
snowincident command not working, it's not getting detected as a search/SPL command

nishad_tupe
Explorer

Hello,

I have installed Service Now Add on App, my service now administrator has followed all the steps needed from the Service now side.
Using the alert action with ServiceNow incident integration works fine and creates incidents in service now. However, we have limited fields that we can define in the ServiceNow alert action like we cannot define field IMPACT and Servicenow auto assigns the impact.

So I wanted to use a custom generating command that gives me the flexibility to generate the ServiceNow incident with additional fields as parameters. Here is my search (my alert condition: if servers exceed 90% CPU, raise a ServiceNow incident):

index=os host=* sourcetype=cpu cpu=all NOT(
[| inputlookup servers.csv
| where status="decom" OR status="complete blacklist" OR status="DC Outage"
| rename target as host
| table host])
| eval PercentCPULoad = 100 - pctIdle
| stats min(PercentCPULoad) as PercentCPULoad by host
| eval hostname=upper(mvindex(split(host,"."),0))
| where PercentCPULoad >= 90
| eval timestamp=strftime(now(),"%Y-%m-%d %H:%M:%S")
| eval Impact = 1
| snowincident --account "ServiceNow Dev" --category "Hardware" --correlation_id timestamp.":".hostname --impact 1 --state 1 --contact_type "Email" --short_description "Nishad - Splunk Created - CPU utilization is".PercentCPULoad." on ".hostname." Threshold - 90 <= ".PercentCPULoad." <=100" --assignment_group "Tools Testing Group" ci_identifier=hostname

However, this doesn't work and I get the error message below.
*Error in 'snowincident' command: This command must be the first command of a search. *

As per the Splunk documentation, there are certain steps that we need to carry out on the ServiceNow server to integrate with Splunk; my SNOW administrator confirmed that he has followed all the steps as per the documentation below.

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/ConfigureServiceNowtointegratewithS...

Can you please suggest what is missing? I am searching from the SNOW_TA app, and the command 'snowincident' is not detected.

1 Solution

spayneort
Contributor

Use the snowincidentstream command instead.

Convert the --account "ServiceNow Dev" --category "Hardware" --correlation_id timestamp.":".hostname --impact 1 --state 1 --contact_type "Email" --short_description "Nishad - Splunk Created - CPU utilization is".PercentCPULoad." on ".hostname." Threshold - 90 <= ".PercentCPULoad." <=100" --assignment_group "Tools Testing Group" ci_identifier=hostname part of your search to eval statements and then add | snowincidentstream at the end.

Example from above documentation:

The following example search creates an incident when CPU usage is 95 or higher.

sourcetype="CPURates" earliest=-5m latest=now 
| stats avg(CPU) as CPU last(_time) as time by host 
| where CPU>=95 | eval contact_type="email" 
| eval ci_identifier=host | eval priority="1" 
| eval category="Software" | eval subcategory="database" 
| eval short_description="CPU on ". host ." is at ". CPU 
| eval account="user1"
| snowincidentstream


nishad_tupe
Explorer

Hello, thanks Spayneort -
Yes, I tried this and it works as expected. Though there is one glitch, at least from the ServiceNow implementation side.
I cannot pass certain arguments, e.g. description, which maps to the ServiceNow description field.
The ServiceNow TA App Python files come with default parameters and unfortunately not all fields are available.
For example, even when I pass description via eval, it doesn't get mapped to the description field in ServiceNow because incident_base.py is missing that field. Any idea how we can pass more custom fields?


spayneort
Contributor

See https://answers.splunk.com/answers/736869 for instructions on adding additional fields.

There is also https://splunkbase.splunk.com/app/4811/. This app does not require the integration to be set up on the ServiceNow side and allows more fields to be used by default.


nishad_tupe
Explorer

Thank you once again, indeed this is a great help. As per the post https://answers.splunk.com/answers/736869, I am not interested in the UI, so following the first two steps will give me the required fields, right? I don't want to make changes in the HTML since I am not using a UI-based alert action.


to4kawa
Ultra Champion

Try workflow.


nishad_tupe
Explorer

The workflow works for incident data you are bringing in from the ServiceNow database, where you can have a drilldown on a specific search/report/dashboard and it will open up the ServiceNow incident for details.
Hope this helps.
