Create a multi-record, custom field Splunk alert

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 1 minute
  • To create a multi-record Splunk alert with custom fields, you must build a search whose result fields are named to match the ServiceNow columns you want to populate; each row the search returns becomes one ServiceNow record.

    Before you begin

    Role required: sn_si.admin

    Procedure

    1. Navigate to Search.
    2. In the Search box, create a search that generates your record data.
      See the examples for recommended search criteria.
    3. Click Save As and select Alert.
    4. Set the name, permissions, and schedule, as needed.
    5. Click Add Actions.
    6. Make one of the following selections.
      • To create one event per result from your search, select Create Multiple ServiceNow Security Events.
      • To create one incident per result from your search, select Create Multiple ServiceNow Security Incidents.
    7. Set any defaults, as needed.
      If a field is blank or not present in a search result, the default is used for that field. If the result contains a value for the field, that value overrides the default.
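The following Splunk search is an added example of the kind of search step 2 asks for; it is not from the original page or from ServiceNow. It aggregates failed SSH logins into one row per source IP, so the alert action creates one security incident per attacking host rather than one per log line. The index, sourcetype, regex, thresholds and the ServiceNow column names (short_description, description, priority, category) are assumptions; confirm the column names and the backend values of any choice field such as category against your own instance before relying on them.

```spl
/* Added example, not from the page. index, sourcetype and the field
   extraction below are assumptions about the log source. */
index=auth sourcetype=linux_secure "Failed password"
| rex "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\d+\.\d+\.\d+\.\d+)"

/* One row per source IP: the alert action creates one record per row,
   so aggregate here rather than emitting every raw event. */
| stats count AS failed_attempts,
        min(_time) AS first_seen,
        max(_time) AS last_seen,
        values(host) AS target_host,
        dc(user) AS distinct_users
  BY src_ip
| where failed_attempts >= 50

/* Fields named after the ServiceNow columns they should populate
   (assumed column names; verify them on the target table). */
| eval short_description="SSH brute force from ".src_ip." (".failed_attempts." failures)"
| eval description="Source ".src_ip." produced ".failed_attempts." failed SSH logins for "
        .distinct_users." distinct users against ".mvjoin(target_host, ", ")
        ." between ".strftime(first_seen, "%Y-%m-%d %H:%M:%S")
        ." and ".strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| eval priority=if(failed_attempts >= 500, 2, 3)
| eval category="Brute force"

/* Keep only the columns to map; anything not in the row falls back to
   the defaults set in the alert action. */
| table short_description description priority category src_ip failed_attempts first_seen last_seen
```

Run the search on its own before saving it as an alert and check that the row count is what you expect, because every row becomes a record. A field that is omitted from the final table, or evaluated to an empty string for a given row, is filled from the action's defaults for that row; for example, dropping the `priority` line makes every incident inherit the default priority configured in step 7.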