How itsi_notable_event_external_ticket lookup is b...

vsskishore · ‎09-02-2022

We have enabled Bidirectional correlation search for Service now in our ITSI, unfortunately itsi_notable_event_external_ticket lookup is not updating proper values. I couldn't find the saved search which is used to update the lookup to troubleshoot further.
Can some one tell me how itsi_notable_event_external_ticket lookup is being updated ?

michael_bates_1 · ‎02-21-2023

The lookup itsi_notable_event_external_ticket is updated when ITSI creates the external ticket.
If you search the audit records

`itsi_notable_audit_index` sourcetype=itsi_notable:audit

you will should, if the NEAP is creating the ticket, see events with fields like

   action_name: snow_incident
   activity: Action="snow_incident" executed.
   activity_type: Action Executed for Episode.

One of the fields is the search_command. Towards the end of the string you should see something like

sendalert "itsi_event_action_snow_wrapper" (I am using ServiceNow)

It is this alert wrapper that raises the ticket with SNOW, and updates the kvstore lookup with the returned values.

How itsi_notable_event_external_ticket lookup is being updated?

administration

configuration

other

troubleshooting

using ITSI

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...