You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
206 lines
8.3 KiB
206 lines
8.3 KiB
# This is an example notable_event_actions.conf. Use this file to configure
|
|
# episode actions.
|
|
#
|
|
# To use one or more of these configurations, copy the configuration block
|
|
# into notable_event_actions.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local.
|
|
# You must restart Splunk to enable configurations.
|
|
#
|
|
# To learn more about configuration files (including precedence) please see
|
|
# the documentation located at
|
|
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles
|
|
#
|
|
# This example alert includes running a script, sending an email, and
|
|
# creating an incident in ServiceNow.
|
|
|
|
[email]
|
|
disabled = 0
|
|
|
|
[script]
|
|
disabled = 0
|
|
|
|
[snow_incident]
|
|
disabled = 0
|
|
type = external_ticket
|
|
execute_in_sync = 1
|
|
execute_once_per_group = 1
|
|
|
|
ticket_system_name = ServiceNow
|
|
relative_refresh_uri = /servicesNS/nobody/-/service_now_incident/snow_incident
|
|
|
|
correlation_key = correlation_id
|
|
* Refresh URI now becomes
|
|
/servicesNS/nobody/-/service_now_incident/snow_incident?correlation_id
|
|
|
|
correlation_value = $result.event_id$
|
|
* Assuming we are dealing with an event whose event_id is 'myevent1234',
|
|
the URI now becomes:
|
|
/servicesNS/nobody/-/service_now_incident/snow_incident?correlation_id=myevent1234
|
|
* Final URI with output_mode:
|
|
/servicesNS/nobody/-/service_now_incident/snow_incident?correlation_id=myevent1234&output_mode=json
|
|
* If there is no 'correlation_key' specified, the final URI looks like:
|
|
/servicesNS/nobody/-/service_now_incident/snow_incident/myevent1234?output_mode=json
|
|
|
|
correlation_value_for_group = $result.itsi_group_id$
|
|
* When operating on an episode, we will use the value corresponding to 'itsi_group_id'
|
|
as the correlation_id. Similar to correlation_value mentioned above.
|
|
|
|
refresh_response_json_path = entry{0}.content
|
|
* Assuming the JSON response looks like the following:
|
|
{
|
|
...
|
|
"entry": [
|
|
{
|
|
...
|
|
"content": {
|
|
"number": "INC0047495",
|
|
"url": "https://abc.service-now.com/incident.do?sysparm_query=correlation_id=myevent1234",
|
|
...
|
|
}
|
|
}
|
|
],
|
|
...
|
|
}
|
|
... the path value is indicative of how to extract the ticket_id and ticket_url.
|
|
|
|
refresh_response_ticket_id_key = number
|
|
* After extracting the JSON blob we are interested in, which looks like the following:
|
|
{
|
|
...
|
|
"number": "INC0047495",
|
|
"url": "https://abc.service-now.com/incident.do?sysparm_query=correlation_id=myevent1234"
|
|
}
|
|
... 'number' is the value we are interested in.
|
|
|
|
refresh_response_ticket_url_key = url
|
|
* After extracting the JSON blob we are interested in, which looks like the following:
|
|
{
|
|
...
|
|
"number": "INC0047495",
|
|
"url": "https://abc.service-now.com/incident.do?sysparm_query=correlation_id=myevent1234"
|
|
}
|
|
... 'url' is the value we are interested in.
|
|
|
|
[remedy_incident]
|
|
disabled = 0
|
|
type = external_ticket
|
|
execute_in_sync = 1
|
|
execute_once_per_group = 1
|
|
|
|
ticket_system_name = Remedy
|
|
relative_refresh_uri = /servicesNS/nobody/-/remedy_incident/remedy_incident
|
|
|
|
correlation_key = correlation_id
|
|
* Refresh URI now becomes
|
|
/servicesNS/nobody/-/remedy_incident/remedy_incident?correlation_id
|
|
|
|
correlation_value = $result.event_id$
|
|
* Assuming we are dealing with an event whose event_id is 'myevent1234',
|
|
the URI now becomes:
|
|
/servicesNS/nobody/-/remedy_incident/remedy_incident?correlation_id=myevent1234
|
|
* Final URI with output_mode:
|
|
/servicesNS/nobody/-/remedy_incident/remedy_incident?correlation_id=myevent1234&output_mode=json
|
|
* If there is no 'correlation_key' specified, the final URI looks like:
|
|
/servicesNS/nobody/-/remedy_incident/remedy_incident/myevent1234?output_mode=json
|
|
|
|
correlation_value_for_group = $result.itsi_group_id$
|
|
* When operating on an episode, we will use the value corresponding to 'itsi_group_id'
|
|
as the correlation_id. Similar to correlation_value mentioned above.
