Use custom streaming commands for the Splunk Add-on for ServiceNow

The Splunk Add-on for ServiceNow includes custom centralized streaming commands that allow you to create and update incidents and create events. These streaming commands are snowincidentstream and snoweventstream.

Before you can use these commands, see Configure ServiceNow to integrate with the Splunk platform.

The streaming commands allow you to create or modify incidents and create events in ServiceNow, provided that you include the required arguments:

  • For incidents, the only required argument is:
    • account
  • For events, the required arguments are:
    • account
    • node
    • resource
    • type
    • severity

See Commands, alert actions, and scripts available with the Splunk Add-on for ServiceNow for a table detailing all the required and supported arguments.

You can use the custom streaming commands to update incidents only if they were created from the Splunk platform.

Searches that use the custom streaming commands create one incident or event in ServiceNow for every event returned by the search string that precedes the command. If that search returns multiple events, multiple incidents or events are created: the number of events returned by the search equals the number of incidents or events created in ServiceNow.

To use custom fields with the snowincident command, pass || separated key-value pairs of custom field names and values in the --custom_fields argument. Every parameter passed in --custom_fields must first be configured in the ServiceNow instance: it must exist in the ServiceNow Incident table and in the Splunk import set table (x_splu2_splunk_ser_u_splunk_incident), and it must be mapped in the appropriate transform map. For example, the fields u_affected_user and u_caller_id used in the searches below must be present in your ServiceNow Incident table and in the intermediate Splunk import set table (x_splu2_splunk_ser_u_splunk_incident), and both must be mapped in the appropriate transform map.
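The following helper shows the || separated key-value format described above, with the checks a practitioner would want before a search reaches ServiceNow: parsing the string into fields, flagging any field not yet configured on the ServiceNow side, and serialising the fields back. This is an added example, not code from the add-on; CONFIGURED_FIELDS is a constructed allow-list that stands in for the fields configured in your own instance.

```python
"""Build and validate the ``||``-separated custom_fields string used by the
Splunk Add-on for ServiceNow streaming commands (added example, not the
add-on's own code; CONFIGURED_FIELDS is a constructed allow-list)."""

SEPARATOR = "||"

# Constructed allow-list standing in for the custom fields that have been
# added to the ServiceNow Incident table, the Splunk import set table and
# the transform map. In a real deployment, populate it from your instance.
CONFIGURED_FIELDS = {"u_affected_user", "u_caller_id"}


def parse_custom_fields(value):
    """Split ``k1=v1||k2=v2`` into a dict; raise ValueError on malformed input.

    Splitting on the first ``=`` only lets values contain ``=`` themselves.
    Empty segments (such as a trailing ``||``) and duplicate keys are rejected
    so a typo does not silently drop a field before it reaches ServiceNow.
    """
    fields = {}
    for segment in value.split(SEPARATOR):
        if not segment.strip():
            raise ValueError("empty segment in custom_fields: %r" % value)
        key, sep, val = segment.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError("segment %r is not key=value" % segment)
        if key in fields:
            raise ValueError("duplicate custom field %r" % key)
        fields[key] = val
    return fields


def unconfigured_fields(fields, configured=CONFIGURED_FIELDS):
    """Return, sorted, the keys that are not configured in ServiceNow.

    The page requires every custom field to exist on the Incident table, the
    import set table and the transform map first; check before searching so
    an unmapped key is caught in Splunk rather than lost on the ServiceNow side.
    """
    return sorted(k for k in fields if k not in configured)


def build_custom_fields(fields):
    """Serialise a dict back into the ``k=v||k=v`` form the command expects."""
    for key, val in fields.items():
        if SEPARATOR in key or SEPARATOR in val:
            raise ValueError("%r may not appear in a key or value" % SEPARATOR)
    return SEPARATOR.join("%s=%s" % (k, v) for k, v in fields.items())
```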

The following example search creates an incident when CPU usage is 95 or higher.

sourcetype="CPURates" earliest=-5m latest=now
| stats avg(CPU) as CPU last(_time) as time by host
| where CPU>=95 | eval contact_type="email"
| eval ci_identifier=host | eval priority="1"
| eval category="Software" | eval subcategory="database"
| eval custom_fields="u_affected_user=nobody||u_caller_id=12345"
| eval short_description="CPU on ".host." is at ".CPU." which is \"too\" high."
| eval account="user1"
| snowincidentstream

The following example search closes the above incident for a configured ServiceNow account when CPU usage drops below 15.

sourcetype="CPURates" earliest=-5m latest=now
| stats avg(CPU) as CPU last(_time) as time by host
| where CPU<15 | eval contact_type="email"
| eval ci_identifier=host | eval state="7"
| eval category="Software" | eval subcategory="database"
| eval short_description="CPU on ".host." is at ".CPU." which is \"too\" high."
| eval account="user1"
| snowincidentstream

The following search creates an event in ServiceNow when CPU usage is 95 or higher.

sourcetype="CPURates" earliest=-5m latest=now
| stats avg(CPU) as CPU last(_time) as time by host
| where CPU>=95 | eval account="user" | eval node=host
| eval resource="CPU" | eval type="CPUAlert" | eval severity=2
| eval description="CPU on ".host." is at ".CPU." which is \"too\" high."
| eval ci_identifier="k1=v1||k2=v2"
| eval custom_fields="u_affected_user=nobody||u_caller_id=12345"
| snoweventstream