Hello All, I have an alert that has an Action to create a SNow Incident when a file has not been received by a certain date. The first time the alert ran and the action was triggered, a new Incident was created.  Subsequently, the original Incident has been reopened.  This is not what I want.  I need to have a new Incident for each time the action is triggered. I have tried setting 'state' to 1, which implies New in the documentation here - https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts state No Number 4 The state of the incident. For example: 1 - New 2 - Active 3 - Awaiting Problem 4 - Awaiting User Info 5 - Awaiting Evidence 6 - Resolved 7 - Closed I have also left the Correlation ID blank so that a new (unique) ID is created. Correlation ID A unique ID to support third-party application integration. It should only consist of alphanumeric characters, underscore (_), and hyphen (-) in its value. Leave blank for the Splunk Add-on for ServiceNow to generate a unique ID for you.   Thanks in advance for support ... View more

Hello All, Grateful for assistance on this one. We have several areas where servers are HA pairs and write to a server specific log.  However, because they are an HA pair, their own log and the equivalent log on the paired server is visible via a shared drive. Thus,  server 'A' produces 'serverlogA' but can also see 'serverlogB'.  Server 'B' produces 'serverlogB' and can also see 'serverlogA'. Because both servers are in the same Server Class, we end up with duplicated events from both server logs. We cannot only ingest from one server because they also have unique log files and a failure on the ingesting server would require manual intervention to move to the paired server. I have tried to nullqueue the events as shown below, but not had any success.   Please let me know your thoughts on how to work around this issue. Thanks props.conf [source::/apps/lvservices/mnt/logs/abc/whyluaap182_ContractEnquiry.log] TRANSFORMS-nullq_cms_uaap181 = nullq_uaap181 [source::/apps/lvservices/mnt/logs/abc/whyluaap181_ContractEnquiry.log] TRANSFORMS-nullq_cms_uaap182 = nullq_uaap182 transforms.conf [nullq_uaap181] SOURCE_KEY = MetaData:Host REGEX = whyluaap181 DEST_KEY = queue FORMAT = nullQueue [nullq_uaap182] SOURCE_KEY = MetaData:Host REGEX = whyluaap182 DEST_KEY = queue FORMAT = nullQueue   ... View more

Hello all, My latest challenge is to ingest a Word doc into our environment.  According to everything I have read so far, this should be straight forward as Splunk can ingest 'any' file.  At this point I should point out that I am not concerned about the contents of the file (as this all needs to be obfuscated).  I only need to ingest the file to get its name.  I am not concerned about whether or not Splunk can read the 'Word' type formatting. The file is created daily with the format - "My Word Doc ddmmyyyy hh mm.doc" I am only interested in the "ddmmyyyy hh mm" part to ensure that it has been created today. I cannot get the doc file to ingest at all.  Not even in an unformatted state.  If I save the file as a ".txt" file, then it is ingested.  Unfortunately, the 'save as' option is not an option in production. I have tried using 'whitelist=' option without any success. Can anyone suggest a solution?  Is there something in my installation that is stopping Word docs from being ingested?  Has anyone else had a similar experience?   Thanks ... View more