All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

getting error while adding custom fields in Splunk Add-on for ServiceNow

fisuser1
Contributor
‎07-30-2019 08:59 AM

getting the following while adding custom fields for the Splunk Add-on for ServiceNow. Alerts still appear to open incidents as expected, however error is occurring an not passing values. I've followed the following but still getting the errror.

Any suggestions?

2019-07-30 15:35:04,446 ERROR pid=109532 tid=MainThread file=snow_ticket.py:_do_event:124 | Failed to connect to https://atyourserviceportaldev2.service-now.com/api/now/table/x_splu2_splunk_ser_u_splunk_incident, error=Traceback (most recent call last):
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 120, in _do_event
result = self._handle_response(response, content)
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 208, in _handle_response
result = self._get_result(resp)
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_incident_base.py", line 75, in _get_result
"Caller": resp["caller_id"],
KeyError: 'caller_id'

edits in snow_incident_base.py

" # (field_name, default_value)
fields = (("category", None), ("short_description", None),
("contact_type", None), ("splunk_url", url), ("urgency", ""),
("subcategory", ""), ("state", "4"), ("comments", ""),
("location", ""), ("impact", "3"),
("correlation_id", ""), ("caller_id", "splunk"),
("priority", "4"), ("assignment_group", ""))

" res = {
"Incident Number": resp["number"],
"Created": resp["sys_created_on"],
"Priority": resp["priority"],
"Updated": resp["sys_updated_on"],
"Short description": resp["short_description"],
"Category": resp["category"],
"Contact Type": resp["contact_type"],
"ciIdentifier": resp["configuration_item"],
"State": resp["state"],
"Sys Id": resp["sys_id"],
"Incident Link": self._get_ticket_link(resp["correlation_id"]),
"Correlation ID": resp["correlation_id"],
"Splunk URL": resp["splunk_url"],
"Caller": resp["caller_id"]," "

0 Karma
Reply

fisuser1
Contributor
‎07-30-2019 09:04 AM

adding the entire script for reference:

import uuid
import time
import os
import snow_ticket as st
class SnowIncidentBase(st.SnowTicket):
def _prepare_data(self, event):
event_data = {}
url = os.environ.get("SPLUNK_ARG_6", "")
# (field_name, default_value)
fields = (("category", None), ("short_description", None),
("contact_type", None), ("splunk_url", url), ("urgency", ""),
("subcategory", ""), ("state", "4"), ("comments", ""),
("location", ""), ("impact", "3"),
("correlation_id", ""), *("caller_id", "splunk"),**
("priority", "4"), ("assignment_group", ""))
for field, default_val in fields:
val = event.get(field, default_val)
if val is None:
msg = ('Field "{}" is required by ServiceNow to '
'create incident').format(field)
self.logger.error(msg)
self._handle_error(msg)
return None
event_data[field] = val
if "ciIdentifier" in event:
ci_ident = event["ciIdentifier"]
elif "ciidentifier" in event:
ci_ident = event["ciidentifier"]
else:
ci_ident = event.get("ci_identifier", "")
event_data["configuration_item"] = ci_ident
if not event_data["correlation_id"].strip():
event_data["correlation_id"] = self._get_correlation_id(event)
self.logger.debug("event_data=%s", event_data)
return event_data
def _get_correlation_id(self, event):
return uuid.uuid1(clock_seq=int(time.time())).hex
def _get_table(self):
return "x_splu2_splunk_ser_u_splunk_incident"
def _get_ticket_link(self, sys_id):
link = "{}incident.do?sysparm_query=correlation_id={}".format(
self.snow_account["url"], sys_id)
return link
def _get_result(self, resp):
res = {
"Incident Number": resp["number"],
"Created": resp["sys_created_on"],
"Priority": resp["priority"],
"Updated": resp["sys_updated_on"],
"Short description": resp["short_description"],
"Category": resp["category"],
"Contact Type": resp["contact_type"],
"ciIdentifier": resp["configuration_item"],
"State": resp["state"],
"Sys Id": resp["sys_id"],
"Incident Link": self._get_ticket_link(resp["correlation_id"]),
"Correlation ID": resp["correlation_id"],
"Splunk URL": resp["splunk_url"],
"Caller": resp["caller_id"],
}
return res*

0 Karma
Reply

jscraig2006
Communicator
‎08-07-2019 02:53 PM

Did you add the mapping of the new field to the Service Now Splunk table x_splu2_splunk_ser_u_splunk_incident?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top