Updating ServiceNow ticket using Splunk SOAR - problem with list field

MichaelO1327827
Giga Expert

I am trying to update an incident ticket automatically. One of the fields (u_vendor) is a list, not a simple string value, and it's not updating properly. This is the JSON that I am sending:

{"state":"-5","u_on_hold_type":"awaiting_vendor","u_vendor":{"link":"https://company.service-now.com/api/now/table/core_company/64768bdb1ba8f010e397dbd9dc4bcb8b","value":"64768bdb1ba8f010e397dbd9dc4bcb8b"},"u_vendor_ticket_number":"."}

The values I use for u_vendor.link and u_vendor.value are taken from existing tickets that had the fields filled out manually. But after I run the playbook, the u_vendor field remains blank while the other fields are correctly updated. When I check the ticket JSON, this is what it says:

"u_vendor": {"link": "https://company.service-now.com/api/now/table/core_company/{link=https://company.service-now", "value": "{link=https://company.service-now"}

I'm not sure how to update that field. Does anyone have any suggestions? Thanks so much.

1 REPLY

MichaelO1327827
Giga Expert

Just in case anyone stumbles across this with the same problem, I found a solution. I was making things more complicated than I needed to. I didn't need to try and send "link" and "value" fields; I only needed to use the sys_id value directly. So, instead of sending the JSON string that I wrote above, I only needed to send this:

{"state":"-5","u_on_hold_type":"awaiting_vendor","u_vendor":"64768bdb1ba8f010e397dbd9dc4bcb8b","u_vendor_ticket_number":"."}

and it worked fine. I also updated the assigned_to field in the same way. I've heard that you could use the email address in assigned_to instead of the sys_id, but I can't verify that.
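
As an added example (not part of the original post, and not ServiceNow or Splunk code): a Python helper that converts link/value objects copied from an existing ticket into the bare sys_id form described in the reply, and rejects values such as the corrupted one shown in the question. The names `flatten_reference_fields` and `build_update_body` are hypothetical, and the check assumes a sys_id is a 32-character hexadecimal string.

```python
import json
import re

# Assumption: a ServiceNow sys_id is a 32-character hexadecimal string.
SYS_ID_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def flatten_reference_fields(payload):
    """Replace {"link": ..., "value": ...} objects with the bare sys_id string.

    Hypothetical helper; raises ValueError if a reference value is not a sys_id.
    """
    cleaned = {}
    for field, value in payload.items():
        if isinstance(value, dict):
            # Reference fields copied from an existing ticket look like this.
            sys_id = value.get("value")
            if not isinstance(sys_id, str) or not SYS_ID_RE.match(sys_id):
                raise ValueError(f"{field}: {sys_id!r} is not a sys_id")
            value = sys_id
        cleaned[field] = value
    return cleaned


def build_update_body(raw_json):
    """Parse an update string and return the compact JSON body to send."""
    fields = flatten_reference_fields(json.loads(raw_json))
    return json.dumps(fields, separators=(",", ":"))


# The update string from the question, with u_vendor as a link/value object.
QUESTION_BODY = (
    '{"state":"-5","u_on_hold_type":"awaiting_vendor",'
    '"u_vendor":{"link":"https://company.service-now.com/api/now/table/'
    'core_company/64768bdb1ba8f010e397dbd9dc4bcb8b",'
    '"value":"64768bdb1ba8f010e397dbd9dc4bcb8b"},'
    '"u_vendor_ticket_number":"."}'
)

if __name__ == "__main__":
    print(build_update_body(QUESTION_BODY))
```

Run against the string from the question, it produces the same body the reply reports as working; failing on a malformed reference before the request is sent avoids a silently blank field on the ticket.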