We are in the process of generating Events in ServiceNow using the Splunk add-on for ServiceNow. We are passing Event information in the description field to communicate to the end user what actions need to be addressed. As part of the output we want to include a table of information that summarizes the events detected. We are able to aggregate and group the information as necessary, but we are having a hard time establishing a pattern where we can consistently control the output.
We have had issues formatting the data and we are seeking guidance on how we can exert greater control over the format. We would like to include a brief sentence with instructions on how to move forward and we would like to identify all events impacted in table format.
The header column and the output need to be aligned and easy to read for the end user. I have used an MVAppend statement to add the header to a column, but could not concatenate the information in a manner where it displays the information in a table format.

| eval instructions = "The account is a controlled account and you will need to provide justification for accessing the account outside of security controls. Please review the table of events and provide insight into why control was violated." . "
"
| eval cheader = "Host Account Action "
| eval tabledata = host . " " . Account . " " . Action
| eval instructions = instructions . cheader . tabledata

The message we are seeking would look like the content below:

"The account is a controlled account and you will need to provide justification for accessing the account outside of security controls. Please review the table of events and provide insight into why control was violated."
Table of Events:
Host Account Action
LC200506 admin Success
LC200507 admin Failure
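
One way to get the aligned layout described above, as an added example that is not part of the original post: pad each field to a fixed width with the eval printf function, collect the rows with stats list, and join them with a literal newline as the post's own eval does. It assumes the ServiceNow description field is displayed in a monospaced font; the makeresults rows are constructed sample data standing in for the real search, and the column widths and the row, rows, nl, table and description names are illustrative.

```spl
| makeresults format=csv data="host,Account,Action
LC200506,admin,Success
LC200507,admin,Failure"
| eval row = printf("%-12s%-10s%s", host, Account, Action)
| stats list(row) as rows
| eval cheader = printf("%-12s%-10s%s", "Host", "Account", "Action")
| eval nl = "
"
| eval table = mvjoin(rows, "
")
| eval instructions = "The account is a controlled account and you will need to provide justification for accessing the account outside of security controls. Please review the table of events and provide insight into why control was violated."
| eval description = instructions . nl . nl . "Table of Events:" . nl . cheader . nl . table
| fields description
```

The widths must be at least as long as the longest value in each column, and stats list keeps at most 100 values by default, so longer tables need to be split or truncated before joining.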