Activity Feed
- Posted Default values for the fields in the create ServiceNow incident action in ITSI. on Splunk ITSI. 07-17-2023 07:49 AM
- Posted Re: Email notifications not sending search field data. on Splunk ITSI. 07-17-2023 07:47 AM
- Posted Re: Email notifications not sending search field data. on Splunk ITSI. 07-04-2023 04:52 AM
- Posted Re: Email notifications not sending search field data. on Splunk ITSI. 07-03-2023 08:50 AM
- Posted Why are Email notifications not sending search field data? on Splunk ITSI. 06-30-2023 03:34 AM
- Got Karma for Re: Using comparison logic to add / remove entries from a lookup table.. 02-23-2023 09:25 AM
- Posted Re: Using comparison logic to add / remove entries from a lookup table. on Splunk Search. 02-23-2023 06:57 AM
- Posted Re: Using comparison logic to add / remove entries from a lookup table. on Splunk Search. 02-17-2023 10:57 AM
- Posted Re: Using comparison logic to add / remove entries from a lookup table. on Splunk Search. 02-15-2023 07:33 AM
- Got Karma for Re: How to use comparison logic to add / remove entries from a lookup table?. 02-14-2023 08:55 AM
- Posted Re: How to use comparison logic to add / remove entries from a lookup table? on Splunk Search. 02-14-2023 08:41 AM
- Karma Re: Using comparison logic to add / remove entries from a lookup table. for richgalloway. 02-14-2023 08:41 AM
- Posted How to use comparison logic to add / remove entries from a lookup table? on Splunk Search. 02-14-2023 05:53 AM
- Karma Re: Can you remove multiple entries from a lookup table using a search? for isoutamo. 02-09-2023 05:41 AM
- Posted Re: Can you remove multiple entries from a lookup table using a search? on Splunk Search. 02-04-2023 06:22 AM
- Posted Can you remove multiple entries from a lookup table using a search? on Splunk Search. 02-01-2023 10:44 AM
- Posted Issues with the Splunk ServiceNow add-on- Not creating incidents? on All Apps and Add-ons. 10-12-2022 05:03 AM
- Posted Re: Nested comparisons (using AND / OR with IF / CASE functions)- How would I add a second condition? on Splunk Search. 09-23-2022 07:57 AM
- Karma Re: Nested comparisons (using AND / OR with IF / CASE functions)- How would I add a second condition? for richgalloway. 09-23-2022 07:57 AM
- Posted Nested comparisons (using AND / OR with IF / CASE functions)- How would I add a second condition? on Splunk Search. 09-23-2022 04:55 AM
07-17-2023 07:49 AM
Hi, Is there a way to set default values for the fields in the configure action dialog for the Create ServiceNow Incident action from the Episode Review page? When we select an episode and go to Actions --> Create ServiceNow Incident, is there a way to prepopulate some of the fields, or do they have to be manually completed each time? We currently have NEAPs that automatically create ServiceNow incidents, but this scenario is for episodes that require manual actions before we create the incidents. Thanks.
Labels: using ITSI
07-17-2023 07:47 AM
Apologies for the delay. Thanks Seb.
07-04-2023 04:52 AM
Thanks for your reply Srauhala. I think I have found the issue. It appears to be an issue with the Splunk / ServiceNow bidirectional integration. We are trying to send an email after the SNow incident is closed. If I send an email notification when we create the SNow incident the fields are displayed correctly. It appears that the tokens lose their association to the episode after it's closed. Are you aware of anything special we have to do for this scenario? Thanks again.
07-03-2023 08:50 AM
Hi Seb, Yes, the fields are present in the correlation results used by the NEAP. Do the fields need to be from the raw event, or can I use fields extracted using eval statements? Thanks. Mark
06-30-2023 03:34 AM
Hi everyone,
We have action rules in the Notable Event Aggregation Policies that send email notifications. The emails are received but they do not include the specified search field data.
The subject and body contain some of the search fields that exist (and are populated) in the episodes, in the following format:
$result.<searchfield>$
E.G. $result.Message$
But the data from the fields are not included in the emails we receive. We have tried several different fields with the same result. Any idea what we are missing here?
Thanks.
Labels: administration, configuration, using ITSI
02-23-2023 06:57 AM
1 Karma
I was not able to get the field names to work in the where command, so I had to redo my lookup so I could use static values instead of the field names. The KV Store lookup appears to work much better when removing rows. Thanks anyway.
02-17-2023 10:57 AM
My apologies Rich, I am not able to get this to work if I use field names on both sides of the expression in my where command. Is there a special way to identify that it is a field and not a value? Thanks.
02-15-2023 07:33 AM
Sorry, one more question. Can I use a field name in the where command?
| eval search_action="login"
| where action!=search_action
I gave it a try but it doesn't appear to work. Thanks.
02-14-2023 08:41 AM
1 Karma
Perfect, thank you for clarifying!
02-14-2023 05:53 AM
Hello again, my apologies for all of these questions.
I have a lookup table called login_sessions.csv which will keep track of allowed login sessions. It has the following columns UID, sessionstart, and sessionend.
I would like to add and remove entries to the lookup table depending on the value of a field called "action" in the events.
If the value of action is "login" then I would like to add the userID, session_start, session_end fields from the event into the login_sessions.csv lookup, and if the value is "logoff" then I would like to remove the existing entry from the lookup.
I was hoping I could use something like an if or case statement to do this, but I have only seen them used with eval and I haven't had much luck so far.
E.G.
if(action=="login", (inputlookup append=true login_sessions.csv | eval UID=userID, sessionstart=session_start, sessionend=session_end | outputlookup login_sessions.csv))
Is there a way to do this in a search?
Thank you for any assistance.
Labels: lookup
02-04-2023 06:22 AM
Thank you very much for this isoutamo! I will give it a try.
02-01-2023 10:44 AM
Hi, I have a lookup table that contains a list of sessions with permitted time frames (start day & time / end day & time). I am looking for a way to run a scheduled search to remove any expired entries from the lookup table (e.g. sessions with end days / times that have passed). Can multiple entries be removed from a lookup table via a search? I know I can append to a lookup table but not sure about deletion. Thanks!
Labels: lookup
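Bringing the two lookup-maintenance questions in this thread together (adding and removing login_sessions.csv rows on login/logoff, and purging expired rows on a schedule), here is one scheduled search as an added example; it is not from the original posts and not from Splunk's documentation. It assumes events in index=auth with an action field of "login" or "logoff", userID, session_start and session_end fields carrying epoch timestamps, the same epoch format in the lookup's sessionstart/sessionend columns, and a schedule whose window matches the earliest/latest used here. All of those are assumptions.

```spl
index=auth (action="login" OR action="logoff") earliest=-5m@m latest=@m
| eval UID=userID, sessionstart=session_start, sessionend=session_end, logoff_time=if(action=="logoff", _time, null())
| table action UID sessionstart sessionend logoff_time
| inputlookup append=true login_sessions.csv
| fillnull value="existing" action
| eventstats max(logoff_time) AS last_logoff BY UID
| where action!="logoff" AND (isnull(last_logoff) OR tonumber(sessionstart) > last_logoff) AND tonumber(sessionend) > now()
| dedup UID sessionstart
| table UID sessionstart sessionend
| outputlookup login_sessions.csv
```

How it works: the window's events and the current lookup rows are combined with inputlookup append=true, fillnull marks the lookup rows as "existing", and eventstats records the latest logoff time per UID. The where clause then keeps a row only if it is not itself a logoff, no logoff for that UID happened after its sessionstart, and its sessionend is still in the future; outputlookup writes that filtered set back. That is how rows are "deleted" from a CSV lookup: there is no per-row delete, the whole file is rewritten, so a search that errors out or returns nothing can leave you with an empty allowlist. Keep a copy of the file and look at outputlookup's override_if_empty option before scheduling this. Note also the comparisons in where: an unquoted name on either side of the operator is a field, so tonumber(sessionstart) > last_logoff compares two fields, while a string literal needs double quotes (action!="logoff"). In the search command, by contrast, the right-hand side of action!=search_action is always the literal string search_action.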
10-12-2022 05:03 AM
Hi everyone,
I am experiencing some issues with the ServiceNow add-on not creating incidents in ServiceNow. I was able to successfully add the ServiceNow account in Splunk and confirmed that the correct permissions have been granted to the account in ServiceNow.
When I try to create an incident for an episode in Splunk ITSI I receive the error:
"Unable to run the action snow_incident. Make sure the action is configured correctly and has all required fields. See the Activity tab of the episode for more information."
I checked the Activity log and found the following errors:
"Action="snow_incident" failed with the following error: None search failed for actionId=search..."
"Search command "snowincidentalert" failed to return an incident ID or URL. Check the add-on configuration and input parameters."
I also ran the following search as per the Splunk documentation:
eventtype=snow_ticket_error
And I see the error:
"ERROR pid=1 tid=MainThread file=snow_ticket.py:_do_event:182 | Failed to connect to https://companydev.service-now.com/https://companydev.service-now.com, error=Traceback (most recent call last):..."
I'm not sure why the URL is listed twice in the error. I am able to connect and login to the URL with the account used in Splunk.
Has anyone else run into an issue like this before?
Thanks.
Labels: configuration
09-23-2022 07:57 AM
Thank you very much for this richgalloway! This worked perfectly.
09-23-2022 04:55 AM
Hi everyone,
I am attempting to implement some logic in my alert searches but I can't seem to figure out how to do it.
I have some event data coming into Splunk that I want to trigger a Service Now incident creation using a priority value based on the event severity and the host environment (test, stage, prod, DR).
I am using a case statement to assign a severity ID depending on the alert severity:
| eval severity_id=case(Severity=="critical", 6, Severity=="major", 5, 1==1, 3)
If I want to add a second condition to check the value of the hostEnvironment field before setting the severity ID what would be the best way to do this?
E.G. If the severity = "critical" AND hostEnvironment = test then severity ID = 3.
E.G. If the severity = "critical" AND hostEnvironment = prod then severity ID = 6
etc.
I am hoping there is a way to nest the comparison functions.
Thanks in advance.
09-14-2022 06:30 AM
1 Karma
Thanks richgalloway. Aside from some of the entries not matching the same case there was also a space included in the teamID extractions.
09-13-2022 05:58 AM
I am fairly new to Splunk, and I am having a lot of trouble using the table lookups.
I have a lookup CSV table (team_info) that looks like this:
team_id,active,group
team_a,1,team a ops
team_b,0,team b marketing
team_c,1,team c netops
My search is extracting a field using regex:
index="sys_alerts"
| rex field="Message" "...<teamID>..."
| eval app="Application A"
| lookup team_info team_id as teamID OUTPUT active as active, group as group
When I run the search the teamID is being extracted successfully but I do not see the active or group fields in the events.
What am I doing wrong or missing?
Thanks in advance.
Labels: lookup
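An added example (not the poster's search and not from the thread) of the normalization that makes a CSV lookup match reliably, written around the case and whitespace problems the poster later reported with teamID. It assumes a hypothetical Message format in which the team appears as team=<id>; the regex and the index are illustrative, the lookup definition name team_info is taken from the post.

```spl
index="sys_alerts"
| rex field=Message "team=(?<teamID>[^\s,]+)"
| eval teamID=lower(trim(teamID))
| eval app="Application A"
| lookup team_info team_id AS teamID OUTPUT active AS active, group AS group
| eval lookup_status=if(isnull(active), "no match", "matched")
| table _time teamID lookup_status active group app
```

trim() strips the leading/trailing space that can ride along with an extracted value, and lower() removes case differences between the events and the CSV; the alternative is setting case_sensitive_match = false on the lookup definition in transforms.conf. The lookup_status field makes unmatched events visible (| where lookup_status="no match"), which matters when the group drives incident routing, because an event with no group is otherwise silently left unrouted. If matches still fail, run | inputlookup team_info | eval len=len(team_id) to spot stray whitespace inside the CSV itself.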
09-08-2022 06:49 AM
Thanks again yuanliu!
09-07-2022 04:05 AM
Thanks Yuanliu. Can the IF function be nested in the event we have multiple conditions? Regards, Mark
09-06-2022 08:49 AM
We have alert events coming into Splunk & Splunk ITSI that we open Service Now incidents for, but depending on the event contents the incident will need to be routed to different teams. An example scenario is, if the alert comes from server A then set the Service Now assignment group to team A, alerts from all other servers should go to team B. We will have many of these scenarios in our environment, what is the best way to do this? Thanks in advance!
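A single search that covers both conditional-logic questions in this thread (nested Severity/hostEnvironment comparisons for severity_id, and assignment-group routing by host), as an added example; it is not the poster's alert search and not Splunk's or ServiceNow's code. The index, sourcetype, host names, the serverA and db- patterns, the stage/DR mappings and the numeric severity_id values are assumptions; lower() is applied first so "Critical" and "critical" are treated the same.

```spl
index="sys_alerts" sourcetype=app_alerts
| eval Severity=lower(Severity), hostEnvironment=lower(hostEnvironment)
| eval severity_id=case(
      Severity=="critical" AND hostEnvironment=="prod",  6,
      Severity=="critical" AND hostEnvironment=="dr",    6,
      Severity=="critical" AND hostEnvironment=="stage", 4,
      Severity=="critical" AND hostEnvironment=="test",  3,
      Severity=="major"    AND hostEnvironment=="prod",  5,
      Severity=="major",                                 4,
      true(),                                            3)
| eval assignment_group=case(
      host=="serverA",          "team A",
      match(host, "^db-"),      "team DBA",
      true(),                   "team B")
| table _time host hostEnvironment Severity severity_id assignment_group
```

case() returns the value for the first condition that is true, so the most specific Severity/environment pairs go first and a true() catch-all goes last (the poster's 1==1 does the same job). AND/OR can be combined freely inside each condition, and match() handles host naming patterns. Once the number of host-to-team rules grows, move that mapping into a lookup (host to assignment_group) and use | lookup instead of a long case(), but keep a default group either way so an unrouted alert still creates an incident rather than failing quietly.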
11-08-2019 07:27 AM
Thanks for confirming!
11-08-2019 05:58 AM
Hi,
I am looking for a way to add some forwarders / clients to a server class (serverclass.conf) by using the CLI / command line.
Is this possible?
Thanks in advance.