I have the below output from the Splunk query.
Hostname INC Number Urgency Time_CST Description
1 CMPS3 INC000013 3-Medium 03/31/20 09:22:31
2 USBTNBTRF INC000014 3-Medium 03/31/20 08:31:44
3 GQPCW INC000015 2-High 03/31/20 08:28:43
I have the incident number in the table.
How do I give a hyperlink for those incident numbers to my incident management URL specific to the incident?
Code that I use:
index=itsm sourcetype=remedy_midtier *Incident_Number* *Host:* NOT *-VO* NOT *WSG* NOT *IPA* NOT *ADS* NOT *-SEC* NOT "*WLNSGW*" AND ("*-LAN*" OR "*-WAN*" OR "*-APN*") AND "Node is down"
| search $timetestD$ | rex field=_raw "Incident_Number\W(?<ITSM_Number>.*)\W\WIncident_Number\W.*"
| rex field=_raw "(Host:\s)(?<Hostname>[^\.<]+\.)" | eval Hostname = upper(Hostname)
| rex field=_raw "(Urgency:\s)(?<Urgency>\S-\D*[{lmwh}$])"
| rex field=_raw "(AlertID:\s)(?<AlertID>[^\D*]+)"
| rex field=_raw "(Open\s:\s)(?<Description>[^\.*]+)"
| top limit=10000 Hostname, ITSM_Number, _time , Urgency, AlertID, Description |eval Hostname=replace(Hostname,"[.]","")
| dedup ITSM_Number | rename Hostname as nodelabel
| eval Time_CST=_time
| sort -Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| rename nodelabel as Hostname, ITSM_Number as "INC Number", AlertID as "Alert ID"
| table Hostname, "INC Number",Urgency, Time_CST, Description | eval Description=substr(Description,1,150)
|sort -Time_CST
Here's the way to figure that out.
1) Take your incident number (INC000013) from the output, and go to your incident management system. Enter that incident number.
2) Next, take the URL from the browser and copy the whole URL to a text editor. Let's say it looks like this:
http://my.whole.url.com/somesystem/somefolder?&GRC=INC000013&fubar=no&something="xxx";
3) Take that entire url, and put it into some test SPL, then add any escape characters needed. Make sure it comes out the same when you run it as the original you copied.
| makeresults
| eval myURL = "http:\/\/my.whole.url.com\/somesystem\/somefolder?&GRC=INC000013&fubar=no&something=\"xxx\""
4) Now do the same thing, but put the incident number in a different field and concatenate them to build the URL. Use the same name for that incident field as you are using in your other program.
| makeresults
| eval incident="INC000013"
| eval myURL = "http:\/\/my.whole.url.com\/somesystem\/somefolder?&GRC=".incident."&fubar=no&something=\"xxx\""
5) When that last line is making the exact URL you want, take the last line and put it into your other SPL, and you have what you want.
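The steps above applied to the field names in the question's search, as an added example that is not part of the original answer. The three rows are constructed sample data, the `^INC\d+$` pattern is an assumed incident-number format, and the URL is the answer's placeholder. Because `ITSM_Number` is captured with a greedy `.*`, the link is built only when the value is a clean incident number, and it is built before the rename to "INC Number", since a field name containing a space would need single quotes inside `eval`.

```spl
| makeresults count=3
| streamstats count AS n
| eval Hostname=case(n=1,"CMPS3", n=2,"USBTNBTRF", n=3,"GQPCW")
| eval ITSM_Number=case(n=1,"INC000013", n=2,"INC000014", n=3,"INC000015 trailing text")
| eval myURL=if(match(ITSM_Number,"^INC\d+$"), "http://my.whole.url.com/somesystem/somefolder?&GRC=".ITSM_Number."&fubar=no&something=\"xxx\"", null())
| rename ITSM_Number AS "INC Number"
| table Hostname, "INC Number", myURL
```

The third row fails the pattern and gets no `myURL`. In a dashboard panel, write the `$` in the pattern as `$$`, since a single `$` delimits tokens such as the question's `$timetestD$`.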