Recently i upgraded my standalone env to SH and Indexer cluster one major thing i notice is all my previous works like Services,entities,correlation search,notable event aggregation policies are missing.
Basically it's set back to default.
Where and how can i restore my previous work ?
... View more
I'm using Splunk ITSI app to create incidents in ServiceNow from Splunk ITSI based on Episode Review, that is using actions in the notable event aggregation policy.
I’m facing problem in running default correlation search of Bidirectional Ticketing.
While troubleshooting I can see inputlookup itsi_notable_event_external_ticket isn’t getting updated and couldn’t find it anywhere. However in this input lookup one entry exists which we made last week.
Below is the default search. datamodel Ticket_Management and sourcetype="snow:incident" is working fine but inputlookup isn’t getting updated which is why I am unable to test as ticket_id is defind there as well.
| datamodel Ticket_Management Incident search | rename All_Ticket_Management.ticket_id as ticket_id
| join ticket_id [search sourcetype="snow:incident" | where indextime > now() - 60]
| join ticket_id [| inputlookup itsi_notable_event_external_ticket | rename tickets.* as *]
| rename event_id as group_id | fields - dv* | eval bidirectional_ticketing=1
as per my investigation that lookup isn't getting updated. so here in i suspect problem lies.
Can you please suggest any way to troubleshoot this ?
... View more