# This is an example notable_event_actions.conf. Use this file to configure
# episode actions.
#
# To use one or more of these configurations, copy the configuration block
# into notable_event_actions.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see
# the documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles
#
# This example alert includes running a script, sending an email, and
# creating an incident in ServiceNow.

[email]
disabled = 0

[script]
disabled = 0

[snow_incident]
disabled = 0
type = external_ticket
execute_in_sync = 1
execute_once_per_group = 1
ticket_system_name = ServiceNow
relative_refresh_uri = /servicesNS/nobody/-/service_now_incident/snow_incident
correlation_key = correlation_id
* Refresh URI now becomes /servicesNS/nobody/-/service_now_incident/snow_incident?correlation_id
correlation_value = $result.event_id$
* Assuming we are dealing with an event whose event_id is 'myevent1234', the URI now becomes:
  /servicesNS/nobody/-/service_now_incident/snow_incident?correlation_id=myevent1234
* Final URI with output_mode:
  /servicesNS/nobody/-/service_now_incident/snow_incident?correlation_id=myevent1234&output_mode=json
* If there is no 'correlation_key' specified, the final URI looks like:
  /servicesNS/nobody/-/service_now_incident/snow_incident/myevent1234?output_mode=json
correlation_value_for_group = $result.itsi_group_id$
* When operating on an episode, we will use the value corresponding to 'itsi_group_id' as the
  correlation_id. Similar to correlation_value mentioned above.
refresh_response_json_path = entry{0}.content
* Assuming the JSON response looks like the following:
  {
    ...
    "entry": [
      {
        ...
        "content": {
          "number": "INC0047495",
          "url": "https://abc.service-now.com/incident.do?sysparm_query=correlation_id=myevent1234",
          ...
        }
      }
    ],
    ...
  }
  ...
  the path value is indicative of how to extract the ticket_id and ticket_url.
refresh_response_ticket_id_key = number
* After extracting the JSON blob we are interested in, which looks like the following:
  {
    ...
    "number": "INC0047495",
    "url": "https://abc.service-now.com/incident.do?sysparm_query=correlation_id=myevent1234"
  }
  ...
  'number' is the value we are interested in.
refresh_response_ticket_url_key = url
* After extracting the JSON blob we are interested in, which looks like the following:
  {
    ...
    "number": "INC0047495",
    "url": "https://abc.service-now.com/incident.do?sysparm_query=correlation_id=myevent1234"
  }
  ...
  'url' is the value we are interested in.

[remedy_incident]
disabled = 0
type = external_ticket
execute_in_sync = 1
execute_once_per_group = 1
ticket_system_name = Remedy
relative_refresh_uri = /servicesNS/nobody/-/remedy_incident/remedy_incident
correlation_key = correlation_id
* Refresh URI now becomes /servicesNS/nobody/-/remedy_incident/remedy_incident?correlation_id
correlation_value = $result.event_id$
* Assuming we are dealing with an event whose event_id is 'myevent1234', the URI now becomes:
  /servicesNS/nobody/-/remedy_incident/remedy_incident?correlation_id=myevent1234
* Final URI with output_mode:
  /servicesNS/nobody/-/remedy_incident/remedy_incident?correlation_id=myevent1234&output_mode=json
* If there is no 'correlation_key' specified, the final URI looks like:
  /servicesNS/nobody/-/remedy_incident/remedy_incident/myevent1234?output_mode=json
correlation_value_for_group = $result.itsi_group_id$
* When operating on an episode, we will use the value corresponding to 'itsi_group_id' as the
  correlation_id. Similar to correlation_value mentioned above.
refresh_response_json_path = entry{0}.content
* Assuming the JSON response looks like the following:
  {
    ...
    "entry": [
      {
        ...
        "content": {
          "incident_number_list": "INC000000069368",
          "incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
          ...
        }
      }
    ],
    ...
  }
  ...
  the path value is indicative of how to extract the ticket_id and ticket_url.
refresh_response_ticket_id_key = incident_number_list
* After extracting the JSON blob we are interested in, which looks like the following:
  {
    ...
    "incident_number_list": "INC000000069368",
    "incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
  }
  ...
  'incident_number_list' is the value we are interested in.
refresh_response_ticket_url_key = incident_url_list
* After extracting the JSON blob we are interested in, which looks like the following:
  {
    ...
    "incident_number_list": "INC000000069368",
    "incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
  }
  ...
  'incident_url_list' is the value we are interested in.

[remedy_incident_rest]
disabled = 0
type = external_ticket
execute_in_sync = 1
execute_once_per_group = 1
ticket_system_name = Remedy
relative_refresh_uri = /servicesNS/nobody/-/remedy_incident_rest/remedy_incident_rest
correlation_key = correlation_id
* Refresh URI now becomes /servicesNS/nobody/-/remedy_incident_rest/remedy_incident_rest?correlation_id
correlation_value = $result.event_id$
* Assuming we are dealing with an event whose event_id is 'myevent1234', the URI now becomes:
  /servicesNS/nobody/-/remedy_incident_rest/remedy_incident_rest?correlation_id=myevent1234
* Final URI with output_mode:
  /servicesNS/nobody/-/remedy_incident_rest/remedy_incident_rest?correlation_id=myevent1234&output_mode=json
* If there is no 'correlation_key' specified, the final URI looks like:
  /servicesNS/nobody/-/remedy_incident_rest/remedy_incident_rest/myevent1234?output_mode=json
correlation_value_for_group = $result.itsi_group_id$
* When operating on an episode, we will use the value corresponding to 'itsi_group_id' as the
  correlation_id. Similar to correlation_value mentioned above.
refresh_response_json_path = entry{0}.content
* Assuming the JSON response looks like the following:
  {
    ...
    "entry": [
      {
        ...
        "content": {
          "incident_number_list": "INC000000069368",
          "incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
          ...
        }
      }
    ],
    ...
  }
  ...
  the path value is indicative of how to extract the ticket_id and ticket_url.
refresh_response_ticket_id_key = incident_number_list
* After extracting the JSON blob we are interested in, which looks like the following:
  {
    ...
    "incident_number_list": "INC000000069368",
    "incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
  }
  ...
  'incident_number_list' is the value we are interested in.
refresh_response_ticket_url_key = incident_url_list
* After extracting the JSON blob we are interested in, which looks like the following:
  {
    ...
    "incident_number_list": "INC000000069368",
    "incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
  }
  ...
  'incident_url_list' is the value we are interested in.
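Added example, not part of this example conf or of ITSI's own code: a Python walk-through of how the refresh URI construction and the ticket extraction described in the external_ticket stanzas above fit together, covering the correlation_key and no-correlation_key URI forms and the entry{0}.content path applied to a constructed response. The reading of '{n}' as a list index and the percent-encoding of the correlation value (which is taken from event data before being placed in a URI) are assumptions of this example, not documented ITSI behaviour.

```python
import json
import re
from urllib.parse import quote, urlencode

OUTPUT_MODE = "json"
_SEGMENT = re.compile(r"^([^{}.]+)((?:\{\d+\})*)$")

def build_refresh_uri(relative_refresh_uri, correlation_value, correlation_key=None):
    """Assemble the refresh URI as the stanza comments describe. The value
    comes from event data ($result.event_id$ / $result.itsi_group_id$), so it
    is percent-encoded before it lands in the query string or the path."""
    if correlation_key:
        query = urlencode({correlation_key: correlation_value, "output_mode": OUTPUT_MODE})
        return f"{relative_refresh_uri}?{query}"
    # Without correlation_key the value becomes the last path segment instead.
    return f"{relative_refresh_uri}/{quote(correlation_value, safe='')}?output_mode={OUTPUT_MODE}"

def extract_json_path(doc, path):
    """Walk a path such as 'entry{0}.content': '.' separates object keys and
    '{n}' indexes into a list (assumed reading of the notation in the conf)."""
    node = doc
    for segment in path.split("."):
        match = _SEGMENT.match(segment)
        if not match:
            raise ValueError(f"bad path segment {segment!r}")
        name, indexes = match.groups()
        if not isinstance(node, dict) or name not in node:
            raise KeyError(name)
        node = node[name]
        for idx in re.findall(r"\{(\d+)\}", indexes):
            if not isinstance(node, list) or int(idx) >= len(node):
                raise IndexError(f"{name}{{{idx}}} not present in response")
            node = node[int(idx)]
    return node

def extract_ticket(response_text, json_path, ticket_id_key, ticket_url_key):
    """Return (ticket_id, ticket_url) from a refresh response body."""
    blob = extract_json_path(json.loads(response_text), json_path)
    if not isinstance(blob, dict):
        raise ValueError("refresh_response_json_path did not resolve to an object")
    return blob[ticket_id_key], blob[ticket_url_key]

# Constructed sample response in the shape the snow_incident comment sketches.
SAMPLE_DOC = {
    "entry": [{"name": "snow_incident", "content": {
        "number": "INC0047495",
        "url": "https://abc.service-now.com/incident.do?sysparm_query=correlation_id=myevent1234",
    }}],
}
SAMPLE_RESPONSE = json.dumps(SAMPLE_DOC)
```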