Splunk ITSI

How itsi_notable_event_external_ticket lookup is being updated?

vsskishore
Explorer

We have enabled Bidirectional correlation search for Service now in our ITSI, unfortunately  itsi_notable_event_external_ticket  lookup is not updating proper values. I couldn't find the saved search which is used to update the lookup to troubleshoot further.
Can some one tell me how itsi_notable_event_external_ticket lookup is being updated ?

0 Karma

michael_bates_1
Path Finder

The lookup itsi_notable_event_external_ticket is updated when ITSI creates the external ticket.
If you search the audit records

`itsi_notable_audit_index` sourcetype=itsi_notable:audit

you will should, if the NEAP is creating the ticket, see events with fields like

   action_namesnow_incident
   activityAction="snow_incident" executed.
   activity_typeAction Executed for Episode.

One of the fields is the search_command. Towards the end of the string you should see something like

sendalert "itsi_event_action_snow_wrapper" (I am using ServiceNow)

It is this alert wrapper that raises the ticket with SNOW, and updates the kvstore lookup with the returned values.

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...