I'm using Splunk Enterprise to create dashboards with my client's ServiceNow incident information.
So, I need to create a logic so that when this happens, Splunk changes the Status of ticket X to "Reassigned".
Does anyone know how to do this?
The ticket X will already be in the index, as it entered as assignment_group A and Status New.
However, as ticket X will not appear in the next ServiceNow extraction, Splunk should only change the Status to Reassigned.
Is it possible to create such a rule?
I'm not sure my question was answered so I'll re-phrase it. What data does Splunk see that tells it the ticket was re-assigned?
In fact, there is no field to indicate this.
Basically, if I have a ticket in the index and it no longer appears in the new extractions, it must change the status to reassigned.
So, will Splunk know that there has been an extraction that does not contain this incident? For instance, can you find the most recent extraction date, and if there is no record for that incident with that extraction date, then create a new record with the status as "reassigned"?
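One way to express the "most recent extraction does not contain this ticket" check suggested above as a Splunk search. This is an added example, not a search from the original thread or from the ServiceNow add-on; the index and sourcetype names, the field names `number`, `status` and `assignment_group`, and the assumption that `_time` of each event is the time of the extraction run that produced it are all hypothetical and must be adjusted to the actual data.

```spl
index=servicenow sourcetype="snow:incident"
| eventstats max(_time) AS latest_extraction
| stats max(_time) AS last_seen,
        latest(status) AS status,
        latest(assignment_group) AS assignment_group,
        max(latest_extraction) AS latest_extraction
  BY number
| eval status = if(last_seen < latest_extraction, "Reassigned", status)
| convert ctime(last_seen) ctime(latest_extraction)
| table number assignment_group status last_seen latest_extraction
```

The `eventstats` step stamps every event with the time of the newest extraction across the whole search window; the `stats` step reduces each ticket to the last extraction that mentioned it, and the `eval` step flips the status to "Reassigned" for any ticket whose last appearance is older than that newest extraction. If one extraction run writes events over several minutes, snap `_time` to the run first (for example `| bin _time span=1h` if extractions are hourly) so that all records of one run compare as equal. Because indexed events cannot be edited, a scheduled version of this search would write the derived "Reassigned" rows as new events with `collect` into a summary index, rather than changing the original ticket events.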
Still not clear on the detection method, but I want to ask: Do you expect to change the indexed data to reflect the new status? If so, that is not possible. Splunk does not allow indexed data to be changed at all.
Understood. So is there a way that when this happens, Splunk will create a new ticket with the same information and just change the status to reassigned?
And we're back to where we started. "when this happens" really needs to be a discrete event that Splunk can detect and then act on.