Splunk ITSI Bidirectional Ticketing Issue?

prafullwt
New Member

Hello All,

I'm using the Splunk ITSI app to create incidents in ServiceNow from Splunk ITSI based on Episode Review, that is, using actions in the notable event aggregation policy.

I'm facing a problem running the default Bidirectional Ticketing correlation search.
While troubleshooting I can see that the inputlookup itsi_notable_event_external_ticket isn't getting updated, and I couldn't find it anywhere. However, one entry exists in this input lookup, which we made last week.

Below is the default search. The datamodel Ticket_Management and sourcetype="snow:incident" parts are working fine, but the inputlookup isn't getting updated, which is why I am unable to test, as ticket_id is defined there as well.

| datamodel Ticket_Management Incident search | rename All_Ticket_Management.ticket_id as ticket_id
| join ticket_id [search sourcetype="snow:incident" | where indextime > now() - 60]
| join ticket_id [| inputlookup itsi_notable_event_external_ticket | rename tickets.* as *]
| rename event_id as group_id | fields - dv*
| eval bidirectional_ticketing=1

As per my investigation, that lookup isn't getting updated, so I suspect the problem lies there.
Can you please suggest any way to troubleshoot this?


szhou_splunk
Splunk Employee

Hi @prafullwt, would you check the following step by step?

  1. Check if ServiceNow's incident modinput is running.
  2. Check if the rules engine is running by going into "Searches, reports, and alerts" and searching for itsi_event_grouping under App: SA-ITOA.
  3. If both of the above are enabled, then check if the Bidirectional Ticketing correlation search is generating events by searching for index=itsi_tracked_alerts bidirectional_ticketing=1. If no events are found in this step, the ticket updating will not happen.
  4. If step 3 shows events, you can compare the fields of the events with the aggregation policy you set up and see if the field names and values match any events generated in step 3. If the criteria don't match what you set in the aggregation policy, the ticket updating will not happen either.
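The four checks above, scripted as one runbook. This is an added example, not ITSI's own code and not part of the thread. It assumes a Splunk management endpoint in SPLUNK_URL, a bearer token in SPLUNK_TOKEN, and that the ServiceNow data comes from the Splunk Add-on for ServiceNow, whose modular input stanzas are assumed here to be named snow://<table>; the names taken from the thread (itsi_event_grouping, SA-ITOA, itsi_tracked_alerts, bidirectional_ticketing) are used as they appear. The policy comparison in step 4 is simplified to exact field=value equality on whatever criteria you pass in; the sample rows in the test are constructed.

```python
"""Runbook for the four Bidirectional Ticketing checks (added example, not
ITSI code). Assumes SPLUNK_URL/SPLUNK_TOKEN and snow://<table> input stanzas."""
import json
import os
import ssl
import urllib.parse
import urllib.request

# The searches, in the order the answer says to run them. Each starts with
# "search" or "|" as the REST search endpoint requires.
CHECKS = {
    # 1. Is an incident modular input configured and enabled? (snow://* is an assumption)
    "modinput": '| rest /servicesNS/-/-/configs/conf-inputs search="title=snow*" '
                '| table title disabled interval eai:appName',
    # 1b. Is it actually delivering? Count fresh snow:incident events.
    "modinput_events": 'search sourcetype="snow:incident" earliest=-1h '
                       '| stats count as events max(_indextime) as last_indexed',
    # 2. Is the rules engine saved search in SA-ITOA enabled and scheduled?
    "rules_engine": '| rest /servicesNS/nobody/SA-ITOA/saved/searches/itsi_event_grouping '
                    '| table title disabled is_scheduled',
    # 3. Did the correlation search emit anything? Keep all fields for step 4.
    "tracked_alerts": 'search index=itsi_tracked_alerts bidirectional_ticketing=1 '
                      'earliest=-24h | fields - _raw',
}


def run_search(base_url, token, spl):
    """Run one search through search/jobs/export and return its result rows."""
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/search/jobs/export",
        data=body, headers={"Authorization": "Bearer " + token},
    )
    ctx = ssl.create_default_context()  # keep certificate verification on
    rows = []
    with urllib.request.urlopen(req, context=ctx) as resp:
        for line in resp:  # export streams one JSON object per line
            obj = json.loads(line)
            if "result" in obj:
                rows.append(obj["result"])
    return rows


def _enabled(row):
    """REST rows report 'disabled' as "0"/"1" (or true/false); missing means disabled."""
    return str(row.get("disabled", "1")).lower() in ("0", "false")


def matches_policy(event, criteria):
    """Step 4, simplified: every policy field must be present with exactly that value."""
    return all(str(event.get(field)) == str(value) for field, value in criteria.items())


def diagnose(results, policy_criteria):
    """Apply the answer's decision order to collected rows; return (stage, message)
    for the first failing check, or ("ok", ...) when everything lines up."""
    if not any(_enabled(r) for r in results.get("modinput", [])):
        return "modinput", "no enabled snow://* input found"
    events_row = (results.get("modinput_events") or [{}])[0]
    if int(events_row.get("events", 0)) == 0:
        return "modinput", "input enabled but no snow:incident events indexed in the last hour"
    engine_row = (results.get("rules_engine") or [{}])[0]
    if not _enabled(engine_row):
        return "rules_engine", "itsi_event_grouping is missing or disabled"
    alerts = results.get("tracked_alerts", [])
    if not alerts:
        return "tracked_alerts", "no bidirectional_ticketing=1 events; ticket updates cannot happen"
    matched = [e for e in alerts if matches_policy(e, policy_criteria)]
    if not matched:
        return "policy", "events exist but none match the aggregation policy criteria"
    return "ok", f"{len(matched)} of {len(alerts)} tracked alerts match the policy"


if __name__ == "__main__":
    base, token = os.environ["SPLUNK_URL"], os.environ["SPLUNK_TOKEN"]
    criteria = {"bidirectional_ticketing": "1"}  # mirror your policy's filter here
    collected = {name: run_search(base, token, spl) for name, spl in CHECKS.items()}
    stage, msg = diagnose(collected, criteria)
    print(f"[{stage}] {msg}")
```

Run it with the two environment variables set; it stops at the first failing stage, which is the same order of elimination the answer describes. If it reports "policy", compare the printed fields of the tracked alerts against the filter in the aggregation policy before looking anywhere else.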

santosh_sshanbh
Path Finder

How and where to check this?

  1. Check if ServiceNow's incident modinput is running.