Splunk® Supported Add-ons

Splunk Add-on for ServiceNow


Use custom generating search commands for the Splunk Add-on for ServiceNow

The Splunk Add-on for ServiceNow includes the custom generating search commands snowincident and snowevent. Before you can use these commands, see configure ServiceNow to integrate with the Splunk platform.

Use the snowincident custom generating search command

The snowincident custom generating search command creates or updates an incident in ServiceNow.

When you execute the command, Splunk software displays a table with information about the incident, including an Incident Link column containing a URL that you can use to navigate to the incident in ServiceNow.

You can also use this command to update existing incidents created by Splunk software. To update an existing incident, run the same search that you would run to create a new incident, but set new values for the arguments that you want to update. If you are using ServiceNow version Helsinki, Istanbul, Jakarta, Kingston, London, or Madrid, also supply the account and the correlation_id assigned to the incident, in addition to the three mandatory arguments: category, short_description, and contact_type. The values of the mandatory arguments do not need to match the values you used when you created the incident.

You cannot use this command to update incidents created in ServiceNow, only those created from the Splunk platform.

Run | snowincident --help to show the usage of this command. Arguments in brackets are not required.

usage: [-h] --account ACCOUNT --category CATEGORY --short_description
       SHORT_DESCRIPTION --contact_type CONTACT_TYPE
       [--urgency URGENCY] [--subcategory SUBCATEGORY]
       [--state STATE] [--location LOCATION]
       [--impact IMPACT] [--priority PRIORITY]
       [--assignment_group ASSIGNMENT_GROUP]
       [--opened_by OPENED_BY]
       [--ci_identifier CI_IDENTIFIER]
       [--comments COMMENTS] [--splunk_url SPLUNK_URL]
       [--correlation_id CORRELATION_ID]

The arguments comments, splunk_url, and correlation_id are supported for ServiceNow versions Helsinki, Istanbul, Jakarta, Kingston, London, and Madrid. The argument opened_by is deprecated in this release; providing a value for it has no effect.

See About the commands and scripts for a table detailing each of these arguments.

Example snowincident command that creates a new incident in ServiceNow version Helsinki, Istanbul, Jakarta, Kingston, London or Madrid

The following search creates an incident in ServiceNow version Helsinki, Istanbul, Jakarta, Kingston, London or Madrid, using the three additional arguments available only in those versions.

| snowincident --account "user" --category "Software" --contact_type "Phone"
--subcategory "Database" --short_description "CPU usage is high"
--ci_identifier "8214eb87c0a8018b7bd0919758dcc3c2"  --priority 1 --splunk_url "http://localhost:8000"
--comments "This is urgent and blocking, can somebody take a look ?"
--correlation_id "de305d51-15b4-411b-adb2-fb6b9e546013"

Example snowincident command that updates an existing incident in ServiceNow version Helsinki, Istanbul, Jakarta, Kingston, London or Madrid

The following search updates the incident created in the previous section by setting the state to 7 to close the incident. This search is for ServiceNow version Helsinki, Istanbul, Jakarta, Kingston, London or Madrid.


| snowincident --account "user" --category "Software" --contact_type "Phone" --short_description
"CPU usage is high -- new machine" --ci_identifier "9561ec54c0c0090e7db8579190dcd2d1"
--comments "Turns out this problem was on a different configuration item than we originally thought.
I corrected that in the ticket and I took care of the problem – everyone can go back to sleep now."
--state 7 --correlation_id "de305d51-15b4-411b-adb2-fb6b9e546013"

account is a mandatory parameter and must match one of the accounts configured on the Configuration page of the Splunk Add-on for ServiceNow. The correlation_id matches the original incident. The mandatory arguments category, contact_type, and short_description are present, but the values do not necessarily need to match the original incident. In this example, the short_description, the ci_identifier, and the state are all updated via this search.

Use the snowevent custom generating search command

The snowevent custom generating search command creates an event in ServiceNow.

When you execute the command, Splunk software displays a table with information about the event, including an Event Link column containing the URL that you can use to navigate to the event in ServiceNow.

Run | snowevent --help to view the usage, shown below. Arguments in brackets are not required.

usage: [-h] --account ACCOUNT --node NODE --resource RESOURCE --type TYPE
            --severity SEVERITY [--source SOURCE]
            [--time_of_event TIME_OF_EVENT]
            [--ci_identifier CI_IDENTIFIER]
            [--additional_info ADDITIONAL_INFO]
            [--description DESCRIPTION]

The argument source is deprecated. You can specify a value for this parameter when creating an event, but it has no effect. In all versions, the source is set to Splunk-.

See About the commands and scripts for a table detailing each of these arguments.

Example of a snowevent command that creates a new event

The search below creates a new event in ServiceNow.

| snowevent --account ACCOUNT --node "localhost" --resource "CPU" --type "Virtual Machine"
--severity 3 --additional_info "https://localhost:8000"
--description "CPU usage is high"
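The usage text printed by --help for both commands follows the argparse convention of bracketing optional arguments, and the page's update rules add a further requirement (correlation_id) that the usage text does not express. The following helper, an added example and not part of the Splunk Add-on for ServiceNow, parses those two usage strings into mandatory and optional argument sets, checks an argument dictionary against them (including the update rule for snowincident), and assembles the search string. Free-text values such as comments are double-quoted with embedded quotes and backslashes escaped, which is assumed to be the SPL quoting rule; integers are passed bare as in the page's own examples. The usage strings are the ones shown above; the argument values in the demonstration are constructed.

```python
import re

# Usage strings as printed by "| snowincident --help" and "| snowevent --help"
# (copied from the documentation page above).
SNOWINCIDENT_USAGE = """\
usage: [-h] --account ACCOUNT --category CATEGORY --short_description
       SHORT_DESCRIPTION --contact_type CONTACT_TYPE
       [--urgency URGENCY] [--subcategory SUBCATEGORY]
       [--state STATE] [--location LOCATION]
       [--impact IMPACT] [--priority PRIORITY]
       [--assignment_group ASSIGNMENT_GROUP]
       [--opened_by OPENED_BY]
       [--ci_identifier CI_IDENTIFIER]
       [--comments COMMENTS] [--splunk_url SPLUNK_URL]
       [--correlation_id CORRELATION_ID]
"""

SNOWEVENT_USAGE = """\
usage: [-h] --account ACCOUNT --node NODE --resource RESOURCE --type TYPE
            --severity SEVERITY [--source SOURCE]
            [--time_of_event TIME_OF_EVENT]
            [--ci_identifier CI_IDENTIFIER]
            [--additional_info ADDITIONAL_INFO]
            [--description DESCRIPTION]
"""


def parse_usage(usage):
    """Return (required, optional) long-option names from an argparse-style
    usage string. Bracketed options are optional; everything else is mandatory."""
    text = " ".join(usage.split())                 # join the wrapped lines
    optional = set(re.findall(r"\[--(\w+) [A-Z_]+\]", text))
    every = set(re.findall(r"--(\w+)", text))
    return every - optional, optional


def spl_quote(value):
    """Render a value as one SPL argument. Integers (priority, state, severity)
    are passed bare as in the page's examples; strings are double-quoted with
    embedded backslashes and double quotes escaped (assumed SPL escaping rule),
    so free text such as an incident comment cannot terminate its argument early."""
    if isinstance(value, int) and not isinstance(value, bool):
        return str(value)
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def validate_args(usage, args, update=False):
    """List the problems with an argument set; an empty list means it is valid.
    update=True applies the page's rule that updating an existing incident
    requires the correlation_id assigned to it."""
    required, optional = parse_usage(usage)
    problems = []
    missing = required - set(args)
    if missing:
        problems.append("missing mandatory argument(s): " + ", ".join(sorted(missing)))
    unknown = set(args) - required - optional
    if unknown:
        problems.append("unknown argument(s): " + ", ".join(sorted(unknown)))
    if update and not args.get("correlation_id"):
        problems.append("update requires the correlation_id of the original incident")
    return problems


def build_search(command, usage, args, update=False):
    """Build the full "| <command> ..." search string, refusing invalid input."""
    problems = validate_args(usage, args, update)
    if problems:
        raise ValueError("; ".join(problems))
    parts = [f"| {command}"]
    for name, value in args.items():
        parts.append(f"--{name} {spl_quote(value)}")
    return " ".join(parts)


if __name__ == "__main__":
    # Close the incident from the page's update example (constructed values).
    print(build_search("snowincident", SNOWINCIDENT_USAGE, {
        "account": "user", "category": "Software", "contact_type": "Phone",
        "short_description": "CPU usage is high -- new machine",
        "comments": 'Problem was on a different CI; say "done".',
        "state": 7, "correlation_id": "de305d51-15b4-411b-adb2-fb6b9e546013",
    }, update=True))
    # Create an event as in the page's snowevent example.
    print(build_search("snowevent", SNOWEVENT_USAGE, {
        "account": "ACCOUNT", "node": "localhost", "resource": "CPU",
        "type": "Virtual Machine", "severity": 3, "description": "CPU usage is high",
    }))
```

Because the mandatory and optional sets are read from the --help output rather than hard-coded, the same validator covers both commands, and a deprecated argument such as opened_by or source is still accepted (it appears in the usage) but has no effect, exactly as the page states.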
This documentation applies to the following versions of Splunk® Supported Add-ons: released