Create Incident from SPLUNK to service now incident table

asoni · ‎09-20-2016

Hi All,

My requirement is integrate service now with SPLUNK tool. I have installed Service-now SPLUNK Addon and App in SPLUNK and also able to generate event and alert.

I checked splunk log and found alert post data to service now by using REST API call https://instancename.service-now.com/api/now/import/sn_si_incident_import.

In service now record is created in stage/source table but there is no import set number and this is the issue. Without any import set i can not move data in target table.

Other thing, is it possible to create incident in incident table from SPLUNK Alert? I have downloaded and commited "Splunk-Servicenow Integration" update set from service now store but REST API in SPLUNK is pointing to "sn_si_incident_import." table.

Your help will be much appreciated..

Thanks, Ajit

tomoneil · ‎09-20-2016

Ajit,

Your import into the SI Incident table should go through the import table if possible in case you want to do any transforms, but does not have to happen this way. Once the records are put into the import table, the import will automatically happen. You could modify the Splunk integration to change the table it imports into, but I highly suggest you do not do this as it will cause issues when they have an update, etc. Hope this helps.

Tom

asoni · ‎09-20-2016

Thanks Tom for your quick reply...

"sn_si_incident_import" is the import set table and target table for this is "sn_si_incident".

Here i have attached screenshot of issue. Please see portion under red rectangle, there should be import set number present but in my case it is empty.

OR if i need to change table in SPLUNK, how can i achieve this functionality?

camstone · ‎09-23-2016

Ajit,

I do not see a screenshot attached to your post, but I will try to see if I can help you. If you navigate directly to the table by typing "sn_si_incident_import.list" in your navigation search bar, do you see any records in this table? If you do see a record in this table, then splunk is committing transactions , and you will need to look at the transform history to see if it was skipped or ignored. If there are no records in the import table, then you will want to turn on web service debugging (via system property) and take a look at the system logs to see the inbound payload and ensure that the web service is actually hitting the system. If you can provide me more detail about what you are seeing in the import table I can try to further help you.

asoni · ‎09-23-2016

Please see attached screenshot..