Splunk® IT Service Intelligence

Administration Manual

Download manual as PDF

Download topic as PDF

notable_event_actions.conf

The following are the spec and example files for notable_event_actions.conf.

notable_event_actions.conf.spec

# This file contains attributes and values for taking actions on episodes
# in Episode Review.
#
# There is a notable_event_actions.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default/.
# To set custom configurations, place a notable_event_actions.conf in
# $SPLUNK_HOME/etc/apps/SA-ITOA/local/. You must restart Splunk to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles

GLOBAL SETTINGS


#  Use the [default] stanza to define any global settings.
#  * You can also define global settings outside of any stanza, at the top
#    of the file.
#  * Each conf file should have at most one default stanza. If there are
#    multiple default stanzas, attributes are combined. In the case of
#    multiple definitions of the same attribute, the last definition in the
#    file wins.
#  * If an attribute is defined at both the global level and in a specific
#    stanza, the value in the specific stanza takes precedence.

disabled = <boolean>
* Disable a notable event action by setting to 1.
* Optional.
* Default: 0

is_group_compatible = <boolean>
* Make an action available for episodes by setting to 1.
* Default: 1

is_bulk_compatible = <boolean>
* Make an action available for bulk episodes by setting to 1.
* Default: 0

run_bulk_action_iteratively = <boolean>
* If set to "1", bulk episode actions run iteratively rather than simultaneously.
* This value only takes effect if the 'is_bulk_compatible' setting is set to "1".
* For custom ServiceNow add-ons, this setting must be set to "1"  in order
  for bulk episode actions to function properly.
* Default: 0

[<action_name>]

* Each stanza represents an episode action. The action name
  is the type of action you want to configure.
* Options are email, script, itsi_sample_event_action_ping,
  itsi_event_action_link_ticket, snow_incident, and remedy_incident.

execute_in_sync = <boolean>
* If 1, ITSI executes the action synchronously.
* The UI notifies you when the action is truly complete, rather
  than requiring you to check back later to confirm.
* It is recommended that you set this value to 1 for an external
  ticket created by a Splunk custom search command or modular alert.
* Default: 0

execute_once_per_group = <boolean>
* If 1, ITSI executes the action exactly once in the case of a
  bulk action.
* In special cases (like if this alert action has 'type' set to "external_ticket"),
  the result of a refresh is associated with all the events in the group.
* Default: 0

type = <string>
* The type of action to take on the episode.
* Use this setting if you are creating a ServiceNow or Remedy ticket from
  an episode.
* The only supported value for this setting is "external_ticket",
  which creates a ticket in the external ticketing system you choose.
* If you set the value to "external_ticket", ITSI runs a refresh action
  right after execution.
* The attribute-value pairs below are applicable when 'type' is "external_ticket".

app_name = <string>
* The name of the app or app-on that runs the action.
* This settings is used to fetch the app version if the alt_command setting is configured.

alt_command_supported_version = <string>
* The version of the app or add-on that supports the alt_command setting, if configured.

alt_command = <string>
* A search command to execute the action instead of the specified action_name.

ticket_system_name = <string>
* The name of the external ticketing system in which to create the ticket.

relative_refresh_uri = <string>
* A relative URI for the search head where ITSI is installed.
* https://localhost:8089/ or something similar is prepended to the URI.
* ITSI constructs this link so you can navigate directly to the
  external ticket.
* ITSI issues a GET call on this URI and outputs JSON data.
* 'refresh_response_json_path' indicates the path to walk through the
  received JSON output.
* Do not change this from the default value or refresh will not work.