|
|
|
|
refresh_response_json_path = entry{0}.content
|
|
* Assuming the JSON response looks like the following:
|
|
{
|
|
...
|
|
"entry": [
|
|
{
|
|
...
|
|
"content": {
|
|
"incident_number_list": "INC000000069368",
|
|
"incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
|
|
...
|
|
}
|
|
}
|
|
],
|
|
...
|
|
}
|
|
... the path value is indicative of how to extract the ticket_id and ticket_url.
|
|
|
|
refresh_response_ticket_id_key = number
|
|
* After extracting the JSON blob we are interested in, which looks like the following:
|
|
{
|
|
...
|
|
"incident_number_list": "INC000000069368",
|
|
"incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
|
|
}
|
|
... 'incident_number_list' is the value we are interested in.
|
|
|
|
refresh_response_ticket_url_key = url
|
|
* After extracting the JSON blob we are interested in, which looks like the following:
|
|
{
|
|
...
|
|
"incident_number_list": "INC000000069368",
|
|
"incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
|
|
}
|
|
... 'incident_url_list' is the value we are interested in.
|
|
|
|
[remedy_incident_rest]
|
|
disabled = 0
|
|
type = external_ticket
|
|
execute_in_sync = 1
|
|
execute_once_per_group = 1
|
|
|
|
ticket_system_name = Remedy
|
|
relative_refresh_uri = /servicesNS/nobody/-/remedy_incident_rest/remedy_incident_rest
|
|
|
|
correlation_key = correlation_id
|
|
* Refresh URI now becomes
|
|
/servicesNS/nobody/-/remedy_incident_rest/remedy_incident_rest?correlation_id
|
|
|
|
correlation_value = $result.event_id$
|
|
* Assuming we are dealing with an event whose event_id is 'myevent1234',
|
|
the URI now becomes:
|
|
/servicesNS/nobody/-/remedy_incident_rest/remedy_incident_rest?correlation_id=myevent1234
|
|
* Final URI with output_mode:
|
|
/servicesNS/nobody/-/remedy_incident_rest/remedy_incident_rest?correlation_id=myevent1234&output_mode=json
|
|
* If there is no 'correlation_key' specified, the final URI looks like:
|
|
/servicesNS/nobody/-/remedy_incident_rest/remedy_incident_rest/myevent1234?output_mode=json
|
|
|
|
correlation_value_for_group = $result.itsi_group_id$
|
|
* When operating on an episode, we will use the value corresponding to 'itsi_group_id'
|
|
as the correlation_id. Similar to correlation_value mentioned above.
|
|
|
|
refresh_response_json_path = entry{0}.content
|
|
* Assuming the JSON response looks like the following:
|
|
{
|
|
...
|
|
"entry": [
|
|
{
|
|
...
|
|
"content": {
|
|
"incident_number_list": "INC000000069368",
|
|
"incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
|
|
...
|
|
}
|
|
}
|
|
],
|
|
...
|
|
}
|
|
... the path value is indicative of how to extract the ticket_id and ticket_url.
|
|
|
|
refresh_response_ticket_id_key = number
|
|
* After extracting the JSON blob we are interested in, which looks like the following:
|
|
{
|
|
...
|
|
"incident_number_list": "INC000000069368",
|
|
"incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
|
|
}
|
|
... 'incident_number_list' is the value we are interested in.
|
|
|
|
refresh_response_ticket_url_key = url
|
|
* After extracting the JSON blob we are interested in, which looks like the following:
|
|
{
|
|
...
|
|
"incident_number_list": "INC000000069368",
|
|
"incident_url_list": "Remedy_Mid_Tier_URL/arsys/forms/AR_System_Server_Name/SHR:LandingConsole/Default Administrator View/?mode=search&F304255500=HPD:Help Desk&F1000000076=FormOpenNoAppList&F303647600=SearchTicketWithQual&F304255610='1000000161'=\"INC000000069368\""
|
|
}
|
|
... 'incident_url_list' is the value we are interested in.
|