Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Use alert-triggered scripts for the Splunk Add-on for ServiceNow

The Splunk Add-on for ServiceNow can create incidents and events in ServiceNow, and update incidents there, from scripts that Splunk alerts trigger.

Before you use these scripts, complete the steps in Configure ServiceNow to integrate with the Splunk platform.

Each result row returned by the alert's search becomes one incident or event in ServiceNow, so the number of rows the search returns equals the number of tickets created. A search that returns several rows creates several tickets. Aggregate the results (for example, with stats ... by host, as in the examples below) so that each row corresponds to exactly one ticket you intend to raise.

Create an incident or event from an alert using the snow_incident.py or snow_event.py script

You can create an incident or event based on an alert.

  1. In Splunk Web, click Settings > Searches, Reports, and Alerts.
  2. Click New.
  3. Set the Destination app to Splunk Add-on for ServiceNow (Splunk_TA_snow).
  4. Enter a Search name that describes the alert you want to create.
  5. Enter a Search that meets the following criteria:
    • To create an incident, the search must return the account, category, short_description, and contact_type fields. account identifies the ServiceNow instance on which the incident is to be created and must name an account configured in the add-on. ServiceNow requires the other three fields to create an incident.
    • To create an event, the search must return the account, node, resource, type, and severity fields. account identifies the ServiceNow instance on which the event is to be created. ServiceNow requires the other four fields to create an event.
    • The search can also return any of the optional arguments that ServiceNow incident or event creation supports. See About the commands and scripts for a table describing each argument.
    • The search must produce tabular results: end it with a table command that lists the fields to pass. The Splunk platform passes each result row to the script, and the script creates one incident or event per row.

    The following search is an example that demonstrates how to trigger the script to create an incident when the average CPU usage of a host over the last five minutes is 95 or higher:
    sourcetype="CPURates" earliest=-5m latest=now 
    | stats avg(CPU) as CPU last(_time) as time by host 
    | where CPU>=95 | eval contact_type="email" 
    | eval ci_identifier=host 
    | eval priority=1 | eval category="Software" 
    | eval subcategory="database" 
    | eval short_description="CPU on ". host ." is at ". CPU 
    | eval account="user1"
    | table account, category, subcategory, short_description, contact_type, ci_identifier, priority
    The following search is an example that demonstrates how to trigger the script to create an event under the same condition:

    sourcetype="CPURates" earliest=-5m latest=now 
    | stats avg(CPU) as CPU last(_time) as time by host 
    | where CPU>=95 | eval node=host | eval resource="CPU" 
    | eval type="CPUAlert" | eval severity=2 
    | eval description="CPU on ". host ." is at ". CPU 
    | eval account="user1"
    | table account, time, severity, node, resource, type, description
    
  6. Under Schedule and alert, click Schedule this search.
  7. Select values for Schedule type, Run every, Expiration, and Severity according to your alert requirements.
  8. Under Alert actions, check the box next to Enable under Run a script.
  9. Enter the name of the script in File name of shell script to run.
    • For an incident, enter snow_incident.py
    • For an event, enter snow_event.py
  10. Click Save.

Update an incident from an alert using the snow_incident.py script

Follow the same procedure to update an incident from an alert as you would to create an incident from an alert.

account is required and identifies the ServiceNow instance on which the incident is to be updated. The correlation_id field is also required: it identifies the existing incident to update.

You can update an incident from an alert-triggered script only if the incident was created from the Splunk platform. Incidents created directly in ServiceNow cannot be updated this way.

The following example search demonstrates how you can trigger the script to update a previously created incident when the average CPU usage of a host drops below 15. It sets state to 7 (Closed) and targets the ServiceNow Eureka release. The table command must list every field the search sets for ServiceNow, including state and ci_identifier, as well as correlation_id: the example does not show where the correlation_id value comes from, so populate that field with the correlation ID of the incident the creating alert produced.

sourcetype="CPURates" earliest=-5m latest=now 
| stats avg(CPU) as CPU last(_time) as time by host 
| where CPU<15 | eval contact_type="email" 
| eval ci_identifier=host | eval state="7" 
| eval category="Software" | eval subcategory="database" 
| eval short_description="CPU on ". host ." is at ". CPU 
| eval account="user1"
| table account, correlation_id, state, category, subcategory, short_description, contact_type, ci_identifier
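The following Python script is an added example that illustrates both the create procedure above and the update procedure; it is not code from the add-on or from this page. It shows what an alert-triggered script actually receives (Splunk hands a legacy run-a-script alert action its results as a gzipped CSV whose path is the script's eighth argument) and checks, before anything reaches ServiceNow, that every row carries the fields this topic lists as required for the chosen script, and how many tickets the alert would raise per account. The required-field sets are the ones documented above; the results file the script writes when run without Splunk's arguments is constructed sample data; what the add-on's own snow_incident.py does with the rows is not modelled.

```python
"""Pre-flight check for alert-triggered ServiceNow scripts (added example).

Splunk passes a legacy "run a script" alert action its results as a
gzipped CSV whose path is argument 8 (sys.argv[8]). This checker loads
that file, verifies that every row carries the documented required
fields for the chosen mode, and reports how many tickets would be raised.
"""
import csv
import gzip
import io
import os
import sys
import tempfile

# Fields this topic lists as required for each script / mode.
REQUIRED_FIELDS = {
    "incident": ("account", "category", "short_description", "contact_type"),
    "event": ("account", "node", "resource", "type", "severity"),
    "incident_update": ("account", "correlation_id"),
}


def load_results(path):
    """Read the gzipped CSV Splunk hands to an alert script into row dicts."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def validate_rows(rows, mode):
    """Return {row_index: [missing_or_empty_fields]} for rows that fail.

    A column that exists but is empty counts as missing: Splunk emits the
    column for every row once any row has it, so an empty cell is the
    usual symptom of an eval that did not apply to that host.
    """
    required = REQUIRED_FIELDS[mode]
    failures = {}
    for i, row in enumerate(rows):
        missing = [f for f in required if not (row.get(f) or "").strip()]
        if missing:
            failures[i] = missing
    return failures


def tickets_by_account(rows):
    """Count rows per ServiceNow account: each row becomes one ticket."""
    counts = {}
    for row in rows:
        acct = row.get("account", "")
        counts[acct] = counts.get(acct, 0) + 1
    return counts


def preflight(path, mode):
    """Load, validate and summarise; returns (ok, failures, counts)."""
    rows = load_results(path)
    failures = validate_rows(rows, mode)
    return (not failures, failures, tickets_by_account(rows))


def write_sample_results(path=None):
    """Write a constructed results file: two hosts over threshold, one of
    them missing contact_type. Returns the path written."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".csv.gz")
        os.close(fd)
    header = ["account", "category", "subcategory", "short_description",
              "contact_type", "ci_identifier", "priority"]
    rows = [
        ["user1", "Software", "database", "CPU on db01 is at 97.2", "email", "db01", "1"],
        ["user1", "Software", "database", "CPU on db02 is at 95.5", "", "db02", "1"],
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    writer.writerows(rows)
    with gzip.open(path, "wt", newline="") as fh:
        fh.write(buf.getvalue())
    return path


if __name__ == "__main__":
    # Under Splunk, sys.argv[8] is the results file; stand-alone, use the sample.
    if len(sys.argv) > 8:
        results_path = sys.argv[8]
    else:
        results_path = write_sample_results()
    # Assumed convention for this example: choose the mode to check here.
    mode = "incident"
    ok, failures, counts = preflight(results_path, mode)
    print("tickets per account:", counts)
    print("ok" if ok else "rows with missing required fields: %r" % failures)
    sys.exit(0 if ok else 1)
```

To dry-run a real alert, point the script at the results file of a finished search (under $SPLUNK_HOME/var/run/splunk/dispatch/<sid>/results.csv.gz, where <sid> is the search ID of one run of the alert) or invoke it with the same arguments Splunk passes to the run-a-script action. Switch mode to "incident_update" to confirm the correlation_id column is populated before wiring the update alert to snow_incident.py.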
Comments

Thanks Gcato for writing to the Splunk documentation team (and for providing that helpful Splunk>Answers link!)

We are actively working on an update to the ServiceNow add-on, and I'll add this to the list of documentation enhancements for the upcoming release.

Myu splunk, Splunker
April 9, 2018

The alert-triggered scripts only worked for me when configured under the context of the Splunk_TA_snow app (Splunk v6.4.8 & Splunk_TA_snow v2.8.0).

See the following Splunk Answers post for a solution to have the alert-triggered scripts work under your own app.

https://answers.splunk.com/answers/597366/problem-with-alert-triggered-scripts-for-serviceno.html?childToView=637782#answer-637782

Gcato
April 6, 2018
