Splunk® Supported Add-ons

Splunk Add-on for ServiceNow


Edit the display values for the ServiceNow API

Version 6.3.0 of the Splunk Add-on for ServiceNow deprecates support for configurations (extractions and Common Information Model (CIM) mappings) for events fetched through display_value=false.

The best practice is to set display_value to all, as it provides better performance. If you need to revert to the previous behavior of collecting the display values using lookups rather than directly from the API (setting display_value to false), perform the following steps:

  1. Enable the saved searches to generate the mapping lookups.
  2. On your data collection node, open or create $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/service_now.conf.
  3. Copy the snow_default stanza from default/service_now.conf and add it to local/service_now.conf if it does not already exist.
  4. In the snow_default stanza in local/service_now.conf, change the display_value=all parameter to display_value=false.
  5. Save the file.
  6. Open or create a local/props.conf file. If you are using a single search head, open or create the file in $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/props.conf. If you are using a search head cluster, create the props.conf file in the configuration bundle on the deployer: $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_snow/local/props.conf.
  7. Follow the instructions provided in the default props.conf file under each affected stanza to create a set of FIELDALIAS statements, and then blank out a corresponding set of LOOKUP statements. For example:
    [snow:incident]
    # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
    LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
    LOOKUP-location = cmn_location_list_lookup sys_id AS location OUTPUTNEW latitude, longitude, full_name AS location_name
    LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW user_name AS assignment_user_username, name AS assignment_user_name
    LOOKUP-user2 = sys_user_list_lookup sys_id AS caller_id OUTPUTNEW user_name AS user, name AS name
    LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
    LOOKUP-incident_state = incident_state_lookup state OUTPUTNEW incident_state_name
    
    # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
    FIELDALIAS-assignment_group_name =
    FIELDALIAS-incident_state_name =
    FIELDALIAS-affect_dest = 
    FIELDALIAS-assignment_user_name =
    FIELDALIAS-name =
    
    [snow:change_request]
    # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
    LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
    LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
    LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS user
    LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
    LOOKUP-change_state = change_state_lookup state OUTPUTNEW change_state_name
    
    # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
    FIELDALIAS-assignment_group_name =
    FIELDALIAS-assigned_to_name = 
    FIELDALIAS-user =
    FIELDALIAS-affect_dest =
    FIELDALIAS-change_state_name =
    
    [snow:change_task]
    # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
    LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
    LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
    LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS user
    LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
    LOOKUP-change_state = change_state_lookup state OUTPUTNEW change_state_name
    
    # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
    FIELDALIAS-assignment_group_name =
    FIELDALIAS-assigned_to_name =
    FIELDALIAS-user =
    FIELDALIAS-affect_dest =
    FIELDALIAS-change_state_name =
    
    [snow:problem]
    # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
    LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
    LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
    LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS name, user_name AS user
    LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
    LOOKUP-problem_state = problem_state_lookup problem_state OUTPUTNEW problem_state_name
    
    # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
    FIELDALIAS-assignment_group_name =
    FIELDALIAS-assigned_to_name =
    FIELDALIAS-name =
    FIELDALIAS-affect_dest =
    FIELDALIAS-problem_state_name =
    
    [snow:em_event]
    # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
    LOOKUP-severity_name = severity_lookup severity AS severity OUTPUTNEW severity_name AS severity_name
    
    # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-severity_name = " without quotes
    FIELDALIAS-severity_name =
    
  8. Save the file.
  9. If you are running a search head cluster, push the configuration bundle to the cluster members by running the following command on the deployer: splunk apply shcluster-bundle. This restarts the search-head cluster members, if needed. If you are running a single search head, restart it manually.
  10. Restart your data collection node.
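
A consistency check for the two local files edited above, as an added example that is not part of the add-on or of Splunk's documentation. It takes the text of local/service_now.conf and local/props.conf and reports any stanza where a LOOKUP line is still missing or commented out, or a FIELDALIAS override is not blank. Assumptions: the function names and sample text are constructed for illustration, the parser ignores backslash line continuations, and only the local files are examined, not the merged default and local configuration.

```python
# Added example (not Splunk's code). LOOKUP/FIELDALIAS names come from the page's props.conf excerpt.
_CHG = (["assignment_group", "user", "user2", "affect_dest", "change_state"],
        ["assignment_group_name", "assigned_to_name", "user", "affect_dest", "change_state_name"])
EXPECTED = {  # stanza: (LOOKUP-* that must be set, FIELDALIAS-* that must be blank)
    "snow:incident": (["assignment_group", "location", "user", "user2", "affect_dest", "incident_state"],
                      ["assignment_group_name", "incident_state_name", "affect_dest",
                       "assignment_user_name", "name"]),
    "snow:change_request": _CHG,
    "snow:change_task": _CHG,
    "snow:problem": (["assignment_group", "user", "user2", "affect_dest", "problem_state"],
                     ["assignment_group_name", "assigned_to_name", "name", "affect_dest",
                      "problem_state_name"]),
    "snow:em_event": (["severity_name"], ["severity_name"]),
}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; a blank value is kept as ''."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out settings do not count as present
        if line.startswith("[") and line.endswith("]"):
            stanza = conf.setdefault(line[1:-1], {})
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            stanza[key.strip()] = value.strip()
    return conf

def check_revert(service_now_text, props_text):
    """Return a list of problems; an empty list means the local files match the procedure."""
    snow = parse_conf(service_now_text).get("snow_default", {})
    if snow.get("display_value") != "false":
        return ["[snow_default] display_value is not false"]
    props, problems = parse_conf(props_text), []
    for stanza, (lookups, aliases) in EXPECTED.items():
        if stanza not in props:
            problems.append(f"[{stanza}] stanza missing")
            continue
        keys = props[stanza]
        problems += [f"[{stanza}] LOOKUP-{n} missing or commented out"
                     for n in lookups if not keys.get("LOOKUP-" + n)]
        problems += [f"[{stanza}] FIELDALIAS-{n} not blanked"
                     for n in aliases if keys.get("FIELDALIAS-" + n) != ""]
    return problems

# Constructed sample: the LOOKUP line was copied from default/props.conf but never uncommented.
SAMPLE_SNOW = "[snow_default]\ndisplay_value = false\n"
SAMPLE_PROPS = ("[snow:em_event]\n# LOOKUP-severity_name = severity_lookup severity AS severity "
                "OUTPUTNEW severity_name AS severity_name\nFIELDALIAS-severity_name =\n")
if __name__ == "__main__":
    print("\n".join(check_revert(SAMPLE_SNOW, SAMPLE_PROPS)))
```
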
Last modified on 12 December, 2023

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

