Splunk Dev

How do you send Splunk search results to a ServiceNow table?

loganwilcox
Engager

I have some data in Splunk that I would like to send over to a custom ServiceNow table for record creation. Right now, I am trying to do this with a custom search command that invokes a Python script. The Python script makes a REST API post request to the ServiceNow table.

The script is making contact with the ServiceNow table, but I am having trouble sending actual field values from the Splunk search results to the ServiceNow table. For example, my Splunk search results contain fields such as "asset ip address" "asset name" "cve", and I would like to send the field values for each of those fields to the matching columns in the ServiceNow table. If anyone knows how to send actual field values from search results to a SNOW table using a custom search command / python script, your assistance would be greatly appreciated.

Here is the script I have been trying:

#Need to install requests package for python
#easy_install requests
import requests
import math
import csv
import sys
import re
import time
import splunk.Intersplunk

#Test 1
# Custom streaming command to pass events
 def customcommand(results):
    try:

      for result in results:
        u_asset_ip_address = result['Asset IP Address']
        u_asset_names = result['Asset Names']
        u_asset_os_name = result['Asset OS Name']
        u_asset_risk_score = result['Asset Risk Score']
        u_exploit_count = result['Exploit Count']
        u_malware_kit_count = result['Malware Kit Count']
        u_service_name = result['Service Name']
        u_service_port = result['Service Port']
        u_service_product = result['Service Product']
        u_service_protocol = result['Service Protocol']
        u_site_names = result['Site Name']
        u_vulnerability_age = result['Vulnerability Age']
        u_vulnerability_cve_ids = result['Vulnerability CVE IDs']
        u_vulnerability_cvssv3_score = result['Vulnerability CVSSv3 Score']
        u_vulnerability_id = result['Vulnerability ID']
        u_vulnerability_proof = result['Vulnerability Proof'']
        u_vulnerability_risk_score = result['Vulnerability Risk Score']
        u_vulnerability_reference_ids = result['Vulnerability Reference IDs']
        u_vulnerability_severity_level = result['Vulnerability Severity Level']
        u_vulnerability_title = result['Vulnerability Title']
        u_vulnerable_since = result['Vulnerable Since']

    except:
        import traceback
        stack =  traceback.format_exc()

# Get the events from splunk
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
# Send the events to be worked on
results = customcommand(results)

# Set the request parameters
url = 'https://<url>/api/now/import/u_splunk_vulnerability_import'

# Eg. User name="admin", Password="admin" for this code sample.
user = 'user'
pwd = 'pass'

# Set proper headers
headers = {"Content-Type":"application/json","Accept":"application/json"}

# Do the HTTP request
response = requests.post(url, auth=(user, pwd), headers=headers ,data="{\"u_asset_ip_address\":\"'{u_asset_ip_address}'\",\"u_asset_names\":\"'{u_asset_names}'\",\"u_asset_os_name\":\"'{u_asset_os_name}'\",\"u_asset_risk_score\":\"'{u_asset_risk_score}'\",\"u_exploit_count\":\"'{u_exploit_count}'\",\"u_malware_kit_count\":\"'{u_malware_kit_count}'\",\"u_service_name\":\"'{u_service_name}'\",\"u_service_port\":\"'{u_service_port}'\",\"u_service_product\":\"'{u_service_product}'\",\"u_service_protocol\":\"'{u_service_protocol}'\",\"u_site_names\":\"'{u_site_names}'\",\"u_vulnerability_age\":\"'{u_vulnerability_age}'\",\"u_vulnerability_cve_ids\":\"'{u_vulnerability_cve_ids}'\",\"u_vulnerability_cvssv3_score\":\"'{u_vulnerability_cvssv3_score}'\",\"u_vulnerability_id\":\"'{u_vulnerability_id}'\",\"u_vulnerability_proof\":\"'{u_vulnerability_proof}'\",\"u_vulnerability_reference_ids\":\"'{u_vulnerability_reference_ids}'\",\"u_vulnerability_risk_score\":\"'{u_vulnerability_risk_score}'\",\"u_vulnerability_severity_level\":\"'{u_vulnerability_severity_level}'\",\"u_vulnerability_title\":\"'{u_vulnerability_title}'\",\"u_vulnerable_since\":\"'{u_vulnerable_since}'\",\"sys_target_table\":\"\"}")

# Check for HTTP codes other than 200
if response.status_code != 200: 
print('Status:', response.status_code, 'Headers:', response.headers, 'Error Response:',response.json())
exit()

# Decode the JSON response into a dictionary and use the data
data = response.json()
print(data)
Labels (2)

lijuj
Explorer
#Need to install requests package for python
#easy_install requests
import requests

# Set the request parameters
url = 'https://xxxxx.service-now.com/api/now/table/u_splunk_vulnerability_import'

# Eg. User name="admin", Password="admin" for this code sample.
user = 'admin'
pwd = 'admin'

# Set proper headers
headers = {"Content-Type":"application/json","Accept":"application/json"}

# Do the HTTP request
response = requests.post(url, auth=(user, pwd), headers=headers ,data="{\"description\":\"Test desc\",\"state\":\"3\",\"impact\":\"4\",\"priority\":\"3\"}")

# Check for HTTP codes other than 200
if response.status_code != 200: 
    print('Status:', response.status_code, 'Headers:', response.headers, 'Error Response:',response.json())
    exit()

# Decode the JSON response into a dictionary and use the data
data = response.json()
print(data)

loganwilcox
Engager

I understand that this is the basic format for sending data, but this does not accomplish my goal of sending field values from a search. I want to send field values for each search result to the matching column in my servicenow table.

0 Karma

suser2019
Explorer

were you able to figure out how to send field values from search to servicenow incident table?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...