Getting Data In

Understanding how to use snowincident for servicenow/splunk integration

New Member


I am really confused on how to use the snow commands such as the ones listed here: I do not understand how to set up the snow stuff as I have created the integration between servicenow and splunk today. Any help would be greatly appreciated. Thank you.

0 Karma

New Member

Why ServiceNow fields are shown as dv_fieldname in splunk.

For example: assignment_group is shown as dv_assignment_group.

0 Karma


What exactly do you need help with? I am ingesting incs, chgs, cmbds, etc, and am also dynamically creating snow tickets using Splunk (creating lockout tickets).

I also have a snow dashboard I created displaying a bunch of metrics. This is the base search:

index=main sourcetype=snow:incident dv_number="$ticket$" OR ticket_id="$ticket$" OR number="$ticket$" |   
  eval inc=if(isnull(ticket_id),dv_number,ticket_id) | eval inc=if(isnull(inc),number,inc) | 
  rex field=dv_assigned_to "[\s\S]*\((?<dv_assigned_to_id>\S*)\)[\s\S]*" | eval dv_assigned_to_id=lower(dv_assigned_to_id) | eval dv_assignment_group=lower(dv_assignment_group) | 
  eval dv_sys_mod_count=if(isnull(dv_sys_mod_count),0,dv_sys_mod_count) |
lookup "snow_metrics_groups.csv" id as dv_assignment_group OUTPUTNEW group as lookup_assignment_group | lookup "snow_metrics_groups.csv" id as dv_assigned_to_id OUTPUTNEW group as lookup_assignment_group |
sort 0 - _time | table inc dv_short_description dv_caller_id dv_sys_created_by dv_assigned_to_id lookup_assignment_group dv_assignment_group dv_sys_created_on dv_sys_updated_on dv_closed_at dv_calendar_duration dv_business_duration dv_category dv_subcategory dv_state dv_close_code dv_priority dv_sys_mod_count reassignment_count dv_u_reopen_count dv_reassignment_count dv_u_parent_incident _time

(I have a lot of other code for this dashboard. The lookups are my own)

Let me know what you need

0 Karma
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...