How to get the incident number for alert action

santosh_sshanbh
Explorer

I am using the Splunk Add-on for ServiceNow in my ITSI instance. I have configured the Create SNOW incident action for the episode, which is successfully creating an incident in ServiceNow.

As a next step I want to inform the operations team about the recently created incident, so I have configured another action for the same episode to send an email. But I don't know how I can get the number of the recently created incident so that I can put it in the email subject line.

Can anyone guide me on this?


aasabatini
Motivator

Hi @santosh_sshanbh 

You can base the alert on this search

| rest /servicesNS/-/-/saved/searches 
| search title="*" 
| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV" 
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") 
| table title lastUpdated, nextRunTime, emailTo action.lookup.filename, query, severity
| fillnull value="" 
| sort -lastUpdated

This search shows you all triggered alerts and correlation searches.

If you want to monitor only one alert/correlation search, put the search name in this filter:

| search title="<search title>"

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

santosh_sshanbh
Explorer

Hi @aasabatini, thanks for your response. However, I am not clear on how I can get the incident number from this search. Basically I have an aggregation policy with 2 action rules:

1. Creates SNOW incident using one of the action of Splunk add-on for ServiceNow

2. Calls send email alert action

Now my requirement is that I need to embed the number of the incident (INCXXX) just created as a result of action #1 above in the body or subject line of the email.

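The thread does not say where the add-on exposes the created incident's number, but the number itself comes back from ServiceNow in the JSON body of the create call: the Table API (POST /api/now/table/incident) returns the new record under "result", including its "number". The Python below is an added example, not code from this thread, from ITSI or from the Splunk Add-on for ServiceNow; it assumes you have that response body in hand (for instance from your own alert-action script calling the Table API) and that the instance uses the default INC-plus-seven-digits numbering. It extracts the number, rejects error payloads, and builds a subject line for the follow-up email with CR/LF stripped from the episode title so a crafted title cannot inject extra mail headers. The sample responses are constructed for the example.

```python
"""Extract the incident number from a ServiceNow Table API create response.

Added example, not code from the thread, from ITSI or from the Splunk
Add-on for ServiceNow. Assumes the incident was created with
POST /api/now/table/incident and the body follows the Table API shape
{"result": {...}} on success or {"error": {...}, "status": "failure"}.
"""
import json
import re
from typing import Optional

# Assumption: out-of-the-box ServiceNow numbering, prefix "INC" + 7 digits.
INCIDENT_NUMBER_RE = re.compile(r"^INC\d{7}$")


def incident_number_from_response(body: str) -> str:
    """Return the INC number from a Table API create response body.

    Raises ValueError on malformed JSON, an error payload, or a number
    that does not look like an incident number.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"response is not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("response is not a JSON object")
    if "error" in data:
        # Table API error shape: {"error": {"message": ..., "detail": ...}}
        msg = data["error"].get("message", "unknown error")
        raise ValueError(f"ServiceNow returned an error: {msg}")
    result = data.get("result")
    if not isinstance(result, dict):
        raise ValueError("response has no 'result' object")
    number = result.get("number", "")
    if not isinstance(number, str) or not INCIDENT_NUMBER_RE.match(number):
        raise ValueError(f"unexpected incident number format: {number!r}")
    return number


def safe_incident_number(body: str) -> Optional[str]:
    """Same as above but returns None instead of raising, for use in a
    notification step that should still send something on failure."""
    try:
        return incident_number_from_response(body)
    except ValueError:
        return None


def email_subject(episode_title: str, number: Optional[str]) -> str:
    """Build the notification subject with the incident number first.

    The number goes first so it survives truncation in mail clients.
    CR/LF are stripped from the episode title: a subject is a mail header,
    and an embedded newline would let a crafted title add headers.
    """
    safe_title = " ".join(episode_title.replace("\r", " ").split())
    tag = number if number else "NO-INCIDENT"
    return f"[{tag}] {safe_title}"


# Constructed sample responses (not captured from a real instance).
SAMPLE_OK = json.dumps({
    "result": {
        "sys_id": "0123456789abcdef0123456789abcdef",
        "number": "INC0010023",
        "short_description": "Disk full on host01",
    }
})
SAMPLE_ERR = json.dumps({
    "error": {"message": "Insufficient rights to create record", "detail": None},
    "status": "failure",
})

if __name__ == "__main__":
    num = safe_incident_number(SAMPLE_OK)
    print(email_subject("Disk full on host01\r\nBcc: attacker@example.com", num))
    print(safe_incident_number(SAMPLE_ERR))
```

In an ITSI action rule the two actions run independently, so the email action has no built-in handle on the output of the SNOW action; a single custom alert action that creates the incident and then sends the mail, using the response as shown here, is the straightforward way to carry the number across.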