All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: getting error while adding custom fields in Sp...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
getting error while adding custom fields in Splunk Add-on for ServiceNow
fisuser1
Contributor
07-30-2019
08:59 AM
getting the following while adding custom fields for the Splunk Add-on for ServiceNow. Alerts still appear to open incidents as expected, however error is occurring an not passing values. I've followed the following but still getting the errror.
Any suggestions?
2019-07-30 15:35:04,446 ERROR pid=109532 tid=MainThread file=snow_ticket.py:_do_event:124 | Failed to connect to https://atyourserviceportaldev2.service-now.com/api/now/table/x_splu2_splunk_ser_u_splunk_incident, error=Traceback (most recent call last):
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 120, in _do_event
result = self._handle_response(response, content)
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 208, in _handle_response
result = self._get_result(resp)
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_incident_base.py", line 75, in _get_result
"Caller": resp["caller_id"],
KeyError: 'caller_id'
edits in snow_incident_base.py
" # (field_name, default_value)
fields = (("category", None), ("short_description", None),
("contact_type", None), ("splunk_url", url), ("urgency", ""),
("subcategory", ""), ("state", "4"), ("comments", ""),
("location", ""), ("impact", "3"),
("correlation_id", ""), ("caller_id", "splunk"),
("priority", "4"), ("assignment_group", ""))
" res = {
"Incident Number": resp["number"],
"Created": resp["sys_created_on"],
"Priority": resp["priority"],
"Updated": resp["sys_updated_on"],
"Short description": resp["short_description"],
"Category": resp["category"],
"Contact Type": resp["contact_type"],
"ciIdentifier": resp["configuration_item"],
"State": resp["state"],
"Sys Id": resp["sys_id"],
"Incident Link": self._get_ticket_link(resp["correlation_id"]),
"Correlation ID": resp["correlation_id"],
"Splunk URL": resp["splunk_url"],
"Caller": resp["caller_id"]," "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fisuser1
Contributor
07-30-2019
09:04 AM
adding the entire script for reference:
import uuid
import time
import os
import snow_ticket as st
class SnowIncidentBase(st.SnowTicket):
def _prepare_data(self, event):
event_data = {}
url = os.environ.get("SPLUNK_ARG_6", "")
# (field_name, default_value)
fields = (("category", None), ("short_description", None),
("contact_type", None), ("splunk_url", url), ("urgency", ""),
("subcategory", ""), ("state", "4"), ("comments", ""),
("location", ""), ("impact", "3"),
("correlation_id", ""), *("caller_id", "splunk"),**
("priority", "4"), ("assignment_group", ""))
for field, default_val in fields:
val = event.get(field, default_val)
if val is None:
msg = ('Field "{}" is required by ServiceNow to '
'create incident').format(field)
self.logger.error(msg)
self._handle_error(msg)
return None
event_data[field] = val
if "ciIdentifier" in event:
ci_ident = event["ciIdentifier"]
elif "ciidentifier" in event:
ci_ident = event["ciidentifier"]
else:
ci_ident = event.get("ci_identifier", "")
event_data["configuration_item"] = ci_ident
if not event_data["correlation_id"].strip():
event_data["correlation_id"] = self._get_correlation_id(event)
self.logger.debug("event_data=%s", event_data)
return event_data
def _get_correlation_id(self, event):
return uuid.uuid1(clock_seq=int(time.time())).hex
def _get_table(self):
return "x_splu2_splunk_ser_u_splunk_incident"
def _get_ticket_link(self, sys_id):
link = "{}incident.do?sysparm_query=correlation_id={}".format(
self.snow_account["url"], sys_id)
return link
def _get_result(self, resp):
res = {
"Incident Number": resp["number"],
"Created": resp["sys_created_on"],
"Priority": resp["priority"],
"Updated": resp["sys_updated_on"],
"Short description": resp["short_description"],
"Category": resp["category"],
"Contact Type": resp["contact_type"],
"ciIdentifier": resp["configuration_item"],
"State": resp["state"],
"Sys Id": resp["sys_id"],
"Incident Link": self._get_ticket_link(resp["correlation_id"]),
"Correlation ID": resp["correlation_id"],
"Splunk URL": resp["splunk_url"],
"Caller": resp["caller_id"],
}
return res*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jscraig2006
Communicator
08-07-2019
02:53 PM
Did you add the mapping of the new field to the Service Now Splunk table x_splu2_splunk_ser_u_splunk_incident?
Get Updates on the Splunk Community!
.conf25 Registration is OPEN!
Ready. Set. Splunk!
Your favorite Splunk user event is back and better than ever. Get ready for more technical ...
Detecting Cross-Channel Fraud with Splunk
This article is the final installment in our three-part series exploring fraud detection techniques using ...
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
