My ServiceNow instance has custom fields on the Incident form that I need to set when raising an incident from Splunk using the official TA.
How can I do this?
Unfortunately, to achieve this you will need to make changes to the official TA. This isn't ideal because if you update the TA from Splunkbase in the future you will lose your changes. So keep this in mind before embarking, and ideally have some version control set up so you can easily track changes. That said, this is how you can add additional fields to the Splunk alert actions UI:
For this example I will be adding a new field called "description". These changes should be made on the Search head. If you have a SHCluster then do it on the SHDeployer and push from there.
1) Edit the file ./etc/apps/Splunk_TA_snow/bin/snow_incident_base.py
and near the top there is a list of all fields, add the new field like so:
2) Now edit the file ./etc/apps/Splunk_TA_snow/bin/snow_incident_m.py
and add the new field in two places like so:
3) Finally change the file ./etc/apps/Splunk_TA_snow/default/data/ui/alerts/snow_incident.html
and add a new UI element for the field:
(note due to the attachment limit, see the next comment on this question)
After making changes to the files in steps 1, 2 and 3, what is the step-by-step way to see the changes as indicated in the picture above?
This post is invaluable! Many thanks for this article.
Regards,
Hans
Excellent! Although your step 1 and step 2 images didn't post. I know it's been over several months since this post. Would you be able to upload step 1 and 2 images? Thanks
Thank you 🙂
(continued from other answer)
4) Now restart your search head and you should see the new field in the alert action UI:
5) Trigger the alert to make the REST call to ServiceNow. You should now go see your friendly ServiceNow administrator and ask them to please update the mapping in the Splunk transform table to map the new field to the equivalent field on the Incident form. It's a couple of clicks which hopefully they can do for you on the spot. I think the table with the mapping is x_splu2_splunk_ser_u_splunk_incident, but if they already installed the app or update set for you, then they should be able to find it pretty easily.
Hope this helps others, please upvote if it is useful to you!
Thanks for posting all of this information. I have made all of these changes and the ServiceNow admin has done the mapping, however when I try to adhoc invoke the incident creation I receive the following error:
""ServiceNow Incident Integration" could not be dispatched:
ModularActionException: Invalid parameter for adhoc modular action"
I've been struggling with this for days and cannot find a solution. Any ideas?
I am also not able to see both of the above images. Tried different browsers 😞
Thank you for posting this. I would like to give this a try. The two screenshots you added are not available. Can you try uploading them again?
Thank you.
OK, done. I had to put them on a third-party site, so hopefully corporate firewalls don't block them.
The steps below will help you add any custom fields to the latest ServiceNow TA app. The official TA app doesn't come with the description field, and we have to configure it manually.
I will be adding a new field called "description". These changes should be made on the Search head. If you have a SHCluster then do it on the Deployer and push from there.
Thank you, I managed to make it work on my Splunk instance thanks to your input. This is a really valuable article.