
Why doesn't the Splunk add-on for Service Now's modular alert action annotate incidents with search results?

Yorokobi
SplunkTrust

Splunk: 7.2.1
Service Now add-on: 4.0.0
Service Now version: London

I have the add-on deployed to my search head cluster and am able to create incidents in Service Now but the incidents do not contain the search results as expected based on the add-on's documentation (https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usecustomalertactions):

Depending on the search that you save as an alert, the custom alert action might create multiple events or incidents in ServiceNow. This can occur if the search string that you save as an alert returns multiple events. The number of events returned by the search equals the number of incidents or events created in ServiceNow.

I have tested with a multi-column table with dozens of rows as well as with a single column table with only one result. The modular alert does not add the search results to the incident. Nor does it create multiple incidents when the result count is greater than one.

Is the documentation correct but the MA is not behaving as it should or is the documentation incorrect and we should be expected to use the Splunk Drilldown button from now on? The latter is a poor option as SIDs expire too quickly and Splunk alert search results should not be held as a system of record--that's the whole point of creating an incident.

I can add information to an incident with the | snowincident command's "--comments" option but I don't expect my Splunk users to know how to graft search results to a data generating command (that is a significant bit of acrobatics we shouldn't have to do based on the behaviour expected from the modular alert action).

0 Karma

Yorokobi
SplunkTrust

Nor does it create multiple incidents when the result count is greater than one.

I corrected this behaviour by selecting the "For each result" trigger in the alert as noted in the documentation.

0 Karma
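The "For each result" trigger the reply above refers to is the alert's digest mode in savedsearches.conf. The stanza below is an added illustration, not part of the original post or the add-on's own documentation: the search, the stanza name and the account are constructed, and the action name and `action.snow_incident.param.*` keys are assumed from the add-on's alert_actions.conf (check your installed version). The `alert.digest_mode` setting and the `$result.<field>$`, `$name$`, `$search$` and `$trigger_time$` tokens are standard Splunk alert features.

```ini
# savedsearches.conf (added example; stanza name and search are constructed)
[Constructed - failed logins per user]
# One result row per user with more than five failed logins in the window
search = index=auth action=failure | stats count AS failures BY user | where failures > 5
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# "For each result" in the alert UI. 0 = run the action once per result row;
# 1 = run it once with the whole result set (the default, which produces the
# single incident with no row data that the question describes).
alert.digest_mode = 0

# ServiceNow incident action. Action name and param keys are ASSUMED from the
# add-on's alert_actions.conf; the account name is a placeholder.
action.snow_incident = 1
action.snow_incident.param.account = my_snow_account
action.snow_incident.param.category = security
action.snow_incident.param.urgency = 2
action.snow_incident.param.impact = 2
# With digest_mode = 0, $result.<field>$ expands from the current row, so each
# incident records that row's values rather than only a drilldown link to an
# expiring search SID.
action.snow_incident.param.short_description = Splunk: $result.failures$ failed logins for $result.user$
action.snow_incident.param.description = Alert $name$ fired at $trigger_time$: user=$result.user$ failures=$result.failures$ (search: $search$)
```

With `alert.digest_mode = 1` the same `$result.*$` tokens still expand, but only from the first row of the result set, which is why a multi-row table appears to be dropped; switching to per-result mode is what makes the row count equal the incident count as the documentation states.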