I'm using Splunk ITSI app to create incidents in ServiceNow from Splunk ITSI based on Episode Review, that is using actions in the notable event aggregation policy.
I’m facing problem in running default correlation search of Bidirectional Ticketing.
While troubleshooting I can see inputlookup itsinotableeventexternalticket isn’t getting updated and couldn’t find it anywhere. However in this input lookup one entry exists which we made last week.
Below is the default search. datamodel TicketManagement and sourcetype="snow:incident" is working fine but inputlookup isn’t getting updated which is why I am unable to test as ticketid is defind there as well.
Hi, @prafullwt , would you check the followings in step by step?
Check if ServiceNow's incident modinput is running.
Check if rules engine is running by going into "Searches, reports, and alerts" and search for itsieventgrouping for App: SA-ITOA.
If all above 2 are enabled, then check if the Bidirectional Ticketing correlation search generating events by search for index=itsitrackedalerts bidirectional_ticketing=1 , if there is no events found in this step, the ticket updating will not happen.
If step 3 showing the events, you can compare the fields of the events with the aggregation policy you set up, see if the field names and values matches any events generated in step 3. It the criteria doesn't match in what you set in aggregation policy, the ticket updating will not happen as well.