How to correctly get assignment_group_name for incidents coming from ServiceNow, instead of the sys_id of the group, in Splunk?

skender27
Contributor

Hi,

I am using the app and the add-on ServiceNow Event Management for Splunk 6.2.3.
It is working fine, but as the assigned group name I get the unique sys_id of the ServiceNow group to which the incident has been assigned (so I get hsgsjdklfkshagsgdj instead of the readable group name).
I checked the sys_user_group_list_lookup.csv file under the /lookup directory in Splunk, but I do not see any such field...

Has anyone tried the same thing?

Thanks,
Skender Kollcaku

1 Solution

skender27
Contributor

Ok.
After studying the lookup tables and CSV files included with the add-on at length,
I corrected it as follows:

eventtype=snow-incident
| dedup sys_id
| search state=7
| eval closureTime=(strptime(closed_at,"%Y-%m-%d %H:%M:%S")-strptime(opened_at,"%Y-%m-%d %H:%M:%S"))/3600
| eval assignment_group_name=if(assignment_group_name!="", assignment_group_name, "Unassigned")
| chart avg(closureTime) by assignment_group_name limit=7

state=7 means that the incident has been closed!

Thanks anyway,
Skender

johngut
New Member

Did you ever find an answer for this issue?

skender27
Contributor

In fact, in the illustration you can see two panels of what I get from the incidents dashboard:
instead of the unreadable code (which is the sys_id), I need the real name of the group to which the incident was assigned...

I hope the problem I am running into is clear.

Thanks in advance,
Skender

skender27
Contributor

...and here is the search used to produce this dashboard:

eventtype=snow-incident
| dedup sys_id
| search state=7
| eval closureTime=(strptime(closed_at,"%Y-%m-%d %H:%M:%S")-strptime(opened_at,"%Y-%m-%d %H:%M:%S"))/3600
| eval assignment_group_name=if(assignment_group!="", assignment_group, "Unassigned")
| chart avg(closureTime) by assignment_group_name limit=7

mgranger1
Path Finder

I'm having the same issue for lots of fields within this app. Is there a way to do a dynamic "lookup" based on the sys_id? Particularly for fields like:

assigned_to
assignment_group
cmdb_ci
opened_by
requested_by
u_category_list
u_requesting_group
u_user

These would be incredibly useful fields IF we could actually read them in a meaningful way.

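The accepted query above, together with the sys_id-to-name resolution mgranger1 asks for, reproduced in Python as an added example that is not part of the thread or of the add-on. The lookup contents, the incident records and the assumption that the add-on's group lookup maps a group sys_id to a name column are all constructed here; field names (sys_id, state, opened_at, closed_at, assignment_group) are the ones used in the thread.

```python
# Added example: resolve ServiceNow group sys_id values to readable names and
# reproduce the "avg closure time by assignment group" report from the thread.
from datetime import datetime

# Constructed lookup (sys_id -> display name); in the add-on this would be the
# sys_user_group lookup CSV, whose column names are assumed, not verified.
GROUP_LOOKUP = {
    "hsgsjdklfkshagsgdj": "Network Operations",
    "a1b2c3d4e5f6a7b8c9": "Service Desk",
}

# Constructed incident events, newest first; INC1 appears twice to exercise dedup.
INCIDENTS = [
    {"sys_id": "INC1", "state": "7", "opened_at": "2023-01-01 08:00:00",
     "closed_at": "2023-01-01 12:00:00", "assignment_group": "hsgsjdklfkshagsgdj"},
    {"sys_id": "INC1", "state": "2", "opened_at": "2023-01-01 08:00:00",
     "closed_at": "", "assignment_group": "hsgsjdklfkshagsgdj"},
    {"sys_id": "INC2", "state": "7", "opened_at": "2023-01-02 09:00:00",
     "closed_at": "2023-01-02 11:00:00", "assignment_group": "hsgsjdklfkshagsgdj"},
    {"sys_id": "INC3", "state": "7", "opened_at": "2023-01-03 10:00:00",
     "closed_at": "2023-01-03 13:00:00", "assignment_group": ""},
    {"sys_id": "INC4", "state": "7", "opened_at": "2023-01-04 10:00:00",
     "closed_at": "2023-01-04 10:30:00", "assignment_group": "zz_unknown_group"},
]

FMT = "%Y-%m-%d %H:%M:%S"  # same timestamp format the strptime() calls use


def group_name(sys_id, lookup=GROUP_LOOKUP):
    """The eval/if from the thread: empty value -> 'Unassigned'. A sys_id that is
    missing from the lookup is kept verbatim so the gap stays visible in the report."""
    if not sys_id:
        return "Unassigned"
    return lookup.get(sys_id, sys_id)


def avg_closure_hours_by_group(events, lookup=GROUP_LOOKUP):
    """dedup sys_id (first event wins, as Splunk's dedup keeps the newest)
    | state=7 | closureTime in hours | avg by resolved group name."""
    seen, hours = set(), {}
    for ev in events:
        if ev["sys_id"] in seen:
            continue
        seen.add(ev["sys_id"])
        if ev["state"] != "7":  # only closed incidents have a closure time
            continue
        delta = datetime.strptime(ev["closed_at"], FMT) - datetime.strptime(ev["opened_at"], FMT)
        hours.setdefault(group_name(ev["assignment_group"], lookup), []).append(delta.total_seconds() / 3600)
    return {g: sum(v) / len(v) for g, v in hours.items()}


if __name__ == "__main__":
    for g, h in sorted(avg_closure_hours_by_group(INCIDENTS).items()):
        print(f"{g}: {h:.2f} h")
```

The unresolved sys_id for INC4 surfaces in the output unchanged, which is the quickest way to spot groups missing from the lookup CSV.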
surekhasplunk
Communicator

For me, eventtype=snow-incident itself doesn't return any data. Please help.
