Hi Gurav, thanks for your inputs, but I had gone through this document and created the below steps, could please guide me whether steps are correct .

1) Create a empty csv file under Splunk_TA_snow/lookup/cmdb_ci_computer.csv 
2) Create a Eventtype [snow_cmdb_ci_Computer]
     search = sourcetype=snow:cmdb_ci_Computer
3) Map the eventtype in the /local/savedsearches.conf 
[ServiceNow CMDB CI Computer]
disabled = 0
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 * * * *
description = Saved search which populates the CMDB CI Computer from ServiceNow
dispatch.earliest_time = 0
dispatch.latest_time = now
display.general.type = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = eventtype=snow_cmdb_ci_computer | dedup sys_id | fields - _bkt, _cd,_indextime,_kv,_raw,_serial,_si,_sourcetype,_subsecond, punct, index, source, sourcetype  | inputlookup append=t cmdb_ci_computer_lookup | dedup sys_id | outputlookup cmdb_ci_computer_lookup 

Do you want to create new lookup or use existing in query?

I want to use existing in the query

Hi Gurav, the below steps helped me to get the required output.

Procedure :

1) First executed a simple search command to filter the sourcetype containing only with the field values called Computer from the seleclted field=subcategory

    sourcetype=snow:cmdb_ci_list subcategory=Computer

2) Created a Eventtype in the props.conf with the sourcetype=snow:cmdb_ci_list subcategory=Computer along with other exesisting eventtype in the Splunk_Ta_Snow app

     Eventtype [snow_cmdb_ci_Computer]
     search = sourcetype=snow:cmdb_ci_list subcategory=Computer

3) Created a Savedsearch query with the newly created eventtype to filter the events contains anything with subcategory of "Computer". 

[ServiceNow CMDB CI SUB COMP List]
disabled = 0
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 * * * *
description = Saved search which populates the CMDB CI contains anything with subcategory of "Computer"
dispatch.earliest_time = 0
dispatch.latest_time = now
display.general.type = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = eventtype=snow_cmdb_ci_Computer | dedup sys_id | fields - _bkt, _cd,_indextime,_kv,_raw,_serial,_si,_sourcetype,_subsecond, punct, index, source, sourcetype  | inputlookup append=t cmdb_ci_list_lookup | dedup sys_id | outputlookup cmdb_ci_list_lookup

4) After finishing with the above steps the app was pushed to the search head cluster environement via deployer. 

 /opt/splunk/bin
./splunk apply shcluster-bundle --answer-yes -target https://splunkinstancename:8089 -auth admin:password 

5) We are able to see the required output in splunk with the events containing the field values called Computer from the seleclted field=subcategory.

Hi All,

Any help will be much appreciated.