Hello,
I have installed the ServiceNow add-on app, and my ServiceNow administrator has followed all the steps needed on the ServiceNow side.
Using the alert action with the ServiceNow incident integration works fine and creates incidents in ServiceNow. However, there are only a limited number of fields we can define in the ServiceNow alert action; for example, we cannot define the field Impact, and ServiceNow auto-assigns the impact.
So I wanted to use a custom generating command that gives me the flexibility to generate the ServiceNow incident with additional fields as parameters. Here is my search (my alert condition: if a server's CPU exceeds 90%, raise a ServiceNow incident):
index=os host=* sourcetype=cpu cpu=all NOT(
[| inputlookup servers.csv
| where status="decom" OR status="complete blacklist" OR status="DC Outage"
| rename target as host
| table host])
| eval PercentCPULoad = 100 - pctIdle
| stats min(PercentCPULoad) as PercentCPULoad by host
| eval hostname=upper(mvindex(split(host,"."),0))
| where PercentCPULoad >= 90
| eval timestamp=strftime(now(),"%Y-%m-%d %H:%M:%S")
| eval Impact = 1
| snowincident --account "ServiceNow Dev" --category "Hardware" --correlation_id timestamp.":".hostname --impact 1 --state 1 --contact_type "Email" --short_description "Nishad - Splunk Created - CPU utilization is".PercentCPULoad." on ".hostname." Threshold - 90 <= ".PercentCPULoad." <=100" --assignment_group "Tools Testing Group" ci_identifier=hostname
However, this doesn't work and I get the error message below.
*Error in 'snowincident' command: This command must be the first command of a search.*
As per the Splunk documentation, there are certain steps that we need to carry out on the ServiceNow server to integrate with Splunk; my SNOW administrator confirmed that he has followed all the steps as per the documentation below.
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/ConfigureServiceNowtointegratewithSplunkEnterprise
Can you please suggest what is missing? For searching I am using the SNOW_TA app, and the command 'snowincident' is not detected.
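The fields the search above tries to set (impact, state, category, contact_type, correlation_id, assignment_group, CI) are all columns on ServiceNow's incident table, so they can be set directly through ServiceNow's REST Table API instead of the add-on's alert action or the snowincident command. The following is an added example written for this page, not code from the original post or from the Splunk add-on: it maps one Splunk result row (host, PercentCPULoad, timestamp) to an incident payload with those fields, and creates the incident only if no open incident with the same correlation_id already exists, so a re-firing alert does not open duplicate tickets. It assumes the Table API endpoint POST /api/now/table/incident with basic authentication, and that the query parameter sysparm_input_display_value=true lets a reference field such as assignment_group be supplied by display name. The instance URL, credentials and the FakeInstance stub are constructed so the block runs offline; against a real instance, pass credentials from the environment rather than embedding them in a saved search.

```python
"""Create ServiceNow incidents from Splunk search rows via the Table API.

Added example; assumes ServiceNow's REST Table API (POST /api/now/table/incident,
basic auth) and that sysparm_input_display_value=true accepts assignment_group
by display name. FakeInstance is a constructed offline stand-in.
"""
import base64
import json
import urllib.parse
import urllib.request

INCIDENT_PATH = "/api/now/table/incident"


def build_incident(row, threshold=90):
    """Map one Splunk result row to the incident fields the alert action cannot set."""
    hostname = row["host"].split(".")[0].upper()
    load = float(row["PercentCPULoad"])
    if load < threshold:
        raise ValueError(f"{hostname}: {load}% is below threshold {threshold}%")
    return {
        "category": "Hardware",
        "contact_type": "Email",
        "impact": "1",      # the field the alert action does not expose
        "urgency": "1",
        "state": "1",       # 1 = New on a default incident table
        "correlation_id": f"{row['timestamp']}:{hostname}",
        "short_description": (f"Splunk Created - CPU utilization is {load:.1f} on "
                              f"{hostname} Threshold - {threshold} <= {load:.1f} <= 100"),
        "assignment_group": "Tools Testing Group",   # display name, needs input_display_value
        "cmdb_ci": hostname,
    }


class TableAPI:
    """Minimal ServiceNow Table API client; `opener` defaults to urllib (HTTPS, verified)."""

    def __init__(self, instance_url, user, password, opener=None):
        self.base = instance_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.opener = opener or urllib.request.urlopen

    def _call(self, method, path, query=None, body=None):
        url = self.base + path + ("?" + urllib.parse.urlencode(query) if query else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=self.headers, method=method)
        with self.opener(req) as resp:
            return json.loads(resp.read().decode())["result"]

    def find_open(self, correlation_id):
        """Return open incidents already carrying this correlation_id (at most one)."""
        q = {"sysparm_query": f"correlation_id={correlation_id}^active=true",
             "sysparm_fields": "sys_id,number", "sysparm_limit": "1"}
        return self._call("GET", INCIDENT_PATH, query=q)

    def create(self, payload):
        return self._call("POST", INCIDENT_PATH,
                          query={"sysparm_input_display_value": "true"}, body=payload)


def create_or_reuse(api, payload):
    """Create the incident unless one is already open for the same correlation_id.
    Returns (incident number, created_now)."""
    existing = api.find_open(payload["correlation_id"])
    if existing:
        return existing[0]["number"], False
    return api.create(payload)["number"], True


class _Response:
    def __init__(self, raw): self.raw = raw
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def read(self): return self.raw


class FakeInstance:
    """Constructed in-memory ServiceNow stand-in so the example runs offline."""

    def __init__(self):
        self.incidents = {}   # correlation_id -> stored incident

    def __call__(self, req):
        query = dict(urllib.parse.parse_qsl(urllib.parse.urlparse(req.full_url).query))
        if req.get_method() == "POST":
            body = json.loads(req.data.decode())
            result = dict(body, number=f"INC{len(self.incidents) + 1:07d}")
            self.incidents[body["correlation_id"]] = result
        else:
            cid = query["sysparm_query"].split("^")[0].split("=", 1)[1]
            hit = self.incidents.get(cid)
            result = [{"sys_id": "stub", "number": hit["number"]}] if hit else []
        return _Response(json.dumps({"result": result}).encode())


if __name__ == "__main__":
    # Real use: TableAPI(os.environ["SNOW_URL"], os.environ["SNOW_USER"], os.environ["SNOW_PASSWORD"])
    api = TableAPI("https://dev.service-now.invalid", "splunk", "secret", opener=FakeInstance())
    row = {"host": "web01.example.com", "PercentCPULoad": "95.5",
           "timestamp": "2024-01-01 00:00:00"}          # constructed sample row
    print(create_or_reuse(api, build_incident(row)))   # created
    print(create_or_reuse(api, build_incident(row)))   # reused, same number
```

The correlation_id check is the piece a scheduled alert most needs: the search runs every interval, and without it every run above threshold opens another incident for the same host.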