All Apps and Add-ons

getting error while adding custom fields in Splunk Add-on for ServiceNow

fisuser1
Contributor

getting the following while adding custom fields for the Splunk Add-on for ServiceNow. Alerts still appear to open incidents as expected, however error is occurring an not passing values. I've followed the following but still getting the errror.

Any suggestions?

2019-07-30 15:35:04,446 ERROR pid=109532 tid=MainThread file=snow_ticket.py:_do_event:124 | Failed to connect to https://atyourserviceportaldev2.service-now.com/api/now/table/x_splu2_splunk_ser_u_splunk_incident, error=Traceback (most recent call last):
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 120, in _do_event
result = self._handle_response(response, content)
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 208, in _handle_response
result = self._get_result(resp)
File "/data/splunk/etc/apps/Splunk_TA_snow/bin/snow_incident_base.py", line 75, in _get_result
"Caller": resp["caller_id"],
KeyError: 'caller_id'

edits in snow_incident_base.py

" # (field_name, default_value)
fields = (("category", None), ("short_description", None),
("contact_type", None), ("splunk_url", url), ("urgency", ""),
("subcategory", ""), ("state", "4"), ("comments", ""),
("location", ""), ("impact", "3"),
("correlation_id", ""), ("caller_id", "splunk"),
("priority", "4"), ("assignment_group", ""))

" res = {
"Incident Number": resp["number"],
"Created": resp["sys_created_on"],
"Priority": resp["priority"],
"Updated": resp["sys_updated_on"],
"Short description": resp["short_description"],
"Category": resp["category"],
"Contact Type": resp["contact_type"],
"ciIdentifier": resp["configuration_item"],
"State": resp["state"],
"Sys Id": resp["sys_id"],
"Incident Link": self._get_ticket_link(resp["correlation_id"]),
"Correlation ID": resp["correlation_id"],
"Splunk URL": resp["splunk_url"],
"Caller": resp["caller_id"]," "

0 Karma

fisuser1
Contributor

adding the entire script for reference:

import uuid
import time
import os
import snow_ticket as st
class SnowIncidentBase(st.SnowTicket):
def _prepare_data(self, event):
event_data = {}
url = os.environ.get("SPLUNK_ARG_6", "")
# (field_name, default_value)
fields = (("category", None), ("short_description", None),
("contact_type", None), ("splunk_url", url), ("urgency", ""),
("subcategory", ""), ("state", "4"), ("comments", ""),
("location", ""), ("impact", "3"),
("correlation_id", ""), *
("caller_id", "splunk"),**
("priority", "4"), ("assignment_group", ""))
for field, default_val in fields:
val = event.get(field, default_val)
if val is None:
msg = ('Field "{}" is required by ServiceNow to '
'create incident').format(field)
self.logger.error(msg)
self._handle_error(msg)
return None
event_data[field] = val
if "ciIdentifier" in event:
ci_ident = event["ciIdentifier"]
elif "ciidentifier" in event:
ci_ident = event["ciidentifier"]
else:
ci_ident = event.get("ci_identifier", "")
event_data["configuration_item"] = ci_ident
if not event_data["correlation_id"].strip():
event_data["correlation_id"] = self._get_correlation_id(event)
self.logger.debug("event_data=%s", event_data)
return event_data
def _get_correlation_id(self, event):
return uuid.uuid1(clock_seq=int(time.time())).hex
def _get_table(self):
return "x_splu2_splunk_ser_u_splunk_incident"
def _get_ticket_link(self, sys_id):
link = "{}incident.do?sysparm_query=correlation_id={}".format(
self.snow_account["url"], sys_id)
return link
def _get_result(self, resp):
res = {
"Incident Number": resp["number"],
"Created": resp["sys_created_on"],
"Priority": resp["priority"],
"Updated": resp["sys_updated_on"],
"Short description": resp["short_description"],
"Category": resp["category"],
"Contact Type": resp["contact_type"],
"ciIdentifier": resp["configuration_item"],
"State": resp["state"],
"Sys Id": resp["sys_id"],
"Incident Link": self._get_ticket_link(resp["correlation_id"]),
"Correlation ID": resp["correlation_id"],
"Splunk URL": resp["splunk_url"],
"Caller": resp["caller_id"],
}
return res*

0 Karma

jscraig2006
Communicator

Did you add the mapping of the new field to the Service Now Splunk table x_splu2_splunk_ser_u_splunk_incident?

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...