Splunk Dev

How do you send Splunk search results to a ServiceNow table?

loganwilcox
Engager

I have some data in Splunk that I would like to send over to a custom ServiceNow table for record creation. Right now, I am trying to do this with a custom search command that invokes a Python script. The Python script makes a REST API post request to the ServiceNow table.

The script is making contact with the ServiceNow table, but I am having trouble sending actual field values from the Splunk search results to the ServiceNow table. For example, my Splunk search results contain fields such as "asset ip address" "asset name" "cve", and I would like to send the field values for each of those fields to the matching columns in the ServiceNow table. If anyone knows how to send actual field values from search results to a SNOW table using a custom search command / python script, your assistance would be greatly appreciated.

Here is the script I have been trying:

#Need to install requests package for python
#easy_install requests
import requests
import math
import csv
import sys
import re
import time
import splunk.Intersplunk

#Test 1
# Custom streaming command to pass events
 def customcommand(results):
    try:

      for result in results:
        u_asset_ip_address = result['Asset IP Address']
        u_asset_names = result['Asset Names']
        u_asset_os_name = result['Asset OS Name']
        u_asset_risk_score = result['Asset Risk Score']
        u_exploit_count = result['Exploit Count']
        u_malware_kit_count = result['Malware Kit Count']
        u_service_name = result['Service Name']
        u_service_port = result['Service Port']
        u_service_product = result['Service Product']
        u_service_protocol = result['Service Protocol']
        u_site_names = result['Site Name']
        u_vulnerability_age = result['Vulnerability Age']
        u_vulnerability_cve_ids = result['Vulnerability CVE IDs']
        u_vulnerability_cvssv3_score = result['Vulnerability CVSSv3 Score']
        u_vulnerability_id = result['Vulnerability ID']
        u_vulnerability_proof = result['Vulnerability Proof'']
        u_vulnerability_risk_score = result['Vulnerability Risk Score']
        u_vulnerability_reference_ids = result['Vulnerability Reference IDs']
        u_vulnerability_severity_level = result['Vulnerability Severity Level']
        u_vulnerability_title = result['Vulnerability Title']
        u_vulnerable_since = result['Vulnerable Since']

    except:
        import traceback
        stack =  traceback.format_exc()

# Get the events from splunk
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
# Send the events to be worked on
results = customcommand(results)

# Set the request parameters
url = 'https://<url>/api/now/import/u_splunk_vulnerability_import'

# Eg. User name="admin", Password="admin" for this code sample.
user = 'user'
pwd = 'pass'

# Set proper headers
headers = {"Content-Type":"application/json","Accept":"application/json"}

# Do the HTTP request
response = requests.post(url, auth=(user, pwd), headers=headers ,data="{\"u_asset_ip_address\":\"'{u_asset_ip_address}'\",\"u_asset_names\":\"'{u_asset_names}'\",\"u_asset_os_name\":\"'{u_asset_os_name}'\",\"u_asset_risk_score\":\"'{u_asset_risk_score}'\",\"u_exploit_count\":\"'{u_exploit_count}'\",\"u_malware_kit_count\":\"'{u_malware_kit_count}'\",\"u_service_name\":\"'{u_service_name}'\",\"u_service_port\":\"'{u_service_port}'\",\"u_service_product\":\"'{u_service_product}'\",\"u_service_protocol\":\"'{u_service_protocol}'\",\"u_site_names\":\"'{u_site_names}'\",\"u_vulnerability_age\":\"'{u_vulnerability_age}'\",\"u_vulnerability_cve_ids\":\"'{u_vulnerability_cve_ids}'\",\"u_vulnerability_cvssv3_score\":\"'{u_vulnerability_cvssv3_score}'\",\"u_vulnerability_id\":\"'{u_vulnerability_id}'\",\"u_vulnerability_proof\":\"'{u_vulnerability_proof}'\",\"u_vulnerability_reference_ids\":\"'{u_vulnerability_reference_ids}'\",\"u_vulnerability_risk_score\":\"'{u_vulnerability_risk_score}'\",\"u_vulnerability_severity_level\":\"'{u_vulnerability_severity_level}'\",\"u_vulnerability_title\":\"'{u_vulnerability_title}'\",\"u_vulnerable_since\":\"'{u_vulnerable_since}'\",\"sys_target_table\":\"\"}")

# Check for HTTP codes other than 200
if response.status_code != 200: 
print('Status:', response.status_code, 'Headers:', response.headers, 'Error Response:',response.json())
exit()

# Decode the JSON response into a dictionary and use the data
data = response.json()
print(data)
Labels (2)

lijuj
Explorer
#Need to install requests package for python
#easy_install requests
import requests

# Set the request parameters
url = 'https://xxxxx.service-now.com/api/now/table/u_splunk_vulnerability_import'

# Eg. User name="admin", Password="admin" for this code sample.
user = 'admin'
pwd = 'admin'

# Set proper headers
headers = {"Content-Type":"application/json","Accept":"application/json"}

# Do the HTTP request
response = requests.post(url, auth=(user, pwd), headers=headers ,data="{\"description\":\"Test desc\",\"state\":\"3\",\"impact\":\"4\",\"priority\":\"3\"}")

# Check for HTTP codes other than 200
if response.status_code != 200: 
    print('Status:', response.status_code, 'Headers:', response.headers, 'Error Response:',response.json())
    exit()

# Decode the JSON response into a dictionary and use the data
data = response.json()
print(data)

loganwilcox
Engager

I understand that this is the basic format for sending data, but this does not accomplish my goal of sending field values from a search. I want to send field values for each search result to the matching column in my servicenow table.

0 Karma

suser2019
Explorer

were you able to figure out how to send field values from search to servicenow incident table?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...