I have a use case to send data from Splunk to SNOW. I noticed there are a bunch of scripts available in the ServiceNow add-on; has anyone tried this effort?
Please let me know your thoughts.
Hope this might help anyone who wants to implement this use case.
1. Develop a custom alert action using Splunk Add-on Builder that will send report results to ServiceNow.
2. Develop a script which can send data into ServiceNow.
3. Develop a scheduled report that runs on the search head (the Splunk alert action will run after a scheduled report runs on the search head).
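
A sketch of the script from step 2, written as a Splunk custom alert action that posts each result row to the ServiceNow Table API; it is an added example, not code from the posters or from the ServiceNow add-on. The configuration parameter names (`instance_url`, `table`, `username`, `field_map`) and the `SNOW_PASSWORD` environment variable are assumptions.

```python
import base64
import csv
import gzip
import json
import os
import re
import sys
import urllib.request

TABLE_RE = re.compile(r"[a-z0-9_]+")  # table name must not be able to alter the URL path


def read_results(path):
    """Read the gzipped results CSV Splunk hands to alert actions; drop __mv_* columns."""
    with gzip.open(path, "rt", newline="") as fh:
        return [{k: v for k, v in row.items() if not k.startswith("__mv_")}
                for row in csv.DictReader(fh)]


def build_request(instance_url, table, user, password, row, field_map):
    """Build one Table API POST carrying only the mapped, non-empty fields of a row."""
    if not instance_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-TLS URL")
    if not TABLE_RE.fullmatch(table):
        raise ValueError("unexpected table name: %r" % table)
    body = {dst: row[src] for src, dst in field_map.items() if row.get(src)}
    if not body:
        raise ValueError("no mapped fields present in result row")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return urllib.request.Request(
        "%s/api/now/table/%s" % (instance_url.rstrip("/"), table),
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Basic " + token, "Content-Type": "application/json"})


def main():
    payload = json.load(sys.stdin)   # Splunk passes the alert payload as JSON on stdin
    cfg = payload["configuration"]   # hypothetical parameter names; secret comes from env
    field_map = json.loads(cfg["field_map"])  # e.g. {"host": "name"} (Splunk field -> column)
    for row in read_results(payload["results_file"]):
        req = build_request(cfg["instance_url"], cfg["table"], cfg["username"],
                            os.environ["SNOW_PASSWORD"], row, field_map)
        with urllib.request.urlopen(req, timeout=30) as resp:
            if resp.status != 201:   # the Table API answers 201 Created on insert
                sys.stderr.write("ERROR unexpected status %s\n" % resp.status)


if __name__ == "__main__" and sys.argv[1:2] == ["--execute"]:
    main()
```

The explicit field map means a row whose Splunk field names do not match the target table's columns is rejected before anything is sent, and the service account only needs create rights on the one table named in the configuration.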
Thanks @isoutamo for your response. Yes, we have installed the Splunk Add-on for ServiceNow.
We have a report that we would like to post to a CMDB table in SNOW.
Under Report --> Trigger --> we selected ServiceNow Incident Integration and passed the account and API endpoint details, but the data is not posting to the CMDB table. Instead it is hitting the temp table, all the fields which we pass are blank in that temp table, and we are seeing an error message in the last column of that temp table.
Any advice or suggestions would be helpful.

Have you checked that the SNOW + Splunk versions match what is required, and also installed those services/packages (or whatever that term was) on the SNOW side? Are the required users also created and granted rights to use those services/tables on the SNOW side?
r. Ismo
Yes, both are running on the updated versions, and in order to set up an account in Splunk, a service account was set up in ServiceNow and all necessary privileges have been granted to that account.
So we configured this add-on using the account provided by ServiceNow.
We were able to successfully ingest data from ServiceNow to Splunk, but the problem we are facing is sending the data from Splunk to ServiceNow.

This sounds like there is still something undone on the SNOW side (missing rights or integration package). What did your logs say when you tried to update SNOW?
@isoutamo We are using Splunk Cloud and this add-on is installed on the Splunk IDM. Usually we don't have privileges to update the add-on; we usually place a support ticket to update our apps and add-ons on the IDM and SH.
I still doubt whether I am using the right option of the Splunk Add-on for ServiceNow (ServiceNow Incident Integration) for sending the data from Splunk to ServiceNow, because the majority of users are using this add-on for getting data into Splunk from SNOW.

As this says, https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/About, you could also create incidents on the SNOW side, BUT this requires that the Splunk user which is configured in the add-on has the needed rights for SNOW's internal tables / integration application to create those incidents etc. in SNOW from the SH(/C). Without those rights/integration application you can only query that data from SNOW via the REST API.
Those rights / integration application must be enabled on the ServiceNow side, not on the Splunk side!
r. Ismo
Yes @isoutamo, we have permissions for the ServiceNow table; however, when we are sending the data from the ServiceNow add-on in the form of an incident, the data is not populating in the ServiceNow table due to compatibility issues (maybe data format).
If this add-on feature is not an option, what are the other options that I can test with?
@richgalloway Do you have any idea on this request? I got stuck with this and am trying to figure out an option to send this data from Splunk.

Hi
I have used some previous version of this https://splunkbase.splunk.com/app/1928/#/overview (2y ago?). At that time it worked OK, but you need to follow those instructions and ensure that all versions match and also that the needed components and users are created on both sides (Splunk + SNOW).
What kind of issue do you have? Unfortunately I don't have a SNOW installation on hand now, but maybe I could still give you some hints.
r. Ismo
