
getting error while adding custom fields in Splunk Add-on for ServiceNow

fisuser1
Contributor

Getting the following while adding custom fields for the Splunk Add-on for ServiceNow. Alerts still appear to open incidents as expected, however the error is occurring and not passing values. I've followed the following but am still getting the error.

Any suggestions?

2019-07-30 15:35:04,446 ERROR pid=109532 tid=MainThread file=snow_ticket.py:_do_event:124 | Failed to connect to https://atyourserviceportaldev2.service-now.com/api/now/table/x_splu2_splunk_ser_u_splunk_incident, error=Traceback (most recent call last):
  File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 120, in _do_event
    result = self._handle_response(response, content)
  File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 208, in _handle_response
    result = self._get_result(resp)
  File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_incident_base.py", line 75, in _get_result
    "Caller": resp["caller_id"],
KeyError: 'caller_id'

edits in snow_incident_base.py

        # (field_name, default_value)
        fields = (("category", None), ("short_description", None),
                  ("contact_type", None), ("splunk_url", url), ("urgency", ""),
                  ("subcategory", ""), ("state", "4"), ("comments", ""),
                  ("location", ""), ("impact", "3"),
                  ("correlation_id", ""), ("caller_id", "splunk"),
                  ("priority", "4"), ("assignment_group", ""))

        res = {
            "Incident Number": resp["number"],
            "Created": resp["sys_created_on"],
            "Priority": resp["priority"],
            "Updated": resp["sys_updated_on"],
            "Short description": resp["short_description"],
            "Category": resp["category"],
            "Contact Type": resp["contact_type"],
            "ciIdentifier": resp["configuration_item"],
            "State": resp["state"],
            "Sys Id": resp["sys_id"],
            "Incident Link": self._get_ticket_link(resp["correlation_id"]),
            "Correlation ID": resp["correlation_id"],
            "Splunk URL": resp["splunk_url"],
            "Caller": resp["caller_id"],

0 Karma

fisuser1
Contributor

adding the entire script for reference:

import uuid
import time
import os
import snow_ticket as st


class SnowIncidentBase(st.SnowTicket):

    def _prepare_data(self, event):
        event_data = {}
        url = os.environ.get("SPLUNK_ARG_6", "")
        # (field_name, default_value)
        fields = (("category", None), ("short_description", None),
                  ("contact_type", None), ("splunk_url", url), ("urgency", ""),
                  ("subcategory", ""), ("state", "4"), ("comments", ""),
                  ("location", ""), ("impact", "3"),
                  ("correlation_id", ""),
                  ("caller_id", "splunk"),
                  ("priority", "4"), ("assignment_group", ""))
        for field, default_val in fields:
            val = event.get(field, default_val)
            if val is None:
                msg = ('Field "{}" is required by ServiceNow to '
                       'create incident').format(field)
                self.logger.error(msg)
                self._handle_error(msg)
                return None
            event_data[field] = val
        if "ciIdentifier" in event:
            ci_ident = event["ciIdentifier"]
        elif "ciidentifier" in event:
            ci_ident = event["ciidentifier"]
        else:
            ci_ident = event.get("ci_identifier", "")
        event_data["configuration_item"] = ci_ident
        if not event_data["correlation_id"].strip():
            event_data["correlation_id"] = self._get_correlation_id(event)
        self.logger.debug("event_data=%s", event_data)
        return event_data

    def _get_correlation_id(self, event):
        return uuid.uuid1(clock_seq=int(time.time())).hex

    def _get_table(self):
        return "x_splu2_splunk_ser_u_splunk_incident"

    def _get_ticket_link(self, sys_id):
        link = "{}incident.do?sysparm_query=correlation_id={}".format(
            self.snow_account["url"], sys_id)
        return link

    def _get_result(self, resp):
        res = {
            "Incident Number": resp["number"],
            "Created": resp["sys_created_on"],
            "Priority": resp["priority"],
            "Updated": resp["sys_updated_on"],
            "Short description": resp["short_description"],
            "Category": resp["category"],
            "Contact Type": resp["contact_type"],
            "ciIdentifier": resp["configuration_item"],
            "State": resp["state"],
            "Sys Id": resp["sys_id"],
            "Incident Link": self._get_ticket_link(resp["correlation_id"]),
            "Correlation ID": resp["correlation_id"],
            "Splunk URL": resp["splunk_url"],
            "Caller": resp["caller_id"],
        }
        return res

0 Karma

jscraig2006
Communicator

Did you add the mapping of the new field to the Service Now Splunk table x_splu2_splunk_ser_u_splunk_incident?

0 Karma
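
The traceback in this thread shows the ticket being created and the failure happening afterwards, when `_get_result` indexes a key the ServiceNow response does not contain. The sketch below is an added example, not the add-on's own code and not posted by anyone in the thread: `build_result`, `CORE_FIELDS`, `CUSTOM_FIELDS` and the sample response are hypothetical or constructed, and it assumes custom fields are only returned when the target table has a matching field.

```python
import logging

logger = logging.getLogger("snow_result_example")

# Display label -> response key, taken from the _get_result() in the thread.
# "Incident Link" is left out because it needs the account URL.
CORE_FIELDS = {
    "Incident Number": "number", "Created": "sys_created_on",
    "Priority": "priority", "Updated": "sys_updated_on",
    "Short description": "short_description", "Category": "category",
    "Contact Type": "contact_type", "ciIdentifier": "configuration_item",
    "State": "state", "Sys Id": "sys_id",
    "Correlation ID": "correlation_id", "Splunk URL": "splunk_url",
}
# Locally added fields: present in the response only if the target table
# returns them (assumption based on the KeyError in the thread).
CUSTOM_FIELDS = {"Caller": "caller_id"}

# Constructed sample of a parsed response record without caller_id.
SAMPLE_RESPONSE = {
    "number": "INC0010001", "sys_created_on": "2019-07-30 15:35:04",
    "priority": "4", "sys_updated_on": "2019-07-30 15:35:04",
    "short_description": "constructed test alert", "category": "software",
    "contact_type": "email", "configuration_item": "", "state": "4",
    "sys_id": "0123456789abcdef0123456789abcdef",
    "correlation_id": "c0ffee", "splunk_url": "https://splunk.example/app",
}


def build_result(resp, core=CORE_FIELDS, custom=CUSTOM_FIELDS):
    """Return (result, missing_custom_keys) without raising on custom fields."""
    missing_core = sorted(k for k in core.values() if k not in resp)
    if missing_core:
        # A response without the stock fields is not a usable ticket record.
        raise ValueError("response lacks core fields: %s" % missing_core)
    result = {label: resp[key] for label, key in core.items()}
    missing = []
    for label, key in custom.items():
        if key in resp:
            result[label] = resp[key]
        else:
            missing.append(key)
            result[label] = ""
    if missing:
        logger.warning("response from ServiceNow has no field(s) %s; "
                       "check the field exists on the target table", missing)
    return result, missing


if __name__ == "__main__":
    print(build_result(SAMPLE_RESPONSE))
```

With this shape, a missing custom field produces a warning naming the key instead of a traceback logged as a connection failure.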