Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident?

_gkollias
SplunkTrust

Hi All!

I am looking for best practices around how to update the Splunk Add-on for ServiceNow to populate custom mandatory fields in an Incident only. To create a new parameter (e.g. action.snow_incident.param.<custom field>), the most notable files to update that I can see are the following:

  1. snow_incident_base.py
  2. snow_incident_m.py
  3. eventgen.conf
  4. updating/creating CSVs under /samples (may not be necessary, but would update here to be consistent)
  5. snow_incident.html for front end interaction with workflow actions

Are there other scripts or .conf files out there that need to be updated in order to make this successful on either the Splunk or ServiceNow side?

Thanks in advance!

1 Solution

_gkollias
SplunkTrust

The answer to my question is to use the snowincidentstream command. For a list of all commands, please review this documentation.

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts

I worked with a member of our internal SNow team, and we mapped values in Splunk to custom fields in the Incident. Then, we added the respective SNow arguments in the SPL - this left us with a lot of flexibility to add more fields than there are in the alert action UI! I highly recommend this - here are the docs with search examples:

https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usestreamingcommands

SplunkRules
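
As an added illustration of the approach in this answer (not code from the original post, the add-on, or its docs), here is an SPL search that maps alert results onto ServiceNow incident fields and passes the custom ones through snowincidentstream. The account name, the detection search and the u_* column names are placeholders I made up; it also assumes that an argument value naming a field in the search results takes that field's value per result (otherwise it is used literally), and that the custom columns already exist in the target ServiceNow table, so verify the argument names and that behaviour against the streaming-commands docs linked above for the add-on version in use.

```spl
| tstats count max(_time) AS last_seen WHERE index=security sourcetype=auth action=failure BY host user
| where count > 20
``` Constructed detection: hosts/users with more than 20 failed logins; replace with the real alert search.
| eval u_splunk_host = host
| eval u_source_user = user
| eval u_alert_name = "Brute-force login attempts"
``` Placeholder custom columns (u_*) that must already exist on the ServiceNow side.
| eval short_description = "Splunk: " . count . " failed logins for " . user . " on " . host
| eval description = "Detected by Splunk; last seen " . strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| eval custom_fields = "u_splunk_host=" . u_splunk_host . "||u_source_user=" . u_source_user . "||u_alert_name=" . u_alert_name
``` custom_fields carries any number of field=value pairs, so fields beyond the alert action UI can be added here.
| snowincidentstream account="servicenow_prod" short_description=short_description description=description category="security" urgency="2" impact="2" custom_fields=custom_fields
``` "servicenow_prod" is a placeholder account name configured in the add-on.
```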

mreynov_splunk
Splunk Employee

Integration works as follows: when incident data hits SNOW, it is first entered into an interstitial table "Splunk Incident".
Therefore, to make this work you will need to adjust that table definition on the SNOW side. (This is part of the "Splunk Integration" SNOW app.)
Then you will need to change a few files, depending on the type of action you want to use (alert has custom UI, for example).

With the above said, let me ask you this:
- can you include this data in the description field?
- can you set these fields using custom workflow on the SNOW side?


_gkollias
SplunkTrust

Hi! The answer should be yes to both of your questions.


sloshburch
Splunk Employee

Trying to help but out of my knowledge realm. Was there no good documentation on this type of thang? Or was there a specific docs page that got you close that's worth highlighting for context?


_gkollias
SplunkTrust

Nah, ain't no thang. This page is helpful but doesn't quite get me there with customizing:

http://docs.splunk.com/Documentation/AddOns/latest/ServiceNow/Usecustomalertactions

What I have listed above is almost there. The behavior I see after adding to the above scripts and files is - Incidents are created, but seem to be stored behind the scenes. What I mean by this is after I revert back to the orig scripts, all of the INC that were created using the new ones appear in Service-Now. I poked around in the Splunk App for ServiceNow, but I don't see anything that appears to need updating for populating custom fields, although I may have overlooked something.


sloshburch
Splunk Employee

Cool. Thanks for adding that context and what helped. Lemme see what other eyes I can get on this.


_gkollias
SplunkTrust

Hey - did you happen to hear back from anyone on this?


sloshburch
Splunk Employee

Peek at the response from @mreynov. There's no one more qualified 😉


_gkollias
SplunkTrust

Thank you!
