Lookups for the Splunk Add-on for ServiceNow¶
The Splunk Add-on for ServiceNow has the following
lookups
in $SPLUNK_HOME/etc/apps/Splunk_TA_snow/lookups. Some of these are
included for integration and backwards compatibility with other
applications, and are not used as lookups for the add-on itself.
As dynamic CSV lookups are migrated to KV Store lookups, those lookups won’t have filename associated with them.
| Filename/KV Store | Purpose | Replication Enabled on Indexer |
|---|---|---|
snow_change_states.csv |
Maps state to a human-readable string. Note: This lookup is deprecated as it is used with display_value=false, which is deprecated as part of version 6.3.0. |
No |
snow_cmdb_ci_app_server_lookup |
This lookup depends on the ServiceNow CMDB CI App Servers saved search included with the add-on. | No |
snow_cmdb_ci_db_instance_lookup |
This lookup depends on the ServiceNow CMDB CI DB Instances saved search included with the add-on. | No |
snow_cmdb_ci_infra_service_lookup |
This lookup depends on the ServiceNow CMDB CI Infra Services saved search included with the add-on. | No |
snow_cmdb_ci_list_lookup |
Looks up the cmdb_ci sys_id in incident events to populate affect_dest. This lookup depends on the ServiceNow CMDB CI List saved search included with the add-on. Note: This lookup and associated saved search is deprecated as it is used with display_value=false, which is deprecated as part of version 6.3.0. |
No |
snow_cmdb_ci_server_lookup |
This lookup depends on the ServiceNow CMDB CI Server saved search included with the add-on. | No |
snow_cmdb_ci_service_lookup |
This lookup depends on the ServiceNow CMDB CI Services saved search included with the add-on. | No |
snow_cmdb_ci_vm_lookup |
This lookup depends on the ServiceNow CMDB CI VM saved search included with the add-on. | No |
snow_cmdb_rel_ci_lookup |
This lookup depends on the ServiceNow CMDB CI Relation saved search included with the add-on. | No |
snow_cmn_location_list_lookup |
Obtains detailed latitude and longitude information from the location field. This lookup depends on the ServiceNow CNM Location List saved search included with the add-on. |
Yes |
snow_incident_state_lookup |
Maps a numerical incident state value to a human-readable string. Note: This lookup and associated saved search is deprecated as it is being used with display_value=false, which is deprecated as part of version 6.3.0. |
No |
snow_problem_states.csv |
Maps a numerical problem state number to a human-readable string. Note: This lookup is deprecated as it is used with display_value=false, which is deprecated as part of version 6.3.0. |
No |
snow_severities.csv |
Maps a numerical severity value to a human-readable string. Note: This lookup is deprecated as it is used with display_value=false, which is deprecated as part of version 6.3.0. |
No |
snow_sys_choice_list_lookup |
Contains possible choices for database table columns. This lookup depends on the ServiceNow Sys Choice List saved search included with the add-on. | No |
snow_sys_user_group_list_lookup |
Maps user group IDs to user group names in incident, event, change, or problem events. This lookup depends on the ServiceNow Sys User Group List saved search included with the add-on. Note: This lookup and associated saved search is deprecated as it is used with display_value=false, which is deprecated as part of version 6.3.0. |
No |
snow_sys_user_list_lookup |
Maps user IDs to user names in incident, event, change, or problem events. This lookup depends on the ServiceNow Sys User List saved search included with the add-on. | Yes |
How to Use Lookups in a Clustered Environment or in Splunk Cloud¶
From version 9.2.0 of the Splunk Add-on for ServiceNow, we have set replication to false for all lookups except snow_sys_user_list_lookup and snow_cmn_location_list_lookup (as these two lookups are used in extractions). This change was made because, in a search head cluster or Splunk Cloud, these lookups were increasing the size of the search head bundle, which caused replication to stop and prevented it from working properly. Therefore, replication has been set to false for lookups that are not used in any extractions by the TA. If you want to use any other lookup, you can use the Splunk-managed app Splunk App for Lookup File Editing to edit the replication setting for the lookup. If you face any issues, you can also reach out to Splunk Support for further guidance.
Note
In the Splunk App for Lookup File Editing, a lookup can be found by its collection name. To find the collection name, go to:
1. In Splunk Web, go to Settings → Lookups → Lookup definitions
2. Locate the desired lookup by its name (see the table on this page).
3. Select the lookup name to open the edit window, where you see the Collection Name.