BRDR,
It sounds like what you are looking for is the snoweventstream.
http://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usestreamingcommands
The following example search creates an incident when CPU usage is 95 or higher.
sourcetype="CPURates" earliest=-5m latest=now
| stats avg(CPU) as CPU last(_time) as time by host
| where CPU>=95 | eval contact_type="email"
| eval ci_identifier=host | eval priority="1"
| eval category="Software" | eval subcategory="database"
| eval short_description="CPU on ". host ." is at ". CPU
| snowincidentstream
The following example search closes the above incident in ServiceNow version Eureka when CPU usage drops below 15.
sourcetype="CPURates" earliest=-5m latest=now
| stats avg(CPU) as CPU last(_time) as time by host
| where CPU<15 | eval contact_type="email"
| eval ci_identifier=host | eval state="7"
| eval category="Software" | eval subcategory="database"
| eval short_description="CPU on ". host ." is at ". CPU
| snowincidentstream
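To make the threshold and field-mapping logic of the two searches above checkable offline, here is an added Python model of them. It is example code written for this page, not code from the original answer or from the Splunk Add-on for ServiceNow; the event list is constructed, the function names are hypothetical, and the field values (priority "1" to open, state "7" to close in Eureka) are copied from the searches above.

```python
"""Added example: a plain-Python model of the two SPL searches above.

Not the add-on's code. It reproduces the per-host 5-minute average, the
open/close thresholds and the incident fields the searches build, so the
logic can be exercised on constructed events before wiring a real search
to snowincidentstream.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample events standing in for sourcetype="CPURates" over the last 5 minutes.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "host": "db01", "CPU": 97},
    {"_time": 1700000060, "host": "db01", "CPU": 99},
    {"_time": 1700000000, "host": "db02", "CPU": 10},
    {"_time": 1700000060, "host": "db02", "CPU": 12},
    {"_time": 1700000000, "host": "web01", "CPU": 50},
]


def stats_by_host(events):
    """Model of `| stats avg(CPU) as CPU last(_time) as time by host`.

    Splunk hands events to stats newest-first, so last(_time) is the
    oldest timestamp in the window; the model uses min() for that.
    """
    cpu = defaultdict(list)
    oldest = {}
    for e in events:
        cpu[e["host"]].append(e["CPU"])
        oldest[e["host"]] = min(oldest.get(e["host"], e["_time"]), e["_time"])
    return {h: {"host": h, "CPU": mean(v), "time": oldest[h]} for h, v in cpu.items()}


def incident_fields(row, **extra):
    """The eval fields shared by both searches, plus the per-search extras."""
    fields = {
        "contact_type": "email",
        "ci_identifier": row["host"],
        "category": "Software",
        "subcategory": "database",
        # eval short_description="CPU on ". host ." is at ". CPU
        "short_description": f"CPU on {row['host']} is at {row['CPU']}",
    }
    fields.update(extra)
    return fields


def open_incidents(events, threshold=95):
    """Rows the first search would send to snowincidentstream (CPU >= 95)."""
    return [incident_fields(r, priority="1")
            for r in stats_by_host(events).values() if r["CPU"] >= threshold]


def close_incidents(events, threshold=15):
    """Rows the second search would send to close the incident (CPU < 15)."""
    return [incident_fields(r, state="7")
            for r in stats_by_host(events).values() if r["CPU"] < threshold]


if __name__ == "__main__":
    for row in open_incidents(SAMPLE_EVENTS):
        print("open :", row)
    for row in close_incidents(SAMPLE_EVENTS):
        print("close:", row)
```

With the constructed events, only db01 (average 98) opens an incident and only db02 (average 11) closes one; web01 at 50 sits in the gap between the two thresholds and triggers neither search, which is what keeps a host hovering around one number from opening and closing the same incident every 5 minutes.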