Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Use custom streaming commands for the Splunk Add-on for ServiceNow

The Splunk Add-on for ServiceNow includes custom centralized streaming commands that allow you to create and update incidents and create events. These streaming commands are snowincidentstream and snoweventstream.

Before you use these commands, configure ServiceNow to integrate with the Splunk platform. See Configure ServiceNow to integrate with the Splunk platform.

The streaming commands allow you to create or modify incidents and create events in ServiceNow, provided that you include the required arguments:

  • For incidents, the required argument is:
    • account
  • For events, the required arguments are:
    • account
    • node
    • resource
    • type
    • severity

See About the commands, alert actions, and scripts available with the Splunk Add-on for ServiceNow for a table detailing all of the required and supported arguments.

You can use the custom streaming commands to update incidents only if they were created from the Splunk platform.

Searches that use the custom streaming search commands can create multiple events or incidents in ServiceNow. This occurs if the search string that you include before the streaming command returns multiple events. The number of events returned by a search that includes one of these streaming search commands equals the number of incidents or events created in ServiceNow.

To use custom fields in the snowincident command, pass the custom fields and their values as ||-separated key-value pairs in the --custom_fields argument. Every parameter passed in --custom_fields must first be configured in the ServiceNow instance, in three places: the ServiceNow Incident table, the Splunk import set table (x_splu2_splunk_ser_u_splunk_incident), and the appropriate transform map. For example, u_affected_user and u_caller_id must be present in your ServiceNow incident table, present in the intermediate Splunk import set table (x_splu2_splunk_ser_u_splunk_incident), and mapped in the appropriate transform map.

The following example search creates an incident when CPU usage is 95 or higher.

sourcetype="CPURates" earliest=-5m latest=now
| stats avg(CPU) as CPU last(_time) as time by host
| where CPU>=95 | eval contact_type="email"
| eval ci_identifier=host | eval priority="1"
| eval category="Software" | eval subcategory="database"
| eval custom_fields="u_affected_user=nobody||u_caller_id=12345"
| eval short_description="CPU on ". host ." is at ". CPU ." which is  \"too\" high."
| eval account="user1"
| snowincidentstream

The following example search closes the above incident for a configured ServiceNow account when CPU usage drops below 15.

sourcetype="CPURates" earliest=-5m latest=now
| stats avg(CPU) as CPU last(_time) as time by host
| where CPU<15 | eval contact_type="email"
| eval ci_identifier=host | eval state="7"
| eval category="Software" | eval subcategory="database"
| eval short_description="CPU on ". host ." is at ". CPU. " which is  \"too\" high."
| eval account="user1"
| snowincidentstream

The following search creates an event in ServiceNow when CPU usage is 95 or higher.

sourcetype="CPURates" earliest=-5m latest=now
| stats avg(CPU) as CPU last(_time) as time by host
| where CPU>=95 | eval account="user" | eval node=host
| eval resource="CPU" | eval type="CPUAlert" | eval severity=2
| eval description="CPU on ". host ." is at ". CPU ." which is  \"too\" high."
| eval ci_identifier="k1=v1||k2=v2"
| eval custom_fields="u_affected_user=nobody||u_caller_id=12345"
| snoweventstream
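
Because each result row becomes one ServiceNow record and every custom field must already be configured in ServiceNow, it can help to check exported search results before wiring a search to a streaming command. The following Python sketch is an added example, not part of the add-on or of Splunk's documentation; the function names, the `max_records` cap, and the `CONFIGURED` allow-list are assumptions for illustration, and the `||` parsing is one reading of the format described above.

```python
# Added example (not Splunk's code): pre-flight check for rows headed to the streaming commands.
REQUIRED = {
    "snowincidentstream": {"account"},
    "snoweventstream": {"account", "node", "resource", "type", "severity"},
}

def parse_custom_fields(value):
    """Split 'k1=v1||k2=v2' into a dict; raise ValueError on a malformed pair."""
    fields = {}
    for pair in value.split("||"):
        key, sep, val = pair.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"malformed custom_fields pair: {pair!r}")
        fields[key] = val
    return fields

def preflight(command, rows, configured_fields, max_records=10):
    """Return a list of problems; an empty list means the rows look safe to send."""
    problems = []
    if len(rows) > max_records:  # one row == one incident or event in ServiceNow
        problems.append(
            f"{len(rows)} rows would create {len(rows)} ServiceNow records (cap {max_records})")
    for i, row in enumerate(rows):
        missing = sorted(a for a in REQUIRED[command] if row.get(a) in (None, ""))
        if missing:
            problems.append(f"row {i}: missing required argument(s): {', '.join(missing)}")
        if row.get("custom_fields"):
            try:
                custom = parse_custom_fields(row["custom_fields"])
            except ValueError as exc:
                problems.append(f"row {i}: {exc}")
                continue
            unknown = sorted(set(custom) - configured_fields)
            if unknown:
                problems.append(
                    f"row {i}: custom field(s) not configured in ServiceNow: {', '.join(unknown)}")
    return problems

# Constructed sample rows, shaped like the results of the example searches on this page.
SAMPLE_ROWS = [
    {"account": "user", "node": "web01", "resource": "CPU", "type": "CPUAlert",
     "severity": 2, "custom_fields": "u_affected_user=nobody||u_caller_id=12345"},
    {"account": "user", "node": "web02", "resource": "CPU", "type": "CPUAlert",
     "custom_fields": "u_affected_user=nobody||u_owner=ops"},
]
CONFIGURED = {"u_affected_user", "u_caller_id"}  # assumption: fields set up in ServiceNow

if __name__ == "__main__":
    for problem in preflight("snoweventstream", SAMPLE_ROWS, CONFIGURED):
        print(problem)
```
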
Last modified on 12 December, 2023

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

