Splunk IT Service Intelligence
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk ITSI bidirectional ticketing - ServiceNow - snow_hash.csv not found

taskar
Path Finder
‎06-29-2020 11:39 PM
We are trying to run bidirectional ticketing (ServiceNow) and are experiencing some issues. ITSI v4.3.3, datamodel are working just find far as I know. The correlation search uses snow_hash.csv as input and ouput. But the file are missing, anyone with a quickfix? Should I just manually create it? Anyone know when it is created? Error message from job output when running the correlation search manually:

[subsearch]: File '/opt/splunk/var/run/splunk/csv/snow_hash.csv' could not be opened for reading.
Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

taskar
Path Finder
‎08-13-2020 01:25 AM

It was an issue with field exctractions. Did not extract the field sys_updated_on from the servicenow event. Fixed that and then I ran the correlation search to build the csv. 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution
Solution

taskar
Path Finder
‎08-13-2020 01:25 AM

It was an issue with field exctractions. Did not extract the field sys_updated_on from the servicenow event. Fixed that and then I ran the correlation search to build the csv. 

Tags (1)
Reply
Solved! Jump to solution

satishvrhce
New Member
‎06-29-2021 07:02 AM

Can you please explain how to do the field extraction?

0 Karma
Reply
Solved! Jump to solution

admindeckge
Observer
‎09-08-2020 06:41 PM

Hi taskar - I'm seeing similar behavior in my environment. Running the incident modular input locally on 1 search head in my SHC running ITSI instead of running it from my heavy forwarder is how i've got it working currently.  I'm 7.3.3 on-prem RHEL7 instances with ITSI 4.4.3 and 6.0.0 snow_ta installed to HF, indexer cluster & search head cluster. I'm curious if you're same version of TA & where props that seem to be good OOTB needed a tweak if you're collecting data from heavy forwarder since that's where it should be running and won't work for me.  Really cool to update SNow ticket and get ITSI episode updated but not sure it's so cool to have to run it this way to make it work. Any help you could provide would be greatly appreciated. Thanks

0 Karma
Reply
Solved! Jump to solution

taskar
Path Finder
‎09-09-2020 12:09 AM

We are running on the same version as you. We just did a workaround on the correlation search in ITSI SH cluster to extract the needed kv-pair

| extract pairdelim=",", kvdelim="=", auto=f, limit=200, mv_add=t

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...