correlation_key = <string>
* Optional. The query parameter to be appended to 'relative_refresh_uri'.
* The parameter is also saved in the KV store collection that contains
  all created tickets.
* Do not change this from the default value or refresh will not work.
* Default: correlation_id

correlation_value = <string>
* The key in the raw notable event whose value to append
  to the refresh URI.
* If a 'correlation_key' exists, ITSI appends this value to the
  refresh URI instead.
* Do not change this from the default value or refresh will not work.
* Default: $result.event_id$

correlation_value_for_group = <string>
* The key in the episode whose value to append
  to the refresh URI.
* By default, ITSI uses the value corresponding to `itsi_group_id'.
* Do not change this from the default value or refresh will not work.
* Default: $result.itsi_group_id$

refresh_response_json_path = <string>
* Because the JSON output of 'relative_refresh_uri' can be nested and
  complex, this setting indicates the path to walk through the received output.
* Do not change this from the default value or refresh will not work.
* Default: entry.{0}.content

refresh_response_ticket_id_key = <string>
* After traversing the JSON path specified in 'refresh_response_json_path'
  and fetching a JSON blob, the key corresponding to the external ticket ID.
* Do not change this from the default value or refresh will not work.

refresh_response_ticket_url_key = <string>
* After traversing the JSON path specified in 'refresh_response_json_path'
  and fetching a JSON blob, the key corresponding to the external ticket URL.
* Do not change this from the default value or refresh will not work.

bulk_max = <string>
* The maximum number of episodes that this action can be executed on.
* Default: 25

send_first_event_only = <boolean>
* Flag to include only the first event when sending an episode to Phantom.
* If 1, ITSI sends the first event of an episode to Phantom. Otherwise, ITSI sends all events in the episode.
* Default: 1

splunk_itsi_get_notables_search_api_page_size=<int>
* The size of each page of results pulled from ITSI.
* Default: 50

phantom_artifacts_create_api_page_size=<int>
* The size of each page of results pushed to Phantom from ITSI.
* Default: 50

notable_event_actions.conf.example

# This is an example notable_event_actions.conf. Use this file to configure
# episode actions.
#
# To use one or more of these configurations, copy the configuration block
# into notable_event_actions.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local.  
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles
#
# This example alert includes running a script, sending an email, and 
# creating an incident in ServiceNow.

[email]
disabled = 0

[script]
disabled = 0

[snow_incident]
disabled = 0
type = external_ticket
execute_in_sync = 1
execute_once_per_group = 1

ticket_system_name = ServiceNow
relative_refresh_uri = /servicesNS/nobody/-/service_now_incident/snow_incident

correlation_key = correlation_id
* Refresh URI now becomes
  /servicesNS/nobody/-/service_now_incident/snow_incident?correlation_id

correlation_value = $result.event_id$
* Assuming we are dealing with an event whose event_id is 'myevent1234',
  the URI now becomes:
  /servicesNS/nobody/-/service_now_incident/snow_incident?correlation_id=myevent1234
* Final URI with output_mode:
  /servicesNS/nobody/-/service_now_incident/snow_incident?correlation_id=myevent1234&output_mode=json
* If there is no 'correlation_key' specified, the final URI looks like:
  /servicesNS/nobody/-/service_now_incident/snow_incident/myevent1234?output_mode=json

correlation_value_for_group = $result.itsi_group_id$
* When operating on an episode, we will use the value corresponding to 'itsi_group_id'
  as the correlation_id. Similar to correlation_value mentioned above.

refresh_response_json_path = entry{0}.content
* Assuming the JSON response looks like the following:
     {
       ...
       "entry": [
         {
           ...
           "content": {
             "number": "INC0047495",
             "url": "https://abc.service-now.com/incident.do?sysparm_query=correlation_id=myevent1234",
             ...
           }
         }
       ],
     ...
     }
  ... the path value is indicative of how to extract the ticket_id and ticket_url.

refresh_response_ticket_id_key = number
* After extracting the JSON blob we are interested in, which looks like the following:
     {
       ...
       "number": "INC0047495",
       "url": "https://abc.service-now.com/incident.do?sysparm_query=correlation_id=myevent1234"
     }
  ... 'number' is the value we are interested in.

refresh_response_ticket_url_key = url
* After extracting the JSON blob we are interested in, which looks like the following:
     {
       ...
       "number": "INC0047495",
       "url": "https://abc.service-now.com/incident.do?sysparm_query=correlation_id=myevent1234"
     }
  ... 'url' is the value we are interested in.
Last modified on 14 April, 2020
PREVIOUS
mad.conf 		  NEXT
notable_event_commonality.conf

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters