How do I change the value of a field if a condition occurs?

New Member

Hi community!

I'm using Splunk Enterprise to create dashboards with my client's ServiceNow incident information.

  1. My company only looks at tickets from assignment_group A.
  2. So, I have a ticket X that belongs to assignment_group A with Status "New".
  3. However, this ticket changed to assignment_group B and is no longer serviced by my company. As a result, in a second ServiceNow extraction that ticket will not appear.

So, I need to create logic so that when this happens, Splunk changes the Status of ticket X to "Reassigned".

Does anyone know how to do this?
Thanks!

0 Karma

Re: How do I change the value of a field if a condition occurs?

SplunkTrust

How does Splunk know this has happened?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How do I change the value of a field if a condition occurs?

New Member

Hi richgalloway!

The ticket X will already be in the index, as it entered as assignment_group A and Status New.
However, as ticket X will not appear in the next ServiceNow extraction, Splunk should only change the Status to Reassigned.

Is it possible to create such a rule?

0 Karma

Re: How do I change the value of a field if a condition occurs?

SplunkTrust

I'm not sure my question was answered so I'll re-phrase it. What data does Splunk see that tells it the ticket was re-assigned?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How do I change the value of a field if a condition occurs?

New Member

In fact, there is no field to indicate this.
Basically, if I have a ticket in the index and it no longer appears in the new extractions, it must change the status to Reassigned.

0 Karma

Re: How do I change the value of a field if a condition occurs?

SplunkTrust

So, will Splunk know that there has been an extraction that does not contain this incident? For instance, can you find the most recent extraction date, and if there is no record for that incident with that extraction date, then create a new record with the status as "Reassigned"?

0 Karma
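The approach described in the reply above, worked through as an added SPL example that is not part of the original thread. It assumes each ServiceNow extraction is indexed as one event per incident carrying the fields `number`, `assignment_group`, `status` and a per-extraction counter `extraction_id` (an assumption standing in for the extraction date; on real data `_time` of the extraction events would normally be used instead). The first five lines build a small constructed dataset with `makeresults` so the search runs without any index; replace them with the real search over your ServiceNow data.

```spl
| makeresults
| eval row="INC001,A,New,1;INC002,A,New,1;INC001,A,In Progress,2;INC003,A,New,2"
| makemv delim=";" row
| mvexpand row
| rex field=row "^(?<number>[^,]+),(?<assignment_group>[^,]+),(?<status>[^,]+),(?<extraction_id>\d+)$"
| fields - row
| eval extraction_id=tonumber(extraction_id)
| eventstats max(extraction_id) as latest_extraction
| sort 0 number extraction_id
| stats last(status) as status, max(extraction_id) as last_seen, max(latest_extraction) as latest_extraction by number
| eval status=if(last_seen < latest_extraction, "Reassigned", status)
| table number status last_seen latest_extraction
```

The `eventstats` line computes the most recent extraction seen across all events; `stats ... by number` then finds, per ticket, the last extraction it appeared in and its status at that point; the final `eval` derives the status `Reassigned` for any ticket whose `last_seen` is older than the latest extraction. On the constructed data this yields INC001 as "In Progress", INC002 as "Reassigned" (present in extraction 1, absent from extraction 2) and INC003 as "New". Nothing in the index is modified, which matches the point made later in the thread that indexed data cannot be changed: the derived status exists only in search results, so it is best saved as a scheduled search feeding a lookup or a summary index that the dashboard reads, rather than computed on every page load.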

Re: How do I change the value of a field if a condition occurs?

SplunkTrust

Still not clear on the detection method, but I want to ask: Do you expect to change the indexed data to reflect the new status? If so, that is not possible. Splunk does not allow indexed data to be changed at all.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How do I change the value of a field if a condition occurs?

New Member

Understood. So is there a way that when this happens, Splunk will create a new ticket with the same information and just change the status to reassigned?

0 Karma

Re: How do I change the value of a field if a condition occurs?

SplunkTrust

And we're back to where we started. "when this happens" really needs to be a discrete event that Splunk can detect and then act on.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How do I change the value of a field if a condition occurs?

New Member

And is there a way to make Splunk detect an event like this?

0 Karma