Create Incident from Splunk in ServiceNow incident table
‎09-20-2016 05:22 AM
Hi All,
My requirement is to integrate ServiceNow with the Splunk tool. I have installed the ServiceNow Splunk Add-on and App in Splunk and am also able to generate events and alerts.
I checked the Splunk log and found that the alert posts data to ServiceNow using the REST API call https://instancename.service-now.com/api/now/import/sn_si_incident_import.
In ServiceNow the record is created in the staging/source table, but there is no import set number, and this is the issue. Without an import set I cannot move data into the target table.
Another thing: is it possible to create an incident in the incident table from a Splunk alert? I have downloaded and committed the "Splunk-ServiceNow Integration" update set from the ServiceNow store, but the REST API in Splunk is pointing to the "sn_si_incident_import" table.
Your help will be much appreciated.
Thanks, Ajit
‎09-23-2016 09:04 AM
I see the issue, but I am not able to replicate it in my instance. I used SoapUI to send in a simulated Splunk alert and I received a correct import set listed in my table.
Can you try to manually insert a record in that table by using the New button? If your manual record does not have an import set number, then the integration is not the issue, and I would take a look at any system log entries to see if there are any errors around the import set table.
Have you modified the transform map associated with this table at all? Or are there multiple Transform maps being used?
The only information I could find related to this issue was due to an upgrade and multiple transform maps on one import set table, but the issue was resolved multiple versions ago. This type of issue may warrant a HI support ticket since it seems to not be functioning as expected.
‎09-27-2016 01:19 AM
Thanks Cameron for your input. I am able to generate an import set number after granting the import_admin, import_set_loader and import_transformer roles to the user I am using for the integration. And I can see this is creating a security incident.
Is there any way to create an incident directly in the incident table from a Splunk alert? I have configured the required customization in ServiceNow as well as on the Splunk side and am trying to create an incident, but there is no luck.
Please help here. Your kind help will be appreciated.
Thanks, Ajit
‎09-27-2016 01:27 PM
Ajit,
If you would like to create an Incident instead of a Security Incident, you will need to create a new import set table (Inbound Web Service -> Create new); the destination table needs to be Incident, and you can check the box that states "Copy all fields from Destination table". This will build a new import set table and a transform map to the incident table.
Once you have the new web service built you can access it via:
https://instance.service-now.com/api/now/import/<your_new_importset_table>
From there you will need to update Splunk to point at the new endpoint you defined above, and it should map through.
Alternatively: you might be able to adjust the transform map for "sn_si_incident_import" to point the destination at the incident table instead of the security incident table, but I have not had a chance to look into this yet.
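The exchange above describes a POST to the Import Set API and the symptom of a staging row with no import set number. The following is an added example (not code from the Splunk add-on, the store update set, or any poster) that builds such a request for a staging table whose transform map targets Incident, and checks the API reply for the import set number and a transformed target record. The instance name, the staging table `u_splunk_incident`, its `u_*` column names, the credentials and the sample reply are all placeholders or constructed values.

```python
"""Post an alert to a ServiceNow Import Set REST endpoint and verify the reply.

Added example for this thread; it is not the Splunk add-on's code nor the
update set's. Assumed (placeholder) values: the instance name, the staging
table name, the staging column names and the credentials. The request shape
follows the Import Set API described in the thread:
POST https://<instance>.service-now.com/api/now/import/<staging_table>.
"""
import base64
import json
import urllib.request

# Placeholder instance and a hypothetical staging table whose transform map
# targets 'incident' (the thread's sn_si_incident_import targets security incident).
SN_INSTANCE = "instancename"
STAGING_TABLE = "u_splunk_incident"


def import_endpoint(instance, staging_table):
    """URL of the Import Set API for one staging table."""
    return f"https://{instance}.service-now.com/api/now/import/{staging_table}"


def alert_to_record(alert):
    """Map a Splunk alert (dict) onto staging-table columns.
    Column names are hypothetical; they must match the staging table's fields
    so the transform map can carry them to the target table."""
    return {
        "u_short_description": alert["search_name"],
        "u_description": alert.get("results_link", ""),
        "u_severity": str(alert.get("severity", 3)),
        "u_source": "splunk",
    }


def build_import_request(instance, staging_table, record, user, password):
    """Build the POST without sending it, so the payload can be inspected offline.
    The account should hold only the import roles the thread names
    (import_set_loader / import_transformer), not admin."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        import_endpoint(instance, staging_table),
        data=json.dumps(record).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        },
    )


def request_summary(req):
    """Plain-dict view of a built request (used for checks and tests)."""
    return {
        "url": req.full_url,
        "method": req.get_method(),
        "body": json.loads(req.data.decode("utf-8")),
        "auth_scheme": req.get_header("Authorization", "").split(" ")[0],
    }


def send(req, timeout=15):
    """Send the request and decode the JSON reply (needs network; not used offline)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_import_result(response):
    """Return (ok, message). The thread's symptom was a staging row with no
    import set number, meaning the transform map never ran; a healthy reply
    names the import set and the inserted/updated target record."""
    import_set = response.get("import_set")
    if not import_set:
        return False, "no import set number: row reached staging but was not transformed"
    rows = response.get("result", [])
    if not rows:
        return False, f"{import_set}: transform map produced no target rows"
    bad = [r for r in rows if r.get("status") not in ("inserted", "updated")]
    if bad:
        return False, f"{import_set}: {bad[0].get('status')} - {bad[0].get('error_message', 'no detail')}"
    r = rows[0]
    return True, f"{import_set} -> {r.get('table')} {r.get('display_value')} ({r['status']})"


# Constructed sample reply shaped like an Import Set API response (not captured from a real instance).
SAMPLE_OK_RESPONSE = {
    "import_set": "ISET0010001",
    "staging_table": STAGING_TABLE,
    "result": [{
        "transform_map": "Splunk to Incident",
        "table": "incident",
        "display_name": "number",
        "display_value": "INC0010042",
        "status": "inserted",
        "sys_id": "00000000000000000000000000000000",
    }],
}
# Constructed reply for the failure described in the thread: staging row, no import set.
SAMPLE_NO_ISET_RESPONSE = {"staging_table": STAGING_TABLE, "result": []}

if __name__ == "__main__":
    alert = {"search_name": "Failed logon spike", "severity": 2}  # constructed Splunk alert
    req = build_import_request(SN_INSTANCE, STAGING_TABLE, alert_to_record(alert), "svc_splunk", "CHANGE-ME")
    print(request_summary(req))
    print(check_import_result(SAMPLE_OK_RESPONSE))
    print(check_import_result(SAMPLE_NO_ISET_RESPONSE))
```

Keeping request construction separate from sending lets the endpoint, body and auth scheme be verified before any credentials are used against a live instance, and `check_import_result` turns the "no import set number" symptom from the thread into an explicit failure rather than a silently orphaned staging row.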
‎09-28-2016 07:36 AM
Thanks Cameron, for your guideline.
I do have an import set table (u_splunk_inciden) that's included in the update set (Splunk-ServiceNow Integration) which I downloaded from the ServiceNow store.
How can I update Splunk to point to the new endpoint? I tried in Splunk but did not find anyplace to update the endpoint.
Regards, Ajit
‎10-04-2016 05:37 AM
Ajit,
I was just reviewing our documentation on the integration and it apparently does not allow you to change the endpoint URL. I will have to load up a copy of Splunk on my VM and see if there is a simple way.
One quick way to alter the destination is to update the target table in the transform map to point at the Incident table instead of Security Incident, but you would have to re-map a lot of the transform map fields to make this happen.