Splunk ITSI

ITSI alerts show as incident service now

Splunk_citizen
Explorer

Hello Splunkers,

Recently we have set up an ITSI service in Splunk. Now I'm just trying to find a way to send alerts so that ServiceNow tickets are created in our ServiceNow tool.
To be straight: integrate my ServiceNow product with the ITSI app.

Thanks in advance.

0 Karma

iamarkaprabha
Contributor

Hi,

Yes, it can be possible.

Create an incident or event from an alert using the snow_incident.py or snow_event.py script
You can create an incident or event based on an alert.

In Splunk Web, click Settings > Searches, Reports, and Alerts.
Click New.
Set the Destination app to Splunk Add-on for ServiceNow (Splunk_TA_snow).
Enter a Search name that describes the alert you want to create.
Enter a Search that meets the following criteria:
To create an incident, the search must include the mandatory arguments category, short_description, and contact_type. These arguments are required by ServiceNow to create an incident. The Splunk platform passes the arguments through to the alert result to trigger the script.
To create an event, the search must include the mandatory arguments node, resource, type, and severity. These arguments are required by ServiceNow to create an event. The Splunk platform passes the arguments to the alert result to trigger the script.
The search can include any of the optional arguments supported by ServiceNow incident or event creation. See About the commands and scripts for a table detailing each of these arguments.
The search must be in tabular format.

The following search is an example that demonstrates how to trigger the script to create an incident when CPU usage is 95 or higher.

sourcetype="CPURates" earliest=-5m latest=now 
| stats avg(CPU) as CPU last(_time) as time by host 
| where CPU>=95 | eval contact_type="email" 
| eval ci_identifier=host 
| eval priority=1 | eval category="Software" 
| eval subcategory="database" 
| eval short_description="CPU on ". host ." is at ". CPU 
| table category, subcategory, short_description, contact_type, ci_identifier, priority

The following search is an example that demonstrates how to trigger the script to create an event when CPU usage is 95 or higher:

sourcetype="CPURates" earliest=-5m latest=now 
| stats avg(CPU) as CPU last(_time) as time by host 
| where CPU>=95 | eval node=host | eval resource="CPU" 
| eval type="CPUAlert" | eval severity=2 
| eval description="CPU on ". host ." is at ". CPU 
| table time, severity, node, resource, type, description

Under Schedule and alert, click Schedule this search.
Select values for Schedule type, Run every, Expiration, and Severity according to your alert requirements.
Under Alert actions, check the box next to Enable under Run a script.
Enter the name of the script in File name of shell script to run.
For an incident, enter snow_incident.py
For an event, enter snow_event.py
Click Save.

Please refer to the document below for the detailed process.

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usescriptedalerts
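As an added illustration (not the add-on's snow_incident.py and not part of the original answer): a small Python script that reads the gzipped CSV results file Splunk hands a scripted alert in argv[8], then rejects any row lacking the mandatory incident or event fields listed above before anything would be sent to ServiceNow. It assumes the standard scripted-alert argument layout, uses constructed sample rows, and leaves out the actual ServiceNow POST.

```python
import csv
import gzip
import io
import sys

# Mandatory ServiceNow arguments quoted in the answer above, per kind of record.
MANDATORY = {
    "incident": ("category", "short_description", "contact_type"),
    "event": ("node", "resource", "type", "severity"),
}

# Constructed sample results: the second row has an empty contact_type.
SAMPLE_CSV = (
    "category,subcategory,short_description,contact_type,ci_identifier,priority\n"
    "Software,database,CPU on db01 is at 97.5,email,db01,1\n"
    "Software,database,CPU on db02 is at 96.0,,db02,1\n"
)


def sample_results_gz():
    """Gzip the constructed CSV the way Splunk stores alert results on disk."""
    return io.BytesIO(gzip.compress(SAMPLE_CSV.encode()))


def load_results(path_or_file):
    """Read the gzipped CSV results file Splunk passes to a scripted alert (argv[8])."""
    with gzip.open(path_or_file, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def missing_fields(row, kind):
    """Mandatory fields that are absent or empty in one result row."""
    return [f for f in MANDATORY[kind] if not row.get(f)]


def build_payloads(rows, kind):
    """Split rows into ServiceNow-ready payloads and (row, missing) rejects; empty columns are dropped."""
    ok, rejected = [], []
    for row in rows:
        missing = missing_fields(row, kind)
        if missing:
            rejected.append((row, missing))
        else:
            ok.append({k: v for k, v in row.items() if v})
    return ok, rejected


def main(argv):
    """Scripted-alert entry point: results file is argv[8]; the returned payloads go to ServiceNow."""
    ok, rejected = build_payloads(load_results(argv[8]), "incident")
    for row, missing in rejected:
        print(f"skipping {row.get('short_description')!r}: missing {missing}", file=sys.stderr)
    return ok
```

Field values such as short_description are built from event data (the host name here), so a script like this should treat them as data when it assembles the ServiceNow request rather than interpolating them into anything executable.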
