About the commands, alert actions, and scripts available with the Splunk Add-on for ServiceNow
The Splunk Add-on for ServiceNow allows Splunk administrators or users with the admin_all_object capability to use the following features to create incidents and events in your ServiceNow instance:
- custom generating search commands
- custom alert actions
- alert-triggered scripts
- custom streaming search commands
You can also update the incidents that you created from the Splunk platform. Your ServiceNow administrator must upload the Splunk Integration application and configure integration with your Splunk platform instances.
You can use these commands, alert actions, or alert-triggered scripts only to update incidents that were created from the Splunk platform, not incidents created directly in ServiceNow.
Supported arguments for incidents
Three of the four incident-creation methods (the custom generating search command, the custom streaming search command, and the alert-triggered script) support the same search arguments.
Custom alert actions offer a subset of these arguments. See Use custom alert actions for details.
The following table describes each argument ServiceNow supports for incident creation or updates.

| Argument | Required | Type | Default | Description |
| --- | --- | --- | --- | --- |
| account | Yes | Quoted string | N/A | Account for which the incident is to be created. |
| | No | Quoted string | N/A | The category of the incident. |
| | No | Quoted string | N/A | A brief description of the incident. |
| | No | Quoted string | N/A | The method by which the incident was reported. |
| | No | Number | 3 | The urgency of the incident. For example: 1 - High |
| | No | Quoted string | "" | The subcategory of the incident. |
| | No | Number | 4 | The state of the incident. For example: 1 - New |
| | No | Quoted string | "" | The location of the incident. |
| | No | Number | 3 | The impact value of the incident. For example: 1 - High |
| | No | Number | 4 | The priority of the incident, determined by the impact and urgency values. For example: 1 - Critical |
| | No | Quoted string | "" | The name of the assignment group associated with the incident. |
| | No | Quoted string | The username of the ServiceNow user account used for integration. | Deprecated. You can specify a value for this parameter when creating an incident, but it has no effect. |
| ci_identifier | No | Quoted string | "" | The name or ID of a configuration item in your network. If you specify a configuration item name and it is not unique, the ServiceNow API picks one of the matching configuration items. |
| | No | Quoted string | "" | Comments about the incident. |
| | No | URL | "" | Customizable link to your Splunk platform search head, useful for providing a direct link back to the event containing the data relevant to the incident. The Splunk platform supplies a deep link for this field if you are creating an incident using the |
| correlation_id | No | UUID | UUID | A unique ID to support third-party application integration. It must consist only of alphanumeric characters, underscores (_), and hyphens (-). Leave it blank to let the Splunk Add-on for ServiceNow generate a unique ID for you. |
| | No | Quoted string | N/A | The custom fields that are configured on the ServiceNow instance. You can pass the custom fields and their values in the |
| | No | URL | Link to the search query that created the incident. | The URL that is populated in the Splunk Drilldown button in the ServiceNow incident UI. |
Update behavior for incidents
The search commands, custom alert actions, and alert-triggered scripts included in this add-on can be used to update incidents that you previously created from the Splunk platform.
- You must supply the account to which the incident pertains as well as the correlation_id assigned to the incident, in addition to the three recommended arguments.
- The value of account must match one of the accounts configured on the Configuration page of the Splunk Add-on for ServiceNow.
- The values of the three recommended arguments do not need to be identical to the values you supplied when creating the incident, so you can change them as part of your incident update.
- You do not need to provide optional arguments such as ci_identifier when you update an incident that you previously created with values supplied for those fields. You can update the values of these arguments as part of your incident update.
Supported arguments for events
Three of the four event-creation methods, the custom generating search command, custom streaming search command, and alert-triggered script, support the same search arguments. Custom alert actions offer a subset of these arguments. See Use custom alert actions for details.
The following table describes each argument ServiceNow supports for event creation. Note that events cannot be updated from the Splunk platform once they are created. The account, node, resource, type, and severity arguments are required.

| Argument | Required | Type | Default | Description |
| --- | --- | --- | --- | --- |
| account | Yes | Quoted string | N/A | Account for which the event is to be created. |
| node | Yes | Quoted string | N/A | The node, formatted to follow your organization's ITIL standards and mapping. If the node value matches a CI with the same host name, the event is automatically assigned to the matching CI. |
| resource | Yes | Quoted string | N/A | The resource, formatted to follow your organization's ITIL standards and mapping. For example, |
| type | Yes | Quoted string | N/A | The type, formatted to follow your organization's ITIL standards and mapping. For example, |
| severity | Yes | Number | N/A | The severity associated with the event. For example: 0 - Clear |
| | No | Quoted string | N/A | Deprecated. You can specify a value for this parameter when creating an event, but it has no effect. The source is set to |
| | No | Time | The time the event was created. | The timestamp of the event in UTC time in "YYYY-MM-DD hh:mm:ss" format. |
| | No | Quoted JSON string | N/A | JSON string that represents a configuration item in your network. |
| additional_info | No | Quoted string | "" | You can use this field to supply the URL of your Splunk search head. When you use the |
| description | No | Quoted string | N/A | A brief description of the event. |
If you include a URL using the additional_info argument, the search command or script wraps the URL in a JSON format dictionary and sends it to ServiceNow to include as "Additional Information" for the event. From ServiceNow, you can navigate back to the Splunk platform. ServiceNow also assigns a correlation ID and stores this information in the "Additional Information" field.
The following table describes the available commands and scripts, with a usage summary. Follow the links in each row for detailed information and examples.
| Method | Usage | Resulting tickets | Special requirements |
| --- | --- | --- | --- |
| | Create and update single ServiceNow incidents from the Splunk search interface. This returns all the information for the incident, including the Incident Number from the integration table. | | |
| | Create and update a single ServiceNow incident from the Splunk search interface. This returns all of the information for the incident, including the Incident Number and Incident Link from the Incident table. | 1 | None |
| | Create and update single or multiple ServiceNow incidents from saved searches or the Splunk search interface. | 1 or more | None |
| | Create and update single or multiple ServiceNow incidents from Splunk alerts using an alert-triggered script. | 1 or more | None |
| | Create single ServiceNow events from the Splunk search interface. | 1 | Requires Event Management plugin |
| ServiceNow Event Integration alert action | Create single or multiple ServiceNow events using an alert action. | 1 or more | Requires Splunk platform 6.3.X or later and Event Management plugin |
| | Create single or multiple ServiceNow events from saved searches or the Splunk search interface. | 1 or more | Requires Event Management plugin |
| | Create single or multiple ServiceNow events from Splunk alerts using an alert-triggered script. | 1 or more | Requires Event Management plugin |
The Splunk Add-on for ServiceNow supports auto-creation of incidents from Critical events.
When a Splunk platform user creates a ServiceNow event using a custom generating search command, a custom streaming search command, or an alert-triggered script, and the event has a severity of 1 ("Critical"):
- ServiceNow creates a corresponding incident automatically.
- ServiceNow looks up the URL in the additional_info field of the event. If a URL is provided, ServiceNow makes it available via the Splunk Drilldown button in the incident.
- ServiceNow generates a UUID for the event, stores it in the additional_info field, and assigns the corresponding incident the same correlation ID.
For example, if you enter the following generating search:
| snowevent --account "user1" --node "localhost" --resource "CPU" --type "Virtual Machine" --severity 1 --additional_info "https://localhost:8000" --description "Something bad happened"
ServiceNow automatically creates an incident with the following parameters:
- Splunk Drilldown URL: https://localhost:8000
- Correlation ID: Generated randomly
- Short description: Virtual Machine: localhost (CPU) - Something bad happened
- Category: Inquiry/help
- Contact type: Phone
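As an added example, not code from the add-on itself, the following Python parses the snowevent search above, applies the argument rules from the events table, and derives the incident fields ServiceNow produces for a severity-1 event; it also checks an update request against the rules under Update behavior for incidents. The "url" key used when wrapping additional_info is an assumption, since the page only says the URL is wrapped in a JSON dictionary.

```python
import json
import re
import shlex

# Constructed sample: the snowevent generating search shown in the documentation.
SAMPLE_SEARCH = ('| snowevent --account "user1" --node "localhost" --resource "CPU" --type "Virtual Machine" '
                 '--severity 1 --additional_info "https://localhost:8000" --description "Something bad happened"')
EVENT_REQUIRED = ("account", "node", "resource", "type", "severity")
CORRELATION_ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # alphanumerics, underscore, hyphen only

def parse_search(search):
    """Turn '| snowevent --name "value" ...' into a dict of argument name -> string value."""
    tokens = shlex.split(search.lstrip("| "))
    if not tokens or tokens[0] != "snowevent" or len(tokens) % 2 == 0:
        raise ValueError("not a well-formed snowevent search")
    names, values = tokens[1::2], tokens[2::2]
    if not all(n.startswith("--") for n in names):
        raise ValueError("argument names must start with --")
    return {n[2:]: v for n, v in zip(names, values)}

def validate_event(args):
    """Event contract from the table above: five required fields and a numeric severity."""
    problems = [f"missing required argument {k}" for k in EVENT_REQUIRED if k not in args]
    if not args.get("severity", "0").isdigit():
        problems.append("severity must be a number")
    return problems

def build_event_payload(args):
    """Wrap the additional_info URL in a JSON dict as the add-on does; the "url" key is assumed."""
    payload = dict(args, severity=int(args["severity"]))
    if "additional_info" in payload:
        payload["additional_info"] = json.dumps({"url": payload["additional_info"]})
    return payload

def auto_incident(payload):
    """Fields ServiceNow derives when it auto-creates an incident for a severity-1 (Critical) event."""
    if payload["severity"] != 1:
        return None  # events of any other severity do not create an incident
    url = json.loads(payload["additional_info"])["url"] if "additional_info" in payload else None
    short = f"{payload['type']}: {payload['node']} ({payload['resource']}) - {payload.get('description', '')}"
    return {"drilldown_url": url, "short_description": short}

def validate_incident_update(args, configured_accounts):
    """Update rules: account must be a configured account; correlation_id present and well-formed."""
    cid = args.get("correlation_id", "")
    checks = [(args.get("account") in configured_accounts, "account does not match an account on the Configuration page"),
              (bool(cid), "correlation_id is required to update an incident"),
              (not cid or CORRELATION_ID_RE.match(cid), "correlation_id may contain only alphanumerics, '_' and '-'")]
    return [msg for ok, msg in checks if not ok]
```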