Hello, we have implemented multiple NEAPs which have to be applied depending on various conditions. How can I write an SPL query to find which episode/incident used which NEAP? Regards, Sanghamitra Mitra
I am getting the following error while inserting an incident into ServiceNow through the Splunk Add-On (the connectivity between Splunk and ServiceNow is established; I am able to retrieve the incidents in Splunk):
command="snowincidentstream", Failed to create ticket. Return code is 400 (Bad Request). One of the possible causes of failure is absence of event management plugin or Splunk Integration plugin on the ServiceNow instance. To fix the issue install the plugin(s) on ServiceNow instance.
source="cpu_data_updated_1.csv" | where CPU___Usage >= 47
| eval contact_type="email"
| eval account="splunk_snow_dev"
| eval contact_type="email"
| eval custom_fields="u_affected_user=nobody||u_caller_id=12345"
| eval ci_identifier=host
| eval priority=1 | eval category="Software"
| eval subcategory="database"
| eval short_description="CPU on ". host ." is at ". CPU___Usage
| table account, category, subcategory, short_description, contact_type, custom_fields, ci_identifier, priority |snowincidentstream
I am getting this even after installing both plugins and following the instructions in this link: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/ConfigureServiceNowtointegratewithSplunkEnterprise
Hi, I created a custom search command following the instructions in this page (https://www.splunk.com/en_us/blog/tips-and-tricks/write-your-own-search-language.html) and it was working fine; however, it stopped working suddenly. I tried to put in some file-creation statements, but the files are not created, so it looks like the python program is not running at all.

Python code (C:\Program Files\Splunk\etc\apps\search\bin):

    import pandas as pd
    import splunk.Intersplunk

    def getShape(text):
        phrase1 = "upload"
        phrase2 = "TrustedInstaller"
        description = []
        if (phrase1 in text):
            description.append("Infra")
        elif (phrase2 in text):
            description.append("InstallationGroup")
        else:
            description.append("Misc")
        # file-creation probe: this output file is never written when the command is invoked
        Corpus = pd.read_csv(r"E:\corpus_single.csv", encoding='latin-1')
        Corpus.to_csv(r'E:\corpus_func.csv', index=False)
        if len(description) == 0:
            return "normal"
        return "_".join(description)

    # get the previous search results
    results, unused1, unused2 = splunk.Intersplunk.getOrganizedResults()
    # second file-creation probe, at module level
    Corpus = pd.read_csv(r"E:\corpus_single.csv", encoding='latin-1')
    Corpus.to_csv(r'E:\corpus_out.csv', index=False)
    # for each result, add an 'assignmentgrp' attribute, calculated from the Message field
    for result in results:
        result["assignmentgrp"] = getShape(result["Message"])
    # output results
    splunk.Intersplunk.outputResults(results)

---------
Entry in command.conf (folder: C:\Program Files\Splunk\etc\apps\search\default):

    [getgroup]
    filename = getgroup.py

---------------
Search query:

    source="winlog1.txt" | rex field=_raw "Message: <(?<Message>.*)>" | dedup Message | table Message, getgroup

--------
winlog1.txt sample data (having around 10 records):

    2016-09-28 04:30:31, Info Message: <Ending TrustedInstaller initialization.>
    2016-09-28 04:30:31, Info Message: <Starting the TrustedInstaller main loop.>
    2016-09-28 04:30:31, Info Message: <TrustedInstaller service starts successfully.>
    2016-09-28 04:30:31, Info Message: <Initializing online with Windows opt-in: False.>
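An added, stand-alone example (not the poster's script and not code from the Splunk blog post linked above): it reproduces the `rex` extraction, the `dedup Message` step and the `getShape` classification in plain Python over a few constructed winlog-style lines, so the logic can be run and checked with a plain `python` interpreter before the script is wired in as a custom command. The pandas read/write probes are left out, the fifth sample line (the one containing "upload") is constructed to exercise the "Infra" branch, and the `splunk.Intersplunk` import is only attempted when the file is run as a script, falling back to printing the rows outside Splunk.

```python
import re

# Constructed sample lines in the same shape as the winlog1.txt records from the post.
# The last line is made up so that the "upload" branch is exercised too.
SAMPLE_LINES = [
    "2016-09-28 04:30:31, Info Message: <Ending TrustedInstaller initialization.>",
    "2016-09-28 04:30:31, Info Message: <Starting the TrustedInstaller main loop.>",
    "2016-09-28 04:30:31, Info Message: <TrustedInstaller service starts successfully.>",
    "2016-09-28 04:30:31, Info Message: <Initializing online with Windows opt-in: False.>",
    "2016-09-28 04:30:32, Info Message: <Starting upload of diagnostic package.>",
]

# Same pattern as the post's rex: rex field=_raw "Message: <(?<Message>.*)>"
MESSAGE_RE = re.compile(r"Message: <(?P<Message>.*)>")

# Keyword -> group mapping, checked in the same order as the original getShape().
PHRASE_GROUPS = [
    ("upload", "Infra"),
    ("TrustedInstaller", "InstallationGroup"),
]


def extract_message(raw):
    """Return the Message field for one raw line, or None when the rex would not match."""
    match = MESSAGE_RE.search(raw)
    return match.group("Message") if match else None


def get_shape(text):
    """Classify a Message into an assignment group (same rules as the post's getShape)."""
    for phrase, group in PHRASE_GROUPS:
        if phrase in text:
            return group
    return "Misc"


def classify_events(lines):
    """Mimic `rex | dedup Message` and then add the assignmentgrp field to each result.

    Results are plain dicts, the same shape splunk.Intersplunk.getOrganizedResults()
    hands to a custom command, so the classification can be tested without Splunk.
    """
    results = []
    seen = set()
    for raw in lines:
        message = extract_message(raw)
        if message is None or message in seen:  # no match, or duplicate -> dropped like dedup
            continue
        seen.add(message)
        results.append({"_raw": raw, "Message": message, "assignmentgrp": get_shape(message)})
    return results


if __name__ == "__main__":
    try:
        # Inside Splunk: behave like the custom command, reading and writing results.
        import splunk.Intersplunk  # only available when launched by splunkd
        results, _, _ = splunk.Intersplunk.getOrganizedResults()
        for result in results:
            result["assignmentgrp"] = get_shape(result.get("Message", ""))
        splunk.Intersplunk.outputResults(results)
    except ImportError:
        # Outside Splunk: run the same logic over the constructed sample and print it,
        # which is a quick way to confirm the script itself executes.
        for row in classify_events(SAMPLE_LINES):
            print("%-20s %s" % (row["assignmentgrp"], row["Message"]))
```

Running the file directly prints one classified row per distinct message; if that works but the command still produces nothing inside Splunk, the problem lies in how the command is registered or invoked rather than in the Python itself.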