What exactly do you need help with? I am ingesting incs, chgs, cmbds, etc, and am also dynamically creating snow tickets using Splunk (creating lockout tickets).

I also have a snow dashboard I created displaying a bunch of metrics. This is the base search:

index=main sourcetype=snow:incident dv_number="$ticket$" OR ticket_id="$ticket$" OR number="$ticket$" |   
  eval inc=if(isnull(ticket_id),dv_number,ticket_id) | eval inc=if(isnull(inc),number,inc) | 
  rex field=dv_assigned_to "[\s\S]*\((?<dv_assigned_to_id>\S*)\)[\s\S]*" | eval dv_assigned_to_id=lower(dv_assigned_to_id) | eval dv_assignment_group=lower(dv_assignment_group) | 
  eval dv_sys_mod_count=if(isnull(dv_sys_mod_count),0,dv_sys_mod_count) |
lookup "snow_metrics_groups.csv" id as dv_assignment_group OUTPUTNEW group as lookup_assignment_group | lookup "snow_metrics_groups.csv" id as dv_assigned_to_id OUTPUTNEW group as lookup_assignment_group |
sort 0 - _time | table inc dv_short_description dv_caller_id dv_sys_created_by dv_assigned_to_id lookup_assignment_group dv_assignment_group dv_sys_created_on dv_sys_updated_on dv_closed_at dv_calendar_duration dv_business_duration dv_category dv_subcategory dv_state dv_close_code dv_priority dv_sys_mod_count reassignment_count dv_u_reopen_count dv_reassignment_count dv_u_parent_incident _time

(I have a lot of other code for this dashboard. The lookups are my own)

Let me know what you need