Getting Data In

Understanding how to use snowincident for servicenow/splunk integration

asuh
New Member

Hello,

I am really confused about how to use the snow commands, such as the ones listed here: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts. I do not understand how to set up the snow stuff, as I only created the integration between ServiceNow and Splunk today. Any help would be greatly appreciated. Thank you.

0 Karma

simhadri_98
New Member

Why are ServiceNow fields shown as dv_fieldname in Splunk?

For example: assignment_group is shown as dv_assignment_group.

0 Karma

nick405060
Motivator

What exactly do you need help with? I am ingesting incs, chgs, cmdbs, etc., and am also dynamically creating snow tickets using Splunk (creating lockout tickets).

I also have a snow dashboard I created displaying a bunch of metrics. This is the base search:

  index=main sourcetype=snow:incident (dv_number="$ticket$" OR ticket_id="$ticket$" OR number="$ticket$")
  | eval inc=if(isnull(ticket_id),dv_number,ticket_id)
  | eval inc=if(isnull(inc),number,inc)
  | rex field=dv_assigned_to "[\s\S]*\((?<dv_assigned_to_id>\S*)\)[\s\S]*"
  | eval dv_assigned_to_id=lower(dv_assigned_to_id)
  | eval dv_assignment_group=lower(dv_assignment_group)
  | eval dv_sys_mod_count=if(isnull(dv_sys_mod_count),0,dv_sys_mod_count)
  | lookup "snow_metrics_groups.csv" id as dv_assignment_group OUTPUTNEW group as lookup_assignment_group
  | lookup "snow_metrics_groups.csv" id as dv_assigned_to_id OUTPUTNEW group as lookup_assignment_group
  | sort 0 - _time
  | table inc dv_short_description dv_caller_id dv_sys_created_by dv_assigned_to_id lookup_assignment_group dv_assignment_group dv_sys_created_on dv_sys_updated_on dv_closed_at dv_calendar_duration dv_business_duration dv_category dv_subcategory dv_state dv_close_code dv_priority dv_sys_mod_count reassignment_count dv_u_reopen_count dv_reassignment_count dv_u_parent_incident _time

(I have a lot of other code for this dashboard. The lookups are my own)

Let me know what you need

0 Karma
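Editor's added example (not code from either poster or from the Splunk Add-on for ServiceNow). It answers the dv_ question above and walks through what the eval, rex and lookup steps in the search above do to a record. The assumption behind it is mine: the add-on reads records from the ServiceNow Table API with sysparm_display_value=all, which returns every field as {"value": ..., "display_value": ...}; the raw value (a sys_id for reference fields such as assignment_group) is indexed under the field name and the human-readable display value under dv_<field>. The sample response, the GROUP_LOOKUP table standing in for the poster's snow_metrics_groups.csv, and the user and group names are all constructed.

```python
"""Flatten a ServiceNow Table API record into Splunk-style <field>/dv_<field>
pairs, then replay the search's coalesce, rex and OUTPUTNEW-lookup steps.

Assumption (not from the thread): the add-on queries with
sysparm_display_value=all, so each field arrives as a value/display_value pair.
"""
import json
import re

# Constructed sample response, shaped like sysparm_display_value=all output.
SAMPLE_RESPONSE = json.dumps({
    "result": [{
        "number": {"value": "INC0010001", "display_value": "INC0010001"},
        "assignment_group": {
            "value": "287ebd7da9fe198100f92cc8d1d2154e",   # sys_id of the group
            "display_value": "Network",
        },
        "assigned_to": {
            "value": "46d44a23a9fe19810012d100cca80666",   # sys_id of the user
            "display_value": "Beth Anglin (beth.anglin)",  # name + user id
        },
        "sys_mod_count": {"value": "", "display_value": ""},
        "state": {"value": "2", "display_value": "In Progress"},
    }]
})

# Constructed stand-in for the poster's snow_metrics_groups.csv (id -> group).
GROUP_LOOKUP = {"network": "infra", "beth.anglin": "infra-oncall"}

# Same pattern as the rex in the search: the leading greedy [\s\S]* means the
# LAST "(...)" in dv_assigned_to is captured, not the first.
ASSIGNED_RE = re.compile(r"[\s\S]*\((?P<dv_assigned_to_id>\S*)\)[\s\S]*")


def flatten_record(rec):
    """Index the raw value under <field> and the display value under dv_<field>."""
    flat = {}
    for name, cell in rec.items():
        if isinstance(cell, dict):
            flat[name] = cell.get("value", "")
            flat["dv_" + name] = cell.get("display_value", "")
        else:
            flat[name] = cell
    return flat


def incident_number(event):
    """Mirror of the two eval inc=... steps: ticket_id, else dv_number, else number.
    Missing and empty both count as null here."""
    for key in ("ticket_id", "dv_number", "number"):
        val = event.get(key)
        if val not in (None, ""):
            return val
    return None


def assigned_to_id(event):
    """Mirror of rex + lower(): the id inside the last parentheses, lowercased."""
    m = ASSIGNED_RE.match(event.get("dv_assigned_to") or "")
    return m.group("dv_assigned_to_id").lower() if m else None


def lookup_group(event):
    """Mirror of the two lookup ... OUTPUTNEW calls. OUTPUTNEW only writes when
    the output field is still empty, so the assignment-group match wins and the
    assignee id is consulted only as a fallback."""
    for key in ("dv_assignment_group", "dv_assigned_to_id"):
        hit = GROUP_LOOKUP.get((event.get(key) or "").lower())
        if hit is not None:
            return hit
    return None


def enrich(response_json):
    """Flatten every record, then apply the search's normalisation steps."""
    events = []
    for rec in json.loads(response_json)["result"]:
        ev = flatten_record(rec)
        ev["inc"] = incident_number(ev)
        ev["dv_assigned_to_id"] = assigned_to_id(ev)
        ev["dv_assignment_group"] = (ev.get("dv_assignment_group") or "").lower()
        ev["dv_sys_mod_count"] = ev.get("dv_sys_mod_count") or 0
        ev["lookup_assignment_group"] = lookup_group(ev)
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in enrich(SAMPLE_RESPONSE):
        print(json.dumps(ev, indent=2))
```

The lower() calls before the lookups are not cosmetic: CSV lookups in Splunk match case-sensitively unless case_sensitive_match is turned off in transforms.conf, so a group named "Network" would miss a lookup row keyed "network". Filtering on the sys_id field (assignment_group) rather than its dv_ twin is the stable choice for alerts and access-control joins, since display names can be renamed while the sys_id cannot.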