How itsi_notable_event_external_ticket lookup is b...

vsskishore · ‎09-02-2022

We have enabled Bidirectional correlation search for Service now in our ITSI, unfortunately itsi_notable_event_external_ticket lookup is not updating proper values. I couldn't find the saved search which is used to update the lookup to troubleshoot further.
Can some one tell me how itsi_notable_event_external_ticket lookup is being updated ?

michael_bates_1 · ‎02-21-2023

The lookup itsi_notable_event_external_ticket is updated when ITSI creates the external ticket.
If you search the audit records

`itsi_notable_audit_index` sourcetype=itsi_notable:audit

you will should, if the NEAP is creating the ticket, see events with fields like

   action_name: snow_incident
   activity: Action="snow_incident" executed.
   activity_type: Action Executed for Episode.

One of the fields is the search_command. Towards the end of the string you should see something like

sendalert "itsi_event_action_snow_wrapper" (I am using ServiceNow)

It is this alert wrapper that raises the ticket with SNOW, and updates the kvstore lookup with the returned values.

How itsi_notable_event_external_ticket lookup is being updated?

administration

configuration

troubleshooting

using ITSI

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Join the Conversation