Splunk IT Service Intelligence

ITSI alerts show as incident service now

Explorer

Hello Splunkers,

Recently we have set up the ITSI service in Splunk. Now I'm just trying to find a way to send alerts so that they are created as ServiceNow tickets in our ServiceNow tool.
To be straight: integrate my ServiceNow product with the ITSI app.

Thanks in advance.

0 Karma

Re: ITSI alerts show as incident service now

Contributor

Hi,

Yes, it is possible.

Create an incident or event from an alert using the snowincident.py or snowevent.py script
You can create an incident or event based on an alert.

In Splunk Web, click Settings > Searches, Reports, and Alerts.
Click New.
Set the Destination app to Splunk Add-on for ServiceNow (SplunkTAsnow).
Enter a Search name that describes the alert you want to create.
Enter a Search that meets the following criteria:
To create an incident, the search must include the mandatory arguments category, short_description, and contact_type. These arguments are required by ServiceNow to create an incident. The Splunk platform passes the arguments through to the alert result to trigger the script.
To create an event, the search must include the mandatory arguments node, resource, type, and severity. These arguments are required by ServiceNow to create an event. The Splunk platform passes the arguments to the alert result to trigger the script.
The search can include any of the optional arguments supported by ServiceNow incident or event creation. See About the commands and scripts for a table detailing each of these arguments.
The search must be in tabular format.

The following search is an example that demonstrates how to trigger the script to create an incident when CPU usage is 95 or higher.

sourcetype="CPURates" earliest=-5m latest=now 
| stats avg(CPU) as CPU last(_time) as time by host 
| where CPU>=95 | eval contact_type="email" 
| eval ci_identifier=host 
| eval priority=1 | eval category="Software" 
| eval subcategory="database" 
| eval short_description="CPU on ". host ." is at ". CPU 
| table category, subcategory, short_description, contact_type, ci_identifier, priority

The following search is an example that demonstrates how to trigger the script to create an event when CPU usage is 95 or higher:

sourcetype="CPURates" earliest=-5m latest=now 
| stats avg(CPU) as CPU last(_time) as time by host 
| where CPU>=95 | eval node=host | eval resource="CPU" 
| eval type="CPUAlert" | eval severity=2 
| eval description="CPU on ". host ." is at ". CPU 
| table time, severity, node, resource, type, description

Under Schedule and alert, click Schedule this search.
Select values for Schedule type, Run every, Expiration, and Severity according to your alert requirements.
Under Alert actions, check the box next to Enable under Run a script.
Enter the name of the script in File name of shell script to run.
For an incident, enter snowincident.py
For an event, enter snowevent.py
Click Save.

Please refer to the document below for the detailed process:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usescriptedalerts
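As an added illustration of what the scripted alert actually has to do with the tabular search results described in the answer above, here is a small Python stand-in. It is example code written for this page, not the add-on's own snowincident.py or snowevent.py. It assumes the Splunk scripted-alert convention that argv[8] is the path to the gzipped CSV of alert results, checks the mandatory columns named above (category, short_description, contact_type for an incident; node, resource, type, severity for an event), and builds ServiceNow Table API request bodies without sending them. The table names, the sample rows and the one-to-one column mapping are assumptions for the example; the real add-on may map fields (for instance ci_identifier) differently.

```python
"""
Added example, not part of the Splunk Add-on for ServiceNow.

Stand-in for a scripted alert action: read the gzipped CSV Splunk passes as
argv[8], reject rows missing the fields ServiceNow requires, and build the
Table API requests that would create the incident or event.
"""
import csv
import gzip
import json
import os
import tempfile

# Mandatory result columns per object type, as listed in the add-on docs.
REQUIRED = {
    "incident": ("category", "short_description", "contact_type"),
    "event": ("node", "resource", "type", "severity"),
}

# Assumed ServiceNow table names for the Table API (assumption for this example).
TABLE = {"incident": "incident", "event": "em_event"}

# Constructed sample rows, shaped like the output of the incident search above.
# The second row deliberately lacks contact_type so the validation path is exercised.
SAMPLE_INCIDENT_ROWS = [
    {"category": "Software", "subcategory": "database",
     "short_description": "CPU on db01 is at 97.5", "contact_type": "email",
     "ci_identifier": "db01", "priority": "1"},
    {"category": "Software", "subcategory": "database",
     "short_description": "CPU on db02 is at 96.0", "contact_type": "",
     "ci_identifier": "db02", "priority": "1"},
]


def write_results_gz(rows, path):
    """Write rows as the gzipped CSV Splunk hands to a scripted alert (argv[8])."""
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)


def read_results_gz(path):
    """Read the alert results file back into a list of dicts (one per result row)."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def validate(row, kind):
    """Return the mandatory fields that are missing or empty in this row."""
    return [f for f in REQUIRED[kind] if not row.get(f, "").strip()]


def build_payloads(rows, kind):
    """Turn rows into Table API requests; rows ServiceNow would reject are reported, not sent."""
    ok, rejected = [], []
    for row in rows:
        missing = validate(row, kind)
        if missing:
            rejected.append({"row": row, "missing": missing})
            continue
        # Forward non-empty columns as-is (assumption: the search already uses
        # ServiceNow column names). 'time' is a Splunk-side column, so drop it.
        body = {k: v for k, v in row.items() if v.strip() and k != "time"}
        ok.append({"method": "POST",
                   "path": "/api/now/table/%s" % TABLE[kind],
                   "body": body})
    return ok, rejected


def process_alert(argv, kind):
    """Entry point mirroring the scripted-alert convention: argv[8] is the results file."""
    rows = read_results_gz(argv[8])
    return build_payloads(rows, kind)


def demo():
    """Run the incident case end to end on the constructed sample rows."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "results.csv.gz")
        write_results_gz(SAMPLE_INCIDENT_ROWS, path)
        # Positional args as Splunk passes them to a scripted alert:
        # script, event count, search terms, query, alert name, trigger reason,
        # saved-search URL, (deprecated), results file.
        argv = ["snowincident.py", "2", "sourcetype=CPURates", "search ...",
                "cpu_high", "saved", "http://splunk.example:8000/app/search",
                "", path]
        return process_alert(argv, "incident")


if __name__ == "__main__":
    created, skipped = demo()
    print(json.dumps({"requests": created, "rejected": skipped}, indent=2))
```

Running the block prints one POST to /api/now/table/incident for db01 and one rejected row for db02 with contact_type listed as missing. The same validate() applies to the event search: a row with node, resource, type and severity filled in passes, and the time column is dropped before the request is built.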