Splunk ITSI

How itsi_notable_event_external_ticket lookup is being updated?

vsskishore
Explorer

We have enabled Bidirectional correlation search for Service now in our ITSI, unfortunately  itsi_notable_event_external_ticket  lookup is not updating proper values. I couldn't find the saved search which is used to update the lookup to troubleshoot further.
Can some one tell me how itsi_notable_event_external_ticket lookup is being updated ?

0 Karma

michael_bates_1
Path Finder

The lookup itsi_notable_event_external_ticket is updated when ITSI creates the external ticket.
If you search the audit records

`itsi_notable_audit_index` sourcetype=itsi_notable:audit

you will should, if the NEAP is creating the ticket, see events with fields like

   action_namesnow_incident
   activityAction="snow_incident" executed.
   activity_typeAction Executed for Episode.

One of the fields is the search_command. Towards the end of the string you should see something like

sendalert "itsi_event_action_snow_wrapper" (I am using ServiceNow)

It is this alert wrapper that raises the ticket with SNOW, and updates the kvstore lookup with the returned values.

0 Karma
Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...