Splunk® Supported Add-ons

Splunk Add-on for BMC Remedy


Use custom streaming commands for the Splunk Add-on for BMC Remedy

The Splunk Add-on for Remedy includes four custom centralized streaming commands that let you create and update incidents:

  • remedyincidentcreatestream
  • remedyincidentupdatestream
  • remedyincidentcreatestreamrest
  • remedyincidentupdatestreamrest

    When you pipe events to one of these streaming commands, the command reads the piped events and then creates or updates incidents automatically in Remedy.

    Before you can use these commands, set up the Splunk Add-on for BMC Remedy and update the required fields in the remedy_fields.conf file to match the required fields in your Remedy installation.

    remedyincidentcreatestream streaming command

    Like the remedyincidentcreate custom generating search command, the remedyincidentcreatestream streaming command lets you create incidents in Remedy, provided that you include the required arguments. The required arguments are listed in the [create_incident] stanza of the remedy_fields.conf file. See Specify required fields for incidents for information.

    Because Remedy is highly customizable, when you run an incident create or update command from the Splunk platform, some fields in your Remedy incident may be populated based on form definitions and business rules set up in your Remedy system rather than the arguments supplied with the command.

    To add custom fields for incident creation, as defined in your BMC Remedy ITSM setup, pass them as arguments in the | remedyincidentcreatestream command. Make sure the fields are configured in your BMC environment and are present in the WSDL.

    Unlike the custom generating search commands, searches using the custom streaming search commands may create multiple incidents in Remedy. This occurs if the search string that you include before the streaming command returns multiple events. The number of events returned by a search that includes one of these streaming search commands equals the number of incidents created in Remedy.

    The following example search creates an incident when CPU usage is more than 95:

    sourcetype="CPURates" earliest=-5m latest=now | stats avg(CPU) as CPU last(_time) as time by host | where CPU>=95 | eval First_Name="Mary"  | eval Last_Name="Mann"  | eval Impact="1-Extensive/Widespread" | eval Reported_Source="Fax" | eval Service_Type="User Service Restoration" | eval Status="Assigned" | eval Urgency="1-Critical" | eval Summary="CPU on ". host ." is at ". CPU | eval Custom_Test_Field="Test field" | remedyincidentcreatestream
     

    remedyincidentupdatestream streaming command

    Like the remedyincidentupdate custom generating search command, the remedyincidentupdatestream streaming command lets you update incidents in Remedy, provided that you include the required arguments. The required arguments are listed in the [update_incident] stanza of the remedy_fields.conf file. See Specify required fields for incidents for information.

    Because Remedy is highly customizable, when you run an incident create or update command from the Splunk platform, some fields in your Remedy incident may be populated based on form definitions and business rules set up in your Remedy system rather than the arguments supplied with the command.

    To add custom fields for an incident update, as defined in your BMC Remedy ITSM setup, pass them as arguments in the | remedyincidentupdatestream command. Make sure the fields are configured in your BMC environment and are present in the WSDL.

    You can use the custom streaming command to update incidents only if they were created from the Splunk platform.

    The following example search updates an incident when CPU usage is more than 95:

    sourcetype="CPURates" earliest=-5m latest=now | stats avg(CPU) as CPU last(_time) as time by host | where CPU>=95 | eval Incident_Number="INC000000000001" | eval Status="Assigned" | eval Summary="CPU on ". host ." is at ". CPU | eval Custom_Test_Field="Test field updated" | remedyincidentupdatestream
    


    remedyincidentcreatestreamrest streaming command

    Like the remedyincidentcreaterest custom generating search command, the remedyincidentcreatestreamrest streaming command lets you create incidents in Remedy, provided that you include the required arguments. The required arguments are listed in the [create_incident_rest] stanza of the remedy_fields.conf file. See Specify required fields for incidents for information.

    Because Remedy is highly customizable, when you run an incident create or update command from the Splunk platform, some fields in your Remedy incident may be populated based on form definitions and business rules set up in your Remedy system rather than the arguments supplied with the command.

    To use custom fields in this command, pass them as ||-separated key-value pairs of field names and values in the --custom_fields argument. Every parameter passed in --custom_fields must first be configured in the BMC Remedy instance and must be present in the BMC Remedy incident form.

    There is a restriction on which fields can be provided directly. The fields which can be provided directly can be found here. In addition to the fields mentioned in the list, others need to be provided in the custom fields parameter.

    Unlike the custom generating search commands, searches using the custom streaming search commands may create multiple incidents in Remedy. This occurs if the search string that you include before the streaming command returns multiple events. The number of events returned by a search that includes one of these streaming search commands equals the number of incidents created in Remedy.


    Make sure you pass the --account parameter, with its value set to the name of an account configured on the Rest Account page.

    The following example search creates an incident when CPU usage is more than 95:

    sourcetype="CPURates" earliest=-5m latest=now | stats avg(CPU) as CPU last(_time) as time by host | where CPU>=95 | eval First_Name="Mary"  | eval Last_Name="Mann"  | eval Impact="1-Extensive/Widespread" | eval Status="Assigned" | eval Urgency="1-Critical" | eval Description="CPU on ". host ." is at ". CPU | eval account = "Account_1" | eval custom_fields="customfield1=value1||customfield2=value2" | remedyincidentcreatestreamrest
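
The search below is an added example, not part of the original Splunk documentation. Because each event that reaches remedyincidentcreatestream or remedyincidentcreatestreamrest becomes one incident, it caps the result set before the command runs; the limit of 5 is an arbitrary assumption, and the field values are reused from the example above.

```spl
sourcetype="CPURates" earliest=-5m latest=now
| stats avg(CPU) as CPU last(_time) as time by host
| where CPU>=95
| sort - CPU
| head 5
| eval First_Name="Mary" | eval Last_Name="Mann"
| eval Impact="1-Extensive/Widespread" | eval Status="Assigned" | eval Urgency="1-Critical"
| eval Description="CPU on ". host ." is at ". CPU
| eval account="Account_1"
| remedyincidentcreatestreamrest
```

Running the same search without the final command first shows exactly which rows would each become an incident.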
     

    remedyincidentupdatestreamrest streaming command

    Like the remedyincidentupdaterest custom generating search command, the remedyincidentupdatestreamrest streaming command lets you update incidents in Remedy, provided that you include the required arguments. The required arguments are listed in the [update_incident_rest] stanza of the remedy_fields.conf file. See Specify required fields for incidents for information.

    Because Remedy is highly customizable, when you run an incident create or update command from the Splunk platform, some fields in your Remedy incident may be populated based on form definitions and business rules set up in your Remedy system rather than the arguments supplied with the command.

    To use custom fields in this command, pass them as ||-separated key-value pairs of field names and values in the --custom_fields argument. Every parameter passed in --custom_fields must first be configured in the BMC Remedy instance and must be present in the BMC Remedy incident form.

    There is a restriction on which fields can be provided directly. The fields which can be provided directly can be found here. In addition to the fields mentioned in the list, others need to be provided in the custom fields parameter.

    Unlike the custom generating search commands, searches using the custom streaming search commands may create multiple incidents in Remedy. This occurs if the search string that you include before the streaming command returns multiple events. The number of events returned by a search that includes one of these streaming search commands equals the number of incidents created in Remedy.

    Make sure you pass the --account parameter, with its value set to the name of an account configured on the Rest Account page.

    The following example search updates an incident when CPU usage is more than 95:

    sourcetype="CPURates" earliest=-5m latest=now | stats avg(CPU) as CPU last(_time) as time by host | where CPU>=95 | eval "Incident Number"="INC000000014106"  | eval Status="Assigned" | eval Description="CPU on ". host ." is at ". CPU | eval account = "Account_1" | eval custom_fields="customfield1=value1||customfield2=value2" | remedyincidentupdatestreamrest
     
    Last modified on 19 March, 2024

    This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

