Splunk IT Service Intelligence

Splunk ITSI bidirectional ticketing - ServiceNow - snow_hash.csv not found

taskar
Path Finder
We are trying to run bidirectional ticketing (ServiceNow) and are experiencing some issues. ITSI v4.3.3, datamodels are working just fine as far as I know. The correlation search uses snow_hash.csv as input and output. But the file is missing, anyone with a quick fix? Should I just manually create it? Anyone know when it is created? Error message from job output when running the correlation search manually:

[subsearch]: File '/opt/splunk/var/run/splunk/csv/snow_hash.csv' could not be opened for reading.
0 Karma
1 Solution

taskar
Path Finder

It was an issue with field extractions. Did not extract the field sys_updated_on from the ServiceNow event. Fixed that and then I ran the correlation search to build the CSV.


satishvrhce
New Member

Can you please explain how to do the field extraction?

0 Karma

admindeckge
Observer

Hi taskar - I'm seeing similar behavior in my environment. Running the incident modular input locally on 1 search head in my SHC running ITSI instead of running it from my heavy forwarder is how I've got it working currently. I'm 7.3.3 on-prem RHEL7 instances with ITSI 4.4.3 and 6.0.0 snow_ta installed to HF, indexer cluster & search head cluster. I'm curious if you're on the same version of TA & where props that seem to be good OOTB needed a tweak if you're collecting data from heavy forwarder, since that's where it should be running and won't work for me. Really cool to update SNow ticket and get ITSI episode updated but not sure it's so cool to have to run it this way to make it work. Any help you could provide would be greatly appreciated. Thanks

0 Karma

taskar
Path Finder

We are running on the same version as you. We just did a workaround on the correlation search in the ITSI SH cluster to extract the needed kv-pair:

| extract pairdelim=",", kvdelim="=", auto=f, limit=200, mv_add=t

0 Karma