Copyright (C) 2006-2015 Zillow Group, Inc. All Rights Reserved.
Getsnow is a collection of Splunk Search command that uses the snow (sevicenow) api to retrieves raw json data. This app differs from the Splunk Add-on for Service Now by allowing users to query any table, prebuilt or custom, by using filters. Multiple environments may include poc, dev, or prod can access by creating additional stanza and adding the argument 'env='. To convert sys_id to correct values this app depends on the lookups from [Splunk_TA_snow]. Additionally this command can also be used to update lookup tables used.
click here for [Service Now Table API documentation]
Get Service now is a Splunk Search command that uses the snow api and retrieves raw json data.
##Supports:
- Supports multiple Service Now Instances
##Deprecated
- proxy support
-
This version has been test on 6.x and should work on 5.x.
-
App is known to work on Linux,and Mac OS X, but has not been tested on other operating systems. Window should work
-
App requires network access to Service Now instance
-
Minimum of 2 GB RAM and 1.8 GHz CPU.
-
Service Now EUREKA or Higher
-
Splunk version 6.x or Higher
-
[Splunk_TA_snow] 2.8.0
You can download it [Splunk][splunk-download]. And see the [Splunk documentation][] for instructions on installing and more. [Splunk]:http://www.splunk.com [Splunk documentation]:http://docs.splunk.com/Documentation/Splunk/latest/User [splunk-download]:http://www.splunk.com/download [Splunk_TA_snow]:https://splunkbase.splunk.com/app/1928/
-
copy repo into $SPLUNK_HOME/etc/apps/.
-
create $SPLUNK_HOME/etc/apps/getsnow/local/getsnow.conf.
-
configure [production] stanza with url to Service Now instance. Note: if proxy look at README for proxy config.
-
in stanza update value_replacements with keys and values you would like to update from sys_id.
Note: The Service Now user that is defined in each stanza requires read permission to incidents table at minimum. If you plan on using the table argument you must also grant the user read permission to those tables. consult with our ServiceNow Admin.
-
Login to service now.
-
Browse System Definition Tab
-
Click Tables & Columns
-
Find the table of interest under the Tables Names section. Note: items within brackets are the real name of the table.
snowincident retrieve incidents records.
*user_name - User to filter by *assignment_group - filter by assignment_group *filterBy - field to filter user_name by. Valid fields assigned_to, sys_updated_by, opened_by, u_opened_for, resolved_by *daysAgo - How many days ago from now to retrieve incidents *daysBy - field to apply daysAgo. Valid fields closed_at, resolved_at, opened_at, sys_updated_on, sys_created_on *active - Boolean True/False. If record is active. Default None which will pull both *limit - Maximium number of records in batches of 10,000 *env - Environment to query. Environment must be in conf. Default production.
General query tool which allows users to query any table.
*table - sets which table to query. Default incident table. *filters - list of key values where key and value are present. If no filters specified returns 1 even. Example filters="active=true,sys_created_by=rick,severity=3" *limit - Maximium number of records in batches of 10,000 *daysAgo - How many days ago from now to retrieve records *env - Environment to query. Environment must be in conf. Default production.
Note: To use this command use Browse System Definition Tab in Service Now
Retrieves outages
*daysAgo - How many days ago from now to retrieve records *env - Environment to query. Environment must be in conf. Default production
Pulls tasks for users
*user_name - User to filter by *assignment_group - filter by assignment_group *daysAgo - How many days ago from now to retrieve records *active - Boolean True/False. If record is active. Default None which will pull both *limit - Maximium number of records in batches of 10,000 *env - Environment to query. Environment must be in conf. Default production.
Retreives user record, assigned assets, and opened tickets
*user_name - User to filter by *daysAgo - How many days ago from now to retrieve records *env - Environment to query. Environment must be in conf. Default production.
It is recommend that this be installed on an Search head.