Splunk App for ServiceNow incident state

wegscd
Contributor

I brought up the Splunk App for ServiceNow on Friday in a test app, let it chug away over the weekend to get the data extracted from Service Now over the weekend.

Went to run the reports, and all incidents are showing up as "Open". Dug into it, and our Service Now instance keeps all incidents with incident_state=1; as the tickets are worked, there is a different field "state" that is changing.

Is this something specific to our Service Now implementation, or has someone else seen this?

0 Karma

ehaddad_splunk
Splunk Employee

Hi,

I have seen some snow implementations use state field and others use state_incident. We might need to change the default to be using state field to represent the status of the incident instead - in the meantime you can fix the behavior in your environment by applying the lookup to the state field (do it under local/props.conf):
[snow:incident]
LOOKUP-incident_state = incident_state_lookup state OUTPUTNEW incident_state_name

wegscd
Contributor

The fix is a lot more pervasive than that; there are also queries in the dashboards that need fixing. Right now I'm trying to determine if this is something our ServiceNow folks have done to us, and if anyone else has seen the problem.

0 Karma

ehaddad_splunk
Splunk Employee

There is a business rule that does the sync between the two fields. You might want to check this:
https://community.servicenow.com/message/801220?_ga=1.84815579.354472655.1430263836#801220

0 Karma

wegscd
Contributor

Checking with my ServiceNow guy; I think that rule is broken/turned off; incident_state is sticking at '1'.

0 Karma