Splunk Search

How to configure a lookup in Splunk Add-on for ServiceNow?

Hemnaath
Motivator

Hi Team,

Got a request to configure a lookup called cmdb_ci_computer.csv that contains anything with a subcategory of computer in sourcetype=cmdb_ci_list. This should be configured under Splunk_TA_snow/local/savedsearch.conf.
Could you please guide me on how to create and configure this lookup?

Thanks in advance.

0 Karma

p_gurav
Champion

Refer to the doc below and try to place the lookup at the specified position:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Lookups

0 Karma

Hemnaath
Motivator

Hi Gurav, thanks for your inputs, but I had gone through this document and created the steps below. Could you please guide me on whether the steps are correct?

1) Create an empty CSV file under Splunk_TA_snow/lookup/cmdb_ci_computer.csv
2) Create an eventtype [snow_cmdb_ci_Computer]
     search = sourcetype=snow:cmdb_ci_Computer
3) Map the eventtype in the /local/savedsearches.conf
[ServiceNow CMDB CI Computer]
disabled = 0
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 * * * *
description = Saved search which populates the CMDB CI Computer from ServiceNow
dispatch.earliest_time = 0
dispatch.latest_time = now
display.general.type = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = eventtype=snow_cmdb_ci_computer | dedup sys_id | fields - _bkt, _cd,_indextime,_kv,_raw,_serial,_si,_sourcetype,_subsecond, punct, index, source, sourcetype  | inputlookup append=t cmdb_ci_computer_lookup | dedup sys_id | outputlookup cmdb_ci_computer_lookup 
0 Karma

p_gurav
Champion

Do you want to create a new lookup or use an existing one in the query?

0 Karma

Hemnaath
Motivator

I want to use the existing one in the query.

0 Karma

Hemnaath
Motivator

Hi Gurav, the steps below helped me get the required output.

Procedure:

1) First, executed a simple search to filter the sourcetype down to only the events where the selected field subcategory has the value Computer:

    sourcetype=snow:cmdb_ci_list subcategory=Computer

2) Created an eventtype in props.conf with sourcetype=snow:cmdb_ci_list subcategory=Computer, alongside the other existing eventtypes in the Splunk_TA_snow app:

     Eventtype [snow_cmdb_ci_Computer]
     search = sourcetype=snow:cmdb_ci_list subcategory=Computer

3) Created a saved search using the newly created eventtype to filter the events that contain anything with a subcategory of "Computer":

[ServiceNow CMDB CI SUB COMP List]
disabled = 0
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 0 * * * *
description = Saved search which populates the CMDB CI contains anything with subcategory of "Computer"
dispatch.earliest_time = 0
dispatch.latest_time = now
display.general.type = statistics
display.visualizations.show = 0
enableSched = 1
request.ui_dispatch_app = search
request.ui_dispatch_view = search
search = eventtype=snow_cmdb_ci_Computer | dedup sys_id | fields - _bkt, _cd,_indextime,_kv,_raw,_serial,_si,_sourcetype,_subsecond, punct, index, source, sourcetype  | inputlookup append=t cmdb_ci_list_lookup | dedup sys_id | outputlookup cmdb_ci_list_lookup

4) After finishing the above steps, the app was pushed to the search head cluster environment via the deployer:

 cd /opt/splunk/bin
 ./splunk apply shcluster-bundle --answer-yes -target https://splunkinstancename:8089 -auth admin:password

5) We are able to see the required output in Splunk, with the events containing the value Computer in the selected field subcategory.
0 Karma
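The saved search in step 3 builds the lookup incrementally: fresh events are deduplicated on sys_id, the current lookup contents are appended behind them, and the union is deduplicated again before being written back. The following is an added example, not code from the post or from the Splunk Add-on for ServiceNow, that emulates that pipeline offline on constructed data so the merge semantics (which duplicate wins, which columns end up in the CSV) can be checked before the search is scheduled. The lookup name cmdb_ci_list_lookup and the field list come from the post; the sample events and the existing lookup rows are constructed.

```python
"""
Offline emulation of the lookup-population pipeline from the saved search:

  eventtype=snow_cmdb_ci_Computer | dedup sys_id | fields - <internal fields>
    | inputlookup append=t cmdb_ci_list_lookup | dedup sys_id
    | outputlookup cmdb_ci_list_lookup

Added example, not part of the post or of Splunk_TA_snow.
"""
import csv
import io

# Fields the saved search drops before writing the lookup (list taken from the post).
INTERNAL_FIELDS = {
    "_bkt", "_cd", "_indextime", "_kv", "_raw", "_serial", "_si",
    "_sourcetype", "_subsecond", "punct", "index", "source", "sourcetype",
}

# Constructed sample search results, newest first as Splunk returns them.
SAMPLE_EVENTS = [
    {"sys_id": "a1", "name": "ws-001", "subcategory": "Computer",
     "sourcetype": "snow:cmdb_ci_list", "index": "snow", "_raw": "{...}"},
    {"sys_id": "a2", "name": "srv-db", "subcategory": "Server",
     "sourcetype": "snow:cmdb_ci_list", "index": "snow", "_raw": "{...}"},
    {"sys_id": "a1", "name": "ws-001-older", "subcategory": "Computer",
     "sourcetype": "snow:cmdb_ci_list", "index": "snow", "_raw": "{...}"},
    {"sys_id": "a3", "name": "lt-007", "subcategory": "computer",
     "sourcetype": "snow:cmdb_ci_list", "index": "snow", "_raw": "{...}"},
]

# Constructed current contents of the CSV behind cmdb_ci_list_lookup.
EXISTING_LOOKUP_CSV = (
    "sys_id,name,subcategory\n"
    "a1,ws-001-stale,Computer\n"
    "a9,ws-009,Computer\n"
)


def matches_eventtype(event, sourcetype="snow:cmdb_ci_list", subcategory="Computer"):
    """Eventtype snow_cmdb_ci_Computer from the post. Field values are compared
    case-insensitively, as Splunk's field=value search does."""
    return (event.get("sourcetype", "").lower() == sourcetype.lower()
            and event.get("subcategory", "").lower() == subcategory.lower())


def dedup(rows, key="sys_id"):
    """SPL `dedup <key>`: keep the first row seen per key value, preserving order."""
    seen, kept = set(), []
    for row in rows:
        value = row.get(key)
        if value not in seen:
            seen.add(value)
            kept.append(row)
    return kept


def strip_fields(rows, drop=INTERNAL_FIELDS):
    """SPL `fields - ...`: remove the listed fields from every row."""
    return [{k: v for k, v in row.items() if k not in drop} for row in rows]


def populate_lookup(events, existing_csv):
    """Run the whole pipeline and return the CSV text outputlookup would write."""
    fresh = dedup(strip_fields(e for e in events if matches_eventtype(e)))
    existing = list(csv.DictReader(io.StringIO(existing_csv)))
    # inputlookup append=t places the existing rows AFTER the search results,
    # so the second dedup keeps the fresh row whenever a sys_id appears in both.
    merged = dedup(fresh + existing)
    # outputlookup writes the union of columns, in order of first appearance.
    columns = []
    for row in merged:
        for name in row:
            if name not in columns:
                columns.append(name)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(merged)
    return out.getvalue()


if __name__ == "__main__":
    print(populate_lookup(SAMPLE_EVENTS, EXISTING_LOOKUP_CSV))
```

Two properties of the pipeline become visible when run on this input: the ordering of `inputlookup append=t` is what makes the freshly indexed row beat the stale lookup row for the same sys_id, and nothing in the pipeline ever removes a row, so a CI that disappears from the ServiceNow export (sys_id a9 here) stays in the lookup indefinitely. If the lookup feeds asset-inventory or allow-list logic, that retained row is the thing to watch for.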

Hemnaath
Motivator

Hi All,

Can anyone throw some light on this? I want to know how to configure a lookup in splunk_TA_servicenow.

0 Karma

Hemnaath
Motivator

Hi All,
Can anyone guide me on this?

0 Karma

Hemnaath
Motivator

Hi All,

Any help will be much appreciated.

0 Karma