03-24-2025 04:34 AM - edited 03-25-2025 01:49 AM
We use Splunk SOAR to automate tasks for our Security Operations team. One of the integrations I'm working on is having SOAR run a query in ServiceNow via its REST API endpoints to retrieve information about tickets.
I'm currently running a sysparm_query API call using IR_AND_OR_QUERY along with a space-separated list of keywords:
https://instance.servicenow.com/api/now/table/incident?sysparm_query=IR_AND_OR_QUERY=10.1.2.3 eviluser^number!=T12345
This works well for individual keywords (10.1.2.3 and eviluser, in the example above). The IR_AND_OR_QUERY operator searches through the entire ticket and not just a specific column, and it will return tickets that have both keywords as well as tickets containing only one of the keywords.
Sometimes, though, I need to include a phrase instead of a single word. For example, if I need to check for tickets related to a specific user and/or their device, I'd need to search for Michael Oswald and XV11230543. I've tried putting quotes (both single and double) around Michael Oswald but it still looks at them as individual words and returns a list of any tickets containing Michael:
sysparm_query=IR_AND_OR_QUERY="Michael Oswald" XV11230543
I've also tried combining the LIKE operator in various ways, but that doesn't work either:
sysparm_query=IR_AND_OR_QUERY=LIKEMichael Oswald
I can sort of do it by dropping IR_AND_OR_QUERY and combining LIKE and ^OR, but then I'm limited to specific fields (afaik):
sysparm_query=short_descriptionLIKEMichael Oswald^ORshort_descriptionLIKEXV11230543
but I lose some of the functionality. I like that IR_AND_OR_QUERY looks through the entire ticket, and that it will first return tickets that have all of my keywords/phrases but can also return tickets with each keyword/phrase individually if it can't find the combo.
Is there a way I can do an IR_AND_OR_QUERY call on a set of keywords and phrases?
03-25-2025 05:31 AM - edited 03-25-2025 05:32 AM
Actually I take it all back - quotation marks do work! There was a problem with my initial testing queries - once I fixed those up, I realised that putting quotation marks around a set of keywords will force ServiceNow to treat them as a phrase and only return the results that contain all of the words. So this works correctly:
sysparm_query=IR_AND_OR_QUERY="Michael Oswald" XV11230543
Only tickets with "Michael Oswald" and/or XV11230543 are returned.
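Putting the accepted answer into a reusable helper, as an added example that is not part of the original thread (the instance host, the INC number and the search terms are placeholders, and the phrase-quoting behaviour is taken from the answer above, not from ServiceNow documentation): the function builds the IR_AND_OR_QUERY term list, double-quotes multi-word terms so they are matched as phrases, ANDs the number!= exclusion from the question, and URL-encodes the result so the query string reaches the Table API unchanged. Because the terms normally come from SOAR artifacts (IPs, user names, asset tags) that an attacker may have influenced, a term containing '^' (the clause separator in an encoded query) or '"' is rejected instead of being spliced into the query.

```python
"""Build and encode a ServiceNow Table API request that searches incidents
with IR_AND_OR_QUERY for a mix of single keywords and multi-word phrases.

Added example for this thread, not code from the original post or from
ServiceNow/Splunk. Assumptions: the instance host, ticket numbers and
search terms are placeholders; wrapping a multi-word term in double quotes
makes ServiceNow match it as a phrase (as the accepted answer reports);
'^' separates clauses in an encoded query, so it must not appear in a term.
"""
import base64
import json
import urllib.request
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def quote_term(term: str) -> str:
    """Return one IR_AND_OR_QUERY term, double-quoting multi-word terms so
    they are matched as a phrase rather than as separate keywords.

    Terms usually come straight from SOAR artifacts, i.e. from data an
    attacker may have influenced, so anything that could change the
    structure of the encoded query is rejected: '^' would start a new
    clause (e.g. '^ORactive=true') and a stray '"' would unbalance the
    phrase quoting.
    """
    cleaned = " ".join(term.split())  # collapse runs of whitespace
    if not cleaned:
        raise ValueError("empty search term")
    if "^" in cleaned or '"' in cleaned:
        raise ValueError(f"term contains query metacharacter: {term!r}")
    return f'"{cleaned}"' if " " in cleaned else cleaned


def build_sysparm_query(terms, exclude_number=None) -> str:
    """Join the terms into IR_AND_OR_QUERY=<t1> <t2> ... and, optionally,
    AND it with number!=<n> so the ticket that triggered the lookup is not
    returned as a hit on itself."""
    if not terms:
        raise ValueError("at least one search term is required")
    query = "IR_AND_OR_QUERY=" + " ".join(quote_term(t) for t in terms)
    if exclude_number:
        if "^" in exclude_number:
            raise ValueError(f"invalid ticket number: {exclude_number!r}")
        query += f"^number!={exclude_number}"
    return query


def build_incident_url(instance, terms, exclude_number=None,
                       fields=("number", "short_description"), limit=50) -> str:
    """Assemble the Table API URL. quote_via=quote keeps spaces as %20 and
    encodes '"', '^', '!' and '=' inside the sysparm_query value, so the
    server decodes exactly the query string built above."""
    params = {
        "sysparm_query": build_sysparm_query(terms, exclude_number),
        "sysparm_fields": ",".join(fields),
        "sysparm_limit": str(limit),
    }
    return f"https://{instance}/api/now/table/incident?" + urlencode(params, quote_via=quote)


def decode_sysparm_query(url: str) -> str:
    """Recover the sysparm_query value from a built URL, e.g. to check what
    the SOAR app actually sent when a search returns unexpected tickets."""
    return parse_qs(urlsplit(url).query)["sysparm_query"][0]


def fetch_incidents(url: str, user: str, password: str, timeout: int = 30):
    """Issue the GET with HTTP basic auth and return the 'result' list.
    Not exercised offline: it needs a reachable instance and a service
    account with read access to the incident table."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__":
    print(build_sysparm_query(["10.1.2.3", "eviluser"], exclude_number="T12345"))
    print(build_incident_url("instance.servicenow.com", ["Michael Oswald", "XV11230543"]))
```

The first print reproduces the working query from the question (`IR_AND_OR_QUERY=10.1.2.3 eviluser^number!=T12345`); the second shows the encoded form of the phrase search from the answer, with the double quotes arriving at the server as %22 and the space inside the phrase as %20 rather than being split by the SOAR HTTP client.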
03-24-2025 06:19 AM
Hi @MichaelO1327827 ,
Sharing with you how Script Includes work in ServiceNow. This lesson will help you build a deeper understanding of how to use Script Includes effectively with object-oriented programming principles. You'll gain full control over the parameters you pass in and the data you return—giving you the confidence and maturity to write clean, reusable, and scalable code.
03-24-2025 08:00 AM - edited 03-25-2025 02:57 AM
Thanks, but this doesn't help at all. It's not about API calls, sysparm_query cmds or IR_AND_OR_QUERY.
03-24-2025 04:59 PM
Can you elaborate, with screenshots please, on what you meant?
03-25-2025 01:50 AM
Sorry, I should've put more details into the original post. I've updated it now. Thanks for looking.