- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-08-2025 05:08 AM - edited 04-08-2025 05:12 AM
Hi everyone. We use Splunk to create incident tickets in ServiceNow, and SOAR to automatically enrich the tickets with worknotes. In certain circumstances, we use an existing Correlation ID value in Splunk so that an older ticket is updated with new information, instead of creating a new ticket.
When Splunk updates a ticket, sometimes it will change the state to New (for example, if a ticket has already been resolved). When the SOAR automation runs on a ticket like this, I need to to figure out whether the ticket is completely New, or whether it has already been resolved and is now New again.
Is there a way to get the ticket history? Or maybe get information from the Metrics table that I see at the bottom of the ticket? The metrics table seems to keep track of all the changes to the ticket, and if I could pull that info from an API endpoint I'm sure I could parse through it to get what I need.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-08-2025 05:19 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-08-2025 05:19 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-08-2025 05:22 AM
Thank you! I've searched through the forum a number of times, but somehow I never saw that thread. It looks like just what I need.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-08-2025 05:23 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-09-2025 06:23 AM
Follow-up question. I'm able to pull the information that I need from the sys_history_line table. The problem is that if no one has looked at the ticket yet, the history set will not have been created. The automation writes worknotes, but those don't seem to trigger a history set generation - only if someone views/updates the ticket in the ServiceNow portal.
Is there a way to programmatically force a history set generation? Something I could run first, wait 5 minutes, and then query to get the history?
