In the Splunk Add-on for ServiceNow, how do I set extra custom fields when creating an incident? Specifically updating the description field.

chrisyounger
SplunkTrust

My ServiceNow instance has custom fields on the Incident form that I need to set when raising an incident from Splunk using the official TA.

How can I do this?

1 Solution

chrisyounger
SplunkTrust

Unfortunately, to achieve this you will need to make changes to the official TA. This isn't ideal because if you update the TA from Splunkbase in the future you will lose your changes. So keep this in mind before embarking, and ideally have some version control set up so you can easily track changes. That said, this is how you can add additional fields to the Splunk alert actions UI:

For this example I will be adding a new field called "description". These changes should be made on the Search head. If you have a SHCluster then do it on the SHDeployer and push from there.

1) Edit the file ./etc/apps/Splunk_TA_snow/bin/snow_incident_base.py and near the top there is a list of all fields, add the new field like so:

[image]

2) Now edit the file ./etc/apps/Splunk_TA_snow/bin/snow_incident_m.py and add the new field in two places like so:

[image]

3) Finally change the file ./etc/apps/Splunk_TA_snow/default/data/ui/alerts/snow_incident.html and add a new UI element for the field:

(note due to the attachment limit, see the next comment on this question)

kipkip
Loves-to-Learn

After making the changes to the files in steps 1, 2 and 3, what is the step-by-step way to see the changes as indicated in the picture above?

0 Karma

chrisyounger
SplunkTrust

third image:

[image]

fourth image:

[image]

0 Karma

hmaldonado
Explorer

This post is invaluable! Many thanks for this article.

Regards,
Hans

0 Karma

jscraig2006
Communicator

Excellent! Although your step 1 and step 2 images didn't post. I know it's been over several months since this post. Would you be able to upload step 1 and 2 images? Thanks

0 Karma

kishor_pinjark1
Explorer

Thank you 🙂

0 Karma

chrisyounger
SplunkTrust

(continued from other answer)

[image]

4) Now restart your search head and you should see the new field in the alert action UI:

[image]

5) Trigger the alert to make the REST call to ServiceNow. You should now go see your friendly ServiceNow administrator and ask them to please update the mapping in the Splunk transform table to map the new field to the equivalent field on the Incident form. It's a couple of clicks, which hopefully they can do for you on the spot. I think the table with the mapping is x_splu2_splunk_ser_u_splunk_incident, but if they already installed the app or update set for you, then they should be able to find it pretty easily.

Hope this helps others, please upvote if it is useful to you!
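A post-upgrade check for the procedure above, as an added example that is not part of the original posts or of the TA itself: it reports which of the three edited files no longer mention the custom field, which is what happens when a Splunkbase update overwrites the changes. The function name `snow_field_missing` is hypothetical, and the whole-word match is a heuristic that assumes the stock files do not already contain the field name as a standalone word.

```shell
#!/bin/sh
# Added example (not from the post or the TA): find which of the three
# edited TA files have lost a custom field, e.g. after a Splunkbase update.

# Paths relative to the Splunk install directory, as given in steps 1-3.
SNOW_TA_FILES="etc/apps/Splunk_TA_snow/bin/snow_incident_base.py
etc/apps/Splunk_TA_snow/bin/snow_incident_m.py
etc/apps/Splunk_TA_snow/default/data/ui/alerts/snow_incident.html"

# snow_field_missing SPLUNK_HOME FIELD   (hypothetical helper name)
# Prints one line per file that is absent or does not contain FIELD as a
# whole word; -w keeps "short_description" from counting as "description".
# Returns 0 when all three files carry the field, 1 otherwise.
snow_field_missing() {
    home=$1 field=$2 rc=0
    for rel in $SNOW_TA_FILES; do
        if [ ! -f "$home/$rel" ]; then
            echo "missing file: $rel"; rc=1
        elif ! grep -qwF -- "$field" "$home/$rel"; then
            echo "field not found: $rel"; rc=1
        fi
    done
    return $rc
}

# Usage on the search head (or the SHDeployer copy of the app):
#   snow_field_missing /opt/splunk description || echo "re-apply steps 1-3"
```

Run it on the search head, or against the SHDeployer's copy of the app, after every TA upgrade and before the restart in step 4.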

ch1221
Path Finder

Thanks for posting all of this information. I have made all of these changes and the ServiceNow admin has done the mapping, however when I try to adhoc invoke the incident creation I receive the following error:

""ServiceNow Incident Integration" could not be dispatched:
ModularActionException: Invalid parameter for adhoc modular action"

I've been struggling with this for days and cannot find a solution. Any ideas?

0 Karma

kishor_pinjark1
Explorer

I am also not able to see both of the images above. Tried different browsers 😞

0 Karma

slander00
Explorer

Thank you for posting this. I would like to give this a try. The two screenshots you added are not available. Can you try uploading them again?

Thank you.

0 Karma

chrisyounger
SplunkTrust

OK, done. I had to put them on a third-party site, so hopefully corporate firewalls don't block them.

0 Karma

reachmevivek
Loves-to-Learn Lots

The steps below will help you add custom fields to the latest ServiceNow TA app. The official TA app doesn't come with the description field, and we have to configure it manually.

I will be adding a new field called "description". These changes should be made on the Search head. If you have a SHCluster then do it on the Deployer and push from there.

  • Edit the file ./etc/apps/Splunk_TA_snow/bin/snow_incident_base.py; near the top there is a list of all fields. Add the new field as marked in yellow below.

reachmevivek_0-1687447664133.png

reachmevivek_1-1687447664137.png

  • Now edit the file ./etc/apps/Splunk_TA_snow/bin/snow_incident_m.py and add the new field in two places, as shown below.

reachmevivek_2-1687447664138.png

reachmevivek_3-1687447664140.png

  • Finally, change the file ./etc/apps/Splunk_TA_snow/default/data/ui/alerts/snow_incident.html and add a new UI element for the field:

reachmevivek_4-1687447664142.png

0 Karma

krasimir_kv
Engager

Thank you, I managed to make it work on my Splunk instance thanks to your input. This is a really valuable article.

0 Karma