Hi,
I am using the app and the add-on ServiceNow Event Management for Splunk 6.2.3.
It is working fine, but as the assigned group name I get the unique sys_id of the group in ServiceNow to which the incident has been assigned (so I get hsgsjdklfkshagsgdj instead of the readable group name).
I checked the sys_user_group_list_lookup.csv file under /lookup directory in Splunk, but I do not see any such field...
Has anyone tried the same thing?
Thanks,
Skender Kollcaku
Ok.
After studying the lookup tables and csv files included with the add-on at length,
I corrected it like this:
eventtype=snow-incident | dedup sys_id | search state=7 | eval closureTime=(strptime(closed_at,"%Y-%m-%d %H:%M:%S")-strptime(opened_at,"%Y-%m-%d %H:%M:%S"))/3600 | eval assignment_group_name=if(assignment_group_name!="", assignment_group_name, "Unassigned") | chart avg(closureTime) by assignment_group_name limit=7
state=7 means that the incident has been closed!
Thanks anyway,
Skender
Did you ever find an answer for this issue?
In fact, in the illustration you see two panels of what I get from the dashboard of the incidents:
Instead of the unreadable code (which is the sys_id) I'd need the real name of the group to which the incident was assigned...
I hope the problem I am running into is clear.
Thanks in advance,
Skender
...and here is the search used to produce this dashboard:
eventtype=snow-incident | dedup sys_id | search state=7 | eval closureTime=(strptime(closed_at,"%Y-%m-%d %H:%M:%S")-strptime(opened_at,"%Y-%m-%d %H:%M:%S"))/3600 | eval assignment_group_name=if(assignment_group!="", assignment_group, "Unassigned") | chart avg(closureTime) by assignment_group_name limit=7
I'm having the same issue for lots of fields within this app. Is there a way to do a dynamic "lookup" based on the sys_id? Particularly for fields like:
assigned_to
assignment_group
cmdb_ci
opened_by
requested_by
u_category_list
u_requesting_group
u_user
These would be incredibly useful fields IF we could actually read them in a meaningful way.
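One way to resolve a sys_id field to its readable name explicitly, rather than relying on the add-on's automatic lookups, is the SPL lookup command run against the lookup CSV the add-on ships. The search below is an added example written for this thread; it is not from the original posts or from the ServiceNow add-on. It assumes the file sys_user_group_list_lookup.csv (mentioned earlier in the thread) has a sys_id column and a name column; those column names are an assumption, so confirm them first with the inputlookup check at the top. The same pattern applies to assigned_to, opened_by, cmdb_ci and the other fields listed above, each against its own lookup file.

```spl
| inputlookup sys_user_group_list_lookup.csv | head 5

eventtype=snow-incident
| dedup sys_id
| search state=7
| eval closureTime=(strptime(closed_at,"%Y-%m-%d %H:%M:%S")-strptime(opened_at,"%Y-%m-%d %H:%M:%S"))/3600
| lookup sys_user_group_list_lookup.csv sys_id AS assignment_group OUTPUT name AS assignment_group_name
| eval unresolved_group=if(isnotnull(assignment_group) AND assignment_group!="" AND isnull(assignment_group_name), "yes", "no")
| eval assignment_group_name=if(isnull(assignment_group_name) OR assignment_group_name=="", "Unassigned", assignment_group_name)
| chart avg(closureTime) AS avg_hours_to_close, count AS incidents, sum(eval(unresolved_group=="yes")) AS unresolved_sys_ids by assignment_group_name limit=7
```

The first line is a separate search: run it on its own to see the actual column names in the CSV, then adjust the sys_id and name references in the lookup line if they differ. The unresolved_sys_ids column separates two cases that the original search lumps together under "Unassigned": incidents that genuinely have no assignment group, and incidents whose sys_id is simply missing from the lookup file (typically because the add-on's lookup input has not refreshed since the group was created). A non-zero count there means the lookup CSV is stale, not that the incidents are unassigned.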
For me, eventtype=snow-incident itself doesn't return any data. Please help.