Contributor

Checking with my ServiceNow guy; I think that rule is broken/turned off; incident_state is sticking at '1'.

0 Karma