All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

getting error while adding custom fields in Splunk Add-on for ServiceNow

fisuser1
Contributor
‎07-30-2019 08:59 AM

getting the following while adding custom fields for the Splunk Add-on for ServiceNow. Alerts still appear to open incidents as expected, however error is occurring an not passing values. I've followed the following but still getting the errror.

Any suggestions?

2019-07-30 15:35:04,446 ERROR pid=109532 tid=MainThread file=snow_ticket.py:_do_event:124 | Failed to connect to https://atyourserviceportaldev2.service-now.com/api/now/table/x_splu2_splunk_ser_u_splunk_incident, error=Traceback (most recent call last):
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 120, in _do_event
result = self._handle_response(response, content)
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 208, in _handle_response
result = self._get_result(resp)
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_incident_base.py", line 75, in _get_result
"Caller": resp["caller_id"],
KeyError: 'caller_id'

edits in snow_incident_base.py

" # (field_name, default_value)
fields = (("category", None), ("short_description", None),
("contact_type", None), ("splunk_url", url), ("urgency", ""),
("subcategory", ""), ("state", "4"), ("comments", ""),
("location", ""), ("impact", "3"),
("correlation_id", ""), ("caller_id", "splunk"),
("priority", "4"), ("assignment_group", ""))

" res = {
"Incident Number": resp["number"],
"Created": resp["sys_created_on"],
"Priority": resp["priority"],
"Updated": resp["sys_updated_on"],
"Short description": resp["short_description"],
"Category": resp["category"],
"Contact Type": resp["contact_type"],
"ciIdentifier": resp["configuration_item"],
"State": resp["state"],
"Sys Id": resp["sys_id"],
"Incident Link": self._get_ticket_link(resp["correlation_id"]),
"Correlation ID": resp["correlation_id"],
"Splunk URL": resp["splunk_url"],
"Caller": resp["caller_id"]," "

0 Karma
Reply

fisuser1
Contributor
‎07-30-2019 09:04 AM

adding the entire script for reference:

import uuid
import time
import os
import snow_ticket as st
class SnowIncidentBase(st.SnowTicket):
def _prepare_data(self, event):
event_data = {}
url = os.environ.get("SPLUNK_ARG_6", "")
# (field_name, default_value)
fields = (("category", None), ("short_description", None),
("contact_type", None), ("splunk_url", url), ("urgency", ""),
("subcategory", ""), ("state", "4"), ("comments", ""),
("location", ""), ("impact", "3"),
("correlation_id", ""), *("caller_id", "splunk"),**
("priority", "4"), ("assignment_group", ""))
for field, default_val in fields:
val = event.get(field, default_val)
if val is None:
msg = ('Field "{}" is required by ServiceNow to '
'create incident').format(field)
self.logger.error(msg)
self._handle_error(msg)
return None
event_data[field] = val
if "ciIdentifier" in event:
ci_ident = event["ciIdentifier"]
elif "ciidentifier" in event:
ci_ident = event["ciidentifier"]
else:
ci_ident = event.get("ci_identifier", "")
event_data["configuration_item"] = ci_ident
if not event_data["correlation_id"].strip():
event_data["correlation_id"] = self._get_correlation_id(event)
self.logger.debug("event_data=%s", event_data)
return event_data
def _get_correlation_id(self, event):
return uuid.uuid1(clock_seq=int(time.time())).hex
def _get_table(self):
return "x_splu2_splunk_ser_u_splunk_incident"
def _get_ticket_link(self, sys_id):
link = "{}incident.do?sysparm_query=correlation_id={}".format(
self.snow_account["url"], sys_id)
return link
def _get_result(self, resp):
res = {
"Incident Number": resp["number"],
"Created": resp["sys_created_on"],
"Priority": resp["priority"],
"Updated": resp["sys_updated_on"],
"Short description": resp["short_description"],
"Category": resp["category"],
"Contact Type": resp["contact_type"],
"ciIdentifier": resp["configuration_item"],
"State": resp["state"],
"Sys Id": resp["sys_id"],
"Incident Link": self._get_ticket_link(resp["correlation_id"]),
"Correlation ID": resp["correlation_id"],
"Splunk URL": resp["splunk_url"],
"Caller": resp["caller_id"],
}
return res*

0 Karma
Reply

jscraig2006
Communicator
‎08-07-2019 02:53 PM

Did you add the mapping of the new field to the Service Now Splunk table x_splu2_splunk_ser_u_splunk_incident?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...