Splunk Search

How to configure a lookup in Splunk Add-on for ServiceNow ?

Hemnaath
Motivator

Hi Team,

Got a request to configure a lookup called cmdb_ci_computer.csv that contains anything with a subcategory of computer in sourcetype=cmdb_ci_list. This should be configured under Splunk_TA_snow/local/savedsearch.conf.
Could you please guide me on how to create and configure this lookup?

thanks in advance.

0 Karma

p_gurav
Champion

Refer to the doc below and try to place the lookup at the specified position:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Lookups

0 Karma

Hemnaath
Motivator

Hi Gurav, thanks for your inputs, but I had gone through this document and created the steps below. Could you please guide me on whether the steps are correct?

1) Create an empty CSV file under Splunk_TA_snow/lookup/cmdb_ci_computer.csv
2) Create an eventtype [snow_cmdb_ci_Computer]
     search = sourcetype=snow:cmdb_ci_Computer
3) Map the eventtype in /local/savedsearches.conf
[ServiceNow CMDB CI Computer]
disabled = 0
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 * * * *
description = Saved search which populates the CMDB CI Computer from ServiceNow
dispatch.earliest_time = 0
dispatch.latest_time = now
display.general.type = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = eventtype=snow_cmdb_ci_computer | dedup sys_id | fields - _bkt, _cd,_indextime,_kv,_raw,_serial,_si,_sourcetype,_subsecond, punct, index, source, sourcetype  | inputlookup append=t cmdb_ci_computer_lookup | dedup sys_id | outputlookup cmdb_ci_computer_lookup 

0 Karma

p_gurav
Champion

Do you want to create new lookup or use existing in query?

0 Karma

Hemnaath
Motivator

I want to use existing in the query

0 Karma

Hemnaath
Motivator

Hi Gurav, the below steps helped me to get the required output.

Procedure :

1) First executed a simple search to filter the sourcetype down to only the events whose selected field subcategory has the value Computer

    sourcetype=snow:cmdb_ci_list subcategory=Computer

2) Created an eventtype in props.conf with sourcetype=snow:cmdb_ci_list subcategory=Computer, alongside the other existing eventtypes in the Splunk_Ta_Snow app

     Eventtype [snow_cmdb_ci_Computer]
     search = sourcetype=snow:cmdb_ci_list subcategory=Computer

3) Created a savedsearch query with the newly created eventtype to filter the events that contain anything with a subcategory of "Computer".

[ServiceNow CMDB CI SUB COMP List]
disabled = 0
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 * * * *
description = Saved search which populates the CMDB CI contains anything with subcategory of "Computer"
dispatch.earliest_time = 0
dispatch.latest_time = now
display.general.type = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = eventtype=snow_cmdb_ci_Computer | dedup sys_id | fields - _bkt, _cd,_indextime,_kv,_raw,_serial,_si,_sourcetype,_subsecond, punct, index, source, sourcetype  | inputlookup append=t cmdb_ci_list_lookup | dedup sys_id | outputlookup cmdb_ci_list_lookup

4) After finishing the above steps, the app was pushed to the search head cluster environment via the deployer.

    cd /opt/splunk/bin
    ./splunk apply shcluster-bundle --answer-yes -target https://splunkinstancename:8089 -auth admin:password

5) We are able to see the required output in Splunk, with the events containing the field value Computer in the selected field subcategory.

0 Karma
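To make the behaviour of the saved search in step 3 concrete, here is an added Python emulation (not part of the thread, and not the add-on's own code) of the `fields - ... | inputlookup append=t | dedup sys_id | outputlookup` pipeline over constructed sample rows. It assumes, as Splunk does, that the search results arrive newest first, so a fresh event for a sys_id wins over the stale row already in the lookup, while rows that only exist in the old lookup are carried forward and never removed.

```python
import csv
import io

# Constructed sample: events matching eventtype snow_cmdb_ci_Computer
# (sourcetype=snow:cmdb_ci_list subcategory=Computer), newest first.
NEW_EVENTS = [
    {"sys_id": "a1", "name": "ws-001", "subcategory": "Computer",
     "sys_updated_on": "2024-10-02", "_raw": "...", "sourcetype": "snow:cmdb_ci_list"},
    {"sys_id": "a1", "name": "ws-001-old", "subcategory": "Computer",
     "sys_updated_on": "2024-10-01", "_raw": "...", "sourcetype": "snow:cmdb_ci_list"},
    {"sys_id": "b2", "name": "srv-010", "subcategory": "Computer",
     "sys_updated_on": "2024-10-02", "_raw": "...", "sourcetype": "snow:cmdb_ci_list"},
]

# Constructed sample: current contents of cmdb_ci_list_lookup before this run.
EXISTING_LOOKUP_CSV = """sys_id,name,subcategory,sys_updated_on
b2,srv-010-renamed,Computer,2024-09-15
c3,retired-box,Computer,2024-01-30
"""

# Non-underscore fields removed by the saved search's `fields -` clause.
DROPPED = {"punct", "index", "source", "sourcetype"}

def strip_fields(row):
    """Emulate `fields - _bkt, _cd, ... punct, index, source, sourcetype`."""
    return {k: v for k, v in row.items() if not k.startswith("_") and k not in DROPPED}

def dedup(rows, key):
    """Emulate SPL `dedup <key>`: keep the first row seen for each key value."""
    seen, out = set(), []
    for r in rows:
        if r[key] not in seen:
            seen.add(r[key])
            out.append(r)
    return out

def refresh_lookup(new_events, existing_csv, key="sys_id"):
    """Emulate `... | dedup sys_id | inputlookup append=t X | dedup sys_id | outputlookup X`.
    New events precede the appended lookup rows, so they win on a key clash;
    rows present only in the old lookup survive (the lookup never shrinks)."""
    fresh = dedup([strip_fields(e) for e in new_events], key)
    old = list(csv.DictReader(io.StringIO(existing_csv)))
    return dedup(fresh + old, key)

def to_csv(rows):
    """Render the merged rows the way outputlookup would write the CSV."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(refresh_lookup(NEW_EVENTS, EXISTING_LOOKUP_CSV)))
```

Because retired CIs (like c3 above) are never dropped, a practitioner who needs the lookup to reflect only current assets should add an age check on sys_updated_on or rebuild the lookup without `inputlookup append=t`.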

Hemnaath
Motivator

Hi All,

Can anyone throw some light on this? I want to know how to configure a lookup in splunk_TA_servicenow.

0 Karma

Hemnaath
Motivator

Hi All,
Can anyone guide me on this?

0 Karma

Hemnaath
Motivator

Hi All,

Any help will be much appreciated.

0 Karma