Splunk Search

How do I change the value of a field if a condition occurs?

diogenesloazeve
Engager

Hi community!

I'm using Splunk Enterprise to create dashboards with my client's ServiceNow incident information.

  1. My company only looks at tickets from assignment_group A.
  2. So, I have a ticket X that belongs to assignment_group A with Status "New".
  3. However, this ticket changed to assignment_group B and is no longer serviced by my company. As a result, in a second ServiceNow extraction, that ticket will not appear.

So, I need to create logic so that when this happens, Splunk changes the Status of ticket X to "Reassigned".

Does anyone know how to do this?
Thanks!

0 Karma

richgalloway
SplunkTrust

How does Splunk know this has happened?

---
If this reply helps you, Karma would be appreciated.
0 Karma

diogenesloazeve
Engager

Hi richgalloway!

The ticket X will already be in the index, as it entered as assignment_group A and Status New.
However, as ticket X will not appear in the next ServiceNow extraction, Splunk should only change the Status to Reassigned.

Is it possible to create such a rule?

0 Karma

richgalloway
SplunkTrust

I'm not sure my question was answered so I'll re-phrase it. What data does Splunk see that tells it the ticket was re-assigned?

---
If this reply helps you, Karma would be appreciated.
0 Karma

diogenesloazeve
Engager

In fact, there is no field to indicate this.
Basically, if I have a ticket in the index and it no longer appears in the new extractions, it must change the status to reassigned.

0 Karma

richgalloway
SplunkTrust

Still not clear on the detection method, but I want to ask: Do you expect to change the indexed data to reflect the new status? If so, that is not possible. Splunk does not allow indexed data to be changed at all.

---
If this reply helps you, Karma would be appreciated.
0 Karma

diogenesloazeve
Engager

Understood. So is there a way that when this happens, Splunk will create a new ticket with the same information and just change the status to reassigned?

0 Karma

richgalloway
SplunkTrust

And we're back to where we started. "when this happens" really needs to be a discrete event that Splunk can detect and then act on.

---
If this reply helps you, Karma would be appreciated.
0 Karma

diogenesloazeve
Engager

And is there a way to make Splunk detect an event like this?

0 Karma

shivanshu1593
Builder

That's what Rich is asking, my friend. Helping to clarify his question more: when the incident, let's name it INC001 for our example, gets reassigned from assignment_group A to assignment_group B in ServiceNow, does ServiceNow send some sort of event to Splunk saying that INC001 has been reassigned to a new group? If so, only then can we conjure up some SPL to help you change the assignment. If not, then it's not possible, cos there's no other way for Splunk to know if the assignment group of the Incident was changed.

Hope this helps you to clarify the doubts here.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

DalJeanis
SplunkTrust

So, will Splunk know that there has been an extraction that does not contain this incident? For instance, can you find the most recent extraction date, and if there is no record for that incident with that extraction date, then create a new record with the status as "reassigned"?

0 Karma
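One way to express the approach DalJeanis describes in SPL, as an added example that is not from any post in this thread. It assumes the ServiceNow extractions are indexed in `index=servicenow` with sourcetype `snow:incident`, that each extraction's events carry the extraction time as `_time`, and that the ticket id is in a field named `number`; the `assignment_group` and `Status` field names are the ones used in the question. The latest extraction time is computed over all incidents before filtering to group A, so an extraction in which no group-A ticket remains is still recognised as the latest one. Tickets whose last appearance is older than the latest extraction are reported with `Status` set to `Reassigned`, without modifying the indexed events.

```spl
index=servicenow sourcetype="snow:incident"
| eventstats max(_time) AS latest_extraction
| search assignment_group="A"
| stats max(_time) AS last_seen, latest(Status) AS Status, max(latest_extraction) AS latest_extraction BY number
| eval Status=if(last_seen < latest_extraction, "Reassigned", Status)
| convert ctime(last_seen) ctime(latest_extraction)
```

Run as a scheduled search, the result table can feed a dashboard panel directly, or be written to a summary index with `collect` if a persistent "Reassigned" record per ticket is wanted.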