Edit the display values for the ServiceNow API

Version 6.3.0 of the Splunk Add-on for ServiceNow deprecates support for events fetched through display_value=false (extractions and Common Information Model (CIM) mappings) configurations. The best practice is to set display_value to all.

Edit the display values for the ServiceNow API. The best practice is to set display_value to all, as it provides better performance. If you need to revert to the previous behavior of collecting the display values using lookups, and not directly from the API (setting the display_value to false), perform the following steps:

1. Enable the saved searches to generate the mapping lookups.

2. On your data collection node, open or create $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/service_now.conf.

3. Copy the snow_default stanza from default/service_now.conf and add it to local/service_now.conf if it does not already exist.

4. In the snow_default stanza in local/service_now.conf change the display_value=all parameter to display_value=false.

5. Save the file.

6. Open or create a local/props.conf file.

   • If you use a single search head, open or create the file in $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/props.conf.
   • If you use a search head cluster, create the props.conf file in the configuration bundle on the deployer: $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_snow/local/props.conf.

7. Follow the instructions provided in the default props.conf file under each affected stanza to create a set of FIELDALIAS statements, and then blank out a corresponding set of LOOKUP statements.

   For example:

   [snow:incident]
   # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
   LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
   LOOKUP-location = cmn_location_list_lookup sys_id AS location OUTPUTNEW latitude, longitude, full_name AS location_name
   LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW user_name AS assignment_user_username, name AS assignment_user_name
   LOOKUP-user2 = sys_user_list_lookup sys_id AS caller_id OUTPUTNEW user_name AS user, name AS name
   LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
   LOOKUP-incident_state = incident_state_lookup state OUTPUTNEW incident_state_name
   
   # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
   FIELDALIAS-assignment_group_name =
   FIELDALIAS-incident_state_name =
   FIELDALIAS-affect_dest =
   FIELDALIAS-assignment_user_name =
   FIELDALIAS-name =
   
   [snow:change_request]
   # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
   LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
   LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
   LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS user
   LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
   LOOKUP-change_state = change_state_lookup state OUTPUTNEW change_state_name
   
   # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
   FIELDALIAS-assignment_group_name =
   FIELDALIAS-assigned_to_name =
   FIELDALIAS-user =
   FIELDALIAS-affect_dest =
   FIELDALIAS-change_state_name =
   
   [snow:change_task]
   # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
   LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
   LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
   LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS user
   LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
   LOOKUP-change_state = change_state_lookup state OUTPUTNEW change_state_name
   
   # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
   FIELDALIAS-assignment_group_name =
   FIELDALIAS-assigned_to_name =
   FIELDALIAS-user =
   FIELDALIAS-affect_dest =
   FIELDALIAS-change_state_name =
   
   [snow:problem]
   # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
   LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
   LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
   LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS name, user_name AS user
   LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
   LOOKUP-problem_state = problem_state_lookup problem_state OUTPUTNEW problem_state_name
   
   # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
   FIELDALIAS-assignment_group_name =
   FIELDALIAS-assigned_to_name =
   FIELDALIAS-name =
   FIELDALIAS-affect_dest =
   FIELDALIAS-problem_state_name =
   
   [snow:em_event]
   # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
   LOOKUP-severity_name = severity_lookup severity AS severity OUTPUTNEW severity_name AS severity_name
   
   # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-severity_name = " without quotes
   FIELDALIAS-severity_name =
   

8. Save the file.

9. If you are running a search head cluster, push the configuration bundle to the cluster members by running the following command on the deployer: splunk apply shcluster-bundle. This restarts the search-head cluster members, if needed. If you are running a single search head, restart it manually.

10. Restart your data collection node.