Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Alerts generated through Service now incident..

vijreddy30
Loves-to-Learn Everything
‎12-25-2023 12:28 AM

Hi Team,

In my requirement, if any splunk servers are got failed, need to be generated Services now incidents need to be created automatically...

 

How do we write the query and how do we configure Service now incidents, please help me 

 

 

Labels (2)
Labels
0 Karma
Reply

vijreddy30
Loves-to-Learn Everything
‎12-27-2023 12:21 AM

Hi Team,

 

I am trying to below query, it showing the all servers are up, I tested one server stopped and checked  it's not showing Down status, please fine the below query

index="_internal"
| eval host=lower(host)
| stats count BY host
| append [ | eval host=lower(host) ]
| eval status=if(total=0,"Down","up")
| table host status

 

Please letme know exact query on that.

0 Karma
Reply

marnall
Motivator
‎12-25-2023 03:12 PM

You would probably find the splunk Add-on for ServiceNow useful: https://splunkbase.splunk.com/app/1928

As for the query, you could compare the list of splunk server names active now versus the servers active a few days ago. e.g.

index=_internal host="*splunknamescheme*" OR host IN (splunkserver1, splunkserver2) earliest=-3d latest=-2d 
| dedup host 
| table host
| search NOT [search index=_internal host="*splunknamescheme*" OR host IN (splunkserver1, splunkserver2) earliest=-1d
| dedup host 
| table host]

 Then you can add an Alert Action to the alert and make it create an incident: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usecustomalertactions

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...