Hello,
I have installed the ServiceNow Add-on app, and my ServiceNow administrator has followed all the steps needed on the ServiceNow side.
Using the alert action with the ServiceNow incident integration works fine and creates incidents in ServiceNow. However, there are only a limited number of fields we can define in the ServiceNow alert action; for example, we cannot define the field IMPACT, and ServiceNow auto-assigns the impact.
index=os host=* sourcetype=cpu cpu=all NOT( 
    [| inputlookup servers.csv 
    | where status="decom" OR status="complete blacklist" OR status="DC Outage" 
    | rename target as host 
    | table host]) 
| eval PercentCPULoad = 100 - pctIdle 
| stats min(PercentCPULoad) as PercentCPULoad by host 
| eval hostname=upper(mvindex(split(host,"."),0)) 
| where PercentCPULoad >= 90 
| eval timestamp=strftime(now(),"%Y-%m-%d %H:%M:%S") 
| eval Impact = 1 
| snowincident --account "ServiceNow Dev" --category "Hardware" --correlation_id timestamp.":".hostname --impact 1 --state 1 --contact_type "Email" --short_description "Nishad - Splunk Created - CPU utilization is".PercentCPULoad." on ".hostname." Threshold - 90 <= ".PercentCPULoad." <=100" --assignment_group "Tools Testing Group" ci_identifier=hostname
However, this doesn't work and I get the error message below:
Error in 'snowincident' command: This command must be the first command of a search.
As per the Splunk documentation, there are certain steps that we need to carry out on the ServiceNow server to integrate with Splunk; my SNOW administrator confirmed that he has followed all the steps in the documentation below.
Can you please suggest what is missing? For searching I am using the SNOW_TA app, and the command 'snowincident' is not detected.
Use the snowincidentstream command instead.
Convert the --account "ServiceNow Dev" --category "Hardware" --correlation_id timestamp.":".hostname --impact 1 --state 1 --contact_type "Email" --short_description "Nishad - Splunk Created - CPU utilization is".PercentCPULoad." on ".hostname." Threshold - 90 <= ".PercentCPULoad." <=100" --assignment_group "Tools Testing Group" ci_identifier=hostname part of your search to eval statements and then add | snowincidentstream at the end.
Example from above documentation:
The following example search creates an incident when CPU usage is 95 or higher.
sourcetype="CPURates" earliest=-5m latest=now 
| stats avg(CPU) as CPU last(_time) as time by host 
| where CPU>=95 | eval contact_type="email" 
| eval ci_identifier=host | eval priority="1" 
| eval category="Software" | eval subcategory="database" 
| eval short_description="CPU on ". host ." is at ". CPU 
| eval account="user1"
| snowincidentstream
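The poster's search rewritten the way the answer describes, as an added example that is not part of the original post or of the Splunk Add-on for ServiceNow documentation: every `--argument` of the generating `snowincident` command becomes an `eval` that sets a field of the same name, and the streaming `snowincidentstream` command is appended at the end so it can run after `stats` and `where`. The account name "ServiceNow Dev" and the field names impact, state, assignment_group and correlation_id are taken from the poster's own command line; whether each of those is accepted by the add-on version in use is an assumption (the thread later notes that not every ServiceNow field is mapped by the add-on), so check the command's reference page for your version before relying on them.

```spl
index=os host=* sourcetype=cpu cpu=all NOT(
    [| inputlookup servers.csv
     | where status="decom" OR status="complete blacklist" OR status="DC Outage"
     | rename target as host
     | table host])
| eval PercentCPULoad = 100 - pctIdle
| stats min(PercentCPULoad) as PercentCPULoad by host
| eval hostname=upper(mvindex(split(host,"."),0))
| where PercentCPULoad >= 90
| eval timestamp=strftime(now(),"%Y-%m-%d %H:%M:%S")
| eval account="ServiceNow Dev"
| eval category="Hardware"
| eval correlation_id=timestamp.":".hostname
| eval impact="1"
| eval state="1"
| eval contact_type="Email"
| eval short_description="Nishad - Splunk Created - CPU utilization is ".PercentCPULoad." on ".hostname." Threshold - 90 <= ".PercentCPULoad." <= 100"
| eval assignment_group="Tools Testing Group"
| eval ci_identifier=hostname
| table account category correlation_id impact state contact_type short_description assignment_group ci_identifier
| snowincidentstream
```

The closing `table` is deliberate: it limits the result rows to the fields the command is meant to send, so a stray field that happens to share a ServiceNow column name (for example a `state` or `assigned_to` value carried in from the raw events or the lookup) is not silently written into the incident. Note also that `correlation_id` built from `now()` and the hostname changes on every run of the alert, so it will not deduplicate repeated firings for the same host; if that is the goal, build it from the hostname and the condition alone.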
Hello, thanks Spayneort.
Yes, I tried this and it works as expected. Though there is one glitch, at least from the ServiceNow implementation side.
I cannot pass certain arguments, for example description, which maps to the ServiceNow description field.
The ServiceNow TA app Python files come with default parameters, and unfortunately not all fields are available.
For example, I want to pass the description; even with eval it doesn't get mapped to the description field in ServiceNow because incident_base.py is missing that field. Any idea how we can pass more custom fields?
See https://answers.splunk.com/answers/736869 for instructions on adding additional fields.
There is also https://splunkbase.splunk.com/app/4811/. This app does not require the integration to be set up on the ServiceNow side and allows more fields to be used by default.
Thank you once again, indeed this is a great help. As per the post https://answers.splunk.com/answers/736869, I am not interested in the UI, so following the first two steps will give me the required fields, right? I don't want to make changes in the HTML since I am not using the UI-based alert action.
try workflow
The workflow works for incident data you are bringing in from the ServiceNow database, where you can have a drill-down on a specific search/report/dashboard and it will open up the ServiceNow incident for details.
Hope this helps.
