Splunk Add-on for ServiceNow

Use custom streaming commands for the Splunk Add-on for ServiceNow

The Splunk Add-on for ServiceNow includes custom centralized streaming commands that allow you to create and update incidents and create events. These streaming commands are snowincidentstream and snoweventstream.

Before you can use these commands, see Configure ServiceNow to integrate with the Splunk platform.

Like the custom generating search commands and the alert-triggered scripts, the streaming commands allow you to create or modify incidents and create events in ServiceNow, provided that you include the required arguments. For incidents, these required arguments are category, short_description, and contact_type. For events, the required arguments are node, resource, type, and severity.

See About the commands and scripts for a table detailing all of the required and supported arguments.

You can use the custom streaming commands to update incidents only if they were created from the Splunk platform.

Unlike the custom generating search commands, but like the custom alert actions and the alert-triggered scripts, a search that uses a custom streaming command can create multiple events or incidents in ServiceNow. This happens whenever the search string before the streaming command returns more than one result: each result row that reaches the streaming command becomes one incident or event in ServiceNow, so the number of rows returned by the search equals the number of incidents or events created.

The following example search creates an incident when CPU usage is 95 or higher.

sourcetype="CPURates" earliest=-5m latest=now 
| stats avg(CPU) as CPU last(_time) as time by host 
| where CPU>=95 | eval contact_type="email" 
| eval ci_identifier=host | eval priority="1" 
| eval category="Software" | eval subcategory="database" 
| eval short_description="CPU on ". host ." is at ". CPU 
| snowincidentstream

The following example search closes the incident created by the previous search in ServiceNow version Eureka, where state 7 means Closed, when CPU usage drops below 15.

sourcetype="CPURates" earliest=-5m latest=now 
| stats avg(CPU) as CPU last(_time) as time by host 
| where CPU<15 | eval contact_type="email" 
| eval ci_identifier=host | eval state="7" 
| eval category="Software" | eval subcategory="database" 
| eval short_description="CPU on ". host ." is at ". CPU 
| snowincidentstream

The following search creates an event in ServiceNow when CPU usage is 95 or higher.

sourcetype="CPURates" earliest=-5m latest=now 
| stats avg(CPU) as CPU last(_time) as time by host 
| where CPU>=95 | eval node=host | eval resource="CPU" 
| eval type="CPUAlert" | eval severity=2 
| eval description="CPU on ". host ." is at ". CPU 
| snoweventstream
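The following search is an added example that is not part of the Splunk documentation or the add-on's own code. It applies the same snowincidentstream pattern to a security use case, password-guessing against a Linux host, and shows the two things the sections above ask you to get right: every required incident argument (category, short_description, contact_type) is set, and the stats ... by src clause collapses the raw failures into one row per source address, so the search opens one incident per attacking source rather than one per failed logon. The index name, sourcetype, rex pattern, thresholds, and the category and subcategory values are assumptions; category and subcategory must match choices that exist in your ServiceNow instance.

```spl
index=security sourcetype=linux_secure "Failed password" earliest=-15m latest=now
| rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src>\d+\.\d+\.\d+\.\d+)"
| stats count as failures dc(user) as users max(_time) as last_seen by src
| where failures>=50
| eval contact_type="email"
| eval category="Security" | eval subcategory="Authentication"
| eval priority=if(users>=10, "1", "2")
| eval ci_identifier=src
| eval short_description="Password guessing from ". src .": ". failures ." failures against ". users ." accounts in 15 minutes"
| snowincidentstream
```

If you schedule this search, match the schedule interval to the earliest=-15m window; a search that runs more often than its window is wide will see the same failures again on the next run and create a second incident for the same source.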

This documentation applies to the following versions of Splunk® Supported Add-ons: released
