Downloading SNOW Table for Splunk

SHA256 checksum (snow-table-for-splunk_101.tgz): ee7d72588b31e01798d45a85c5a51af38f9705ea8af4ad88695ae28de3a77b9f
SHA256 checksum (snow-table-for-splunk_002.tgz): 8ce6370a31795f72cf4e7612dd06eae688c5e90b098654ad58238fe97b3e5d07

SNOW Table for Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades here.

About

The SNOW Table for Splunk application provides an alert action and custom REST API endpoints to perform automated and/or ad hoc actions on a ServiceNow environment via the ServiceNow Table API. The intent of this app is not to replace the Splunk-supported apps for ServiceNow. However, unlike some other Splunk apps for ServiceNow, no ServiceNow app needs to be installed within your ServiceNow environment, since this app uses the ServiceNow Table API to connect to ServiceNow. For comparison, the acquired Splunk SOAR product (i.e. Phantom) also uses the ServiceNow Table API for its connection to ServiceNow.

Dependencies

  • The SNOW Table for Splunk application was developed on a Linux OS VM (CentOS) with a Splunk Dev environment. Due to limited resources, only limited development/testing was done against the Splunk Windows OS environment.

  • The Splunk Python SDK libraries provide integration with the Splunk environment for the job engine (reference the $SPLUNK_HOME/etc/apps/snowtbl/bin/splunklib and $SPLUNK_HOME/etc/apps/snowtbl/bin/utils folders).

  • The Bootstrap (JS and CSS files) and Splunk Javascript SDK libraries help to provide front-end (UI) components (reference the $SPLUNK_HOME/etc/apps/snowtbl/appserver/static folder).

  • A ServiceNow (New York version) Developer instance was used for developing/testing of this app. Contact your ServiceNow Administrator to provide ServiceNow credentials with the proper role(s) for accessing the ServiceNow Table API and ServiceNow tables.

  • The app was developed using the Chrome web browser. No development/testing was done with other web browsers.

Usage

Search

The Search dashboard is the default search dashboard for Splunk.

Configuration

The Configuration dashboard provides a user interface (UI) to enter the ServiceNow URL, ServiceNow user credentials, ServiceNow timeout, and proxy info.

Alert Incident Count

The Alert Incident Count dashboard provides summary and event data for ServiceNow incidents created by the Create ServiceNow Incident Ticket Alert Action.

Help

The Help dashboard displays this info.

Create ServiceNow Incident Ticket Alert Action Configuration

The purpose of the Create ServiceNow Incident Ticket Alert Action is to provide an alert action that creates a ServiceNow incident ticket. As the screenshot of this alert action below shows, the user must provide values for 10 fields. Even though a well-formed search, schedule, and trigger conditions for an alert can prevent nuisance alerts, some level of throttling is suggested to prevent multiple tickets being created for the same issue. ServiceNow customers assign different meanings to these fields, so it is suggested that you request the valid values for these fields from your ServiceNow team and/or rep. It should be noted that the fields for this alert action can be customized by modifying the pfields key/value pair of the ct_incident stanza in the snowtbl_endpoint.conf file and modifying the snowtbl_alert_ct_incident.html file to contain your custom fields. Per Splunk's documentation/recommendations, all changes should be made in the local folder, and a restart of Splunk is required to enable the changes.

Create ServiceNow Ticket Alert Action Configuration

The purpose of the Create ServiceNow Ticket Alert Action is to provide an alert action that creates a record/ticket in any ServiceNow table available via the ServiceNow Table API. As the screenshot of this alert action below shows, the user must provide values for 4 fields.

  1. Table - the ServiceNow table in which to create the record.

  2. Short Description - text string value for the short_description parameter of the ServiceNow table.

  3. Description - text string value for the description parameter of the ServiceNow table.

  4. Fields - JSON of key/value pairs of additional fields/values of the ServiceNow table.


Create a custom ServiceNow Alert Action

The following steps are an overview of creating a custom ServiceNow Alert Action for the SNOW Table for Splunk app. Per Splunk's documentation/recommendations, all changes should be made in the local folder, and a restart of Splunk is required to enable the changes.

  1. Add a stanza with a unique name to the snowtbl_endpoint.conf file, using one of the existing stanzas as a guide. The snowtbl_endpoint.conf.spec file in the README folder describes the key/value pairs.

  2. Add a stanza with a unique name to alert_actions.conf. The alert.execute.cmd.arg.1 value should equal the stanza name created in Step 1.

  3. Create an HTML file whose name is the alert_actions.conf stanza name created in Step 2, with an .html filename extension.

Splunk search command - rest

The Splunk rest search command can be used to call the 2 custom REST API endpoints included with this app named snowtbl_rest_run_query and snowtbl_rest_create_ticket.

SNOW Table for Splunk Run Query REST API Endpoint

The following SNOW Table for Splunk app and ServiceNow Table API parameters are supported by the snowtbl_rest_run_query endpoint. It is worth mentioning multiple times, the SNOW Table for Splunk app uses the ServiceNow Table API for its connection to ServiceNow. If you have used the ServiceNow REST API Explorer UI in the past, the parameters should be familiar to you. If not, ServiceNow provides documentation for the Table API on their website which provides more details on the Table API parameters.

snowtbl_table - the table name for the query that is appended to the ServiceNow url to access the Table API

sysparm_query - Encoded query used to filter the result set (ServiceNow Table API parameter - see ServiceNow Table API documentation for more info)

sysparm_fields - Comma-separated field names to return in the response (ServiceNow Table API parameter - see ServiceNow Table API documentation for more info)

sysparm_display_value - data retrieval operation for reference and choice fields (ServiceNow Table API parameter - see ServiceNow Table API documentation for more info)

sysparm_limit - Limit to be applied on pagination (ServiceNow Table API parameter - see ServiceNow Table API documentation for more info)

The following screenshot is a simple example to query a ServiceNow table (e.g. incident) using the snowtbl_rest_run_query endpoint. The rest search command returns the query results in JSON format in a Splunk Statistics field named value.

| rest /services/snowtbl_rest_run_query
snowtbl_table="incident"
sysparm_limit="1"


The following screenshot is a simple example using the sysparm_query field (filter) to query a ServiceNow table (e.g. incident) using the snowtbl_rest_run_query endpoint.

| rest /services/snowtbl_rest_run_query
snowtbl_table="incident"
sysparm_query="number=INC0000003"
sysparm_fields="number,caller_id.user_name"


The following screenshot is a more advanced example to query a ServiceNow table (e.g. incident) using the snowtbl_rest_run_query endpoint. The spath and mvexpand search commands return the query results in a Splunk Statistics table.

| rest /services/snowtbl_rest_run_query
snowtbl_table="incident"
sysparm_fields="number,caller_id.user_name"
sysparm_limit="3" sysparm_display_value="true"
| spath input=value output=extracted_result path=result{}
| spath input=value output=extracted_error path=error
| eval rest_result=if(extracted_error!="", extracted_error, extracted_result)
| mvexpand rest_result
| spath input=rest_result
| fields - value, records, splunk_server, extracted_result, extracted_error, rest_result


SNOW Table for Splunk Create Ticket REST API Endpoint

The following SNOW Table for Splunk app and ServiceNow Table API parameters are supported by the snowtbl_rest_create_ticket endpoint. It is worth mentioning multiple times, the SNOW Table for Splunk app uses the ServiceNow Table API for its connection to ServiceNow. If you have used the ServiceNow REST API Explorer UI in the past, the parameters should be familiar to you. If not, ServiceNow provides documentation for the Table API on their website which provides more details on the Table API parameters.

snowtbl_table - the table name for the query that is appended to the ServiceNow url to access the Table API

short_description - appended as a key/value pair to the fields parameter value for the short_description field

description - appended as a key/value pair to the fields parameter value for the description field

snowtbl_fields - key/value pairs in JSON format of the ticket/record fields to be created/inserted into the table via HTTP POST arguments

sysparm_fields - Comma-separated field names to return in the response (ServiceNow Table API parameter - see ServiceNow Table API documentation for more info)

sysparm_display_value - data insert or update operations (ServiceNow Table API parameter - see ServiceNow Table API documentation for more info)

The following screenshot is an example to create a record in a ServiceNow table (e.g. incident) using the snowtbl_rest_create_ticket endpoint.

| rest /services/snowtbl_rest_create_ticket
sysparm_fields="number"
snowtbl_table="incident" short_description="short description value" description="long description value" snowtbl_fields="{\"caller_id\":\"System Administrator\"}"

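As an added example (not the app's own code), the following Python shows how the snowtbl_rest_create_ticket parameters map onto a ServiceNow Table API POST: short_description and description are merged into the snowtbl_fields JSON, the table name is appended to the instance URL, and the sysparm_* values become query-string parameters. The table-name pattern and the rejection of non-object JSON are assumed input-validation rules rather than the app's; the /api/now/table/{table} path and HTTP basic auth are standard ServiceNow.

```python
import base64
import json
import re
import urllib.request
from urllib.parse import urlencode

# Assumed validation rule (not the app's own): ServiceNow table names are
# identifiers such as "incident" or "u_custom_table", never path fragments.
TABLE_NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,79}$")

def validate_inputs(snowtbl_table, snowtbl_fields):
    """Return the list of validation problems (empty when input is acceptable)."""
    problems = []
    if not TABLE_NAME_RE.match(snowtbl_table or ""):
        problems.append("invalid ServiceNow table name: %r" % (snowtbl_table,))
    try:
        if not isinstance(json.loads(snowtbl_fields), dict):
            problems.append("snowtbl_fields must be a JSON object of key/value pairs")
    except ValueError:
        problems.append("snowtbl_fields is not valid JSON")
    return problems

def build_create_ticket_request(base_url, snowtbl_table, short_description,
                                description, snowtbl_fields="{}",
                                sysparm_fields=None, sysparm_display_value=None):
    """Return (url, body) for the Table API POST that creates the record."""
    problems = validate_inputs(snowtbl_table, snowtbl_fields)
    if problems:
        raise ValueError("; ".join(problems))
    body = json.loads(snowtbl_fields)
    # short_description and description are appended to the fields JSON,
    # overriding any duplicates supplied inside snowtbl_fields.
    body["short_description"] = short_description
    body["description"] = description
    query = {}
    if sysparm_fields:
        query["sysparm_fields"] = sysparm_fields
    if sysparm_display_value is not None:
        query["sysparm_display_value"] = sysparm_display_value
    url = "%s/api/now/table/%s" % (base_url.rstrip("/"), snowtbl_table)
    if query:
        url += "?" + urlencode(query)
    return url, body

def post_ticket(url, body, username, password, timeout=30):
    """Send the POST with HTTP basic auth and return the parsed JSON reply."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": "Basic " + token}
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))
```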

Application Data Flow and Main Execution Path

The 2 diagrams below show the data flow and the main execution path.

Security

  • The ServiceNow credentials for this app are stored using Splunk's REST API Access endpoints similar to Splunk supported apps.

  • The app's custom REST API endpoints (snowtbl_rest_run_query and snowtbl_rest_create_ticket) are secured by the snowtbl_read_endpoint and snowtbl_write_endpoint capabilities, which are granted to the admin role. The list_storage_passwords capability is also needed to retrieve the ServiceNow credentials used by the snowtbl_rest_run_query and snowtbl_rest_create_ticket endpoints (see Limitations and/or Known Issues below).

  • While it is not suggested due to security concerns, Splunk users without the admin role can be granted permissions to the snowtbl_rest_run_query and snowtbl_rest_create_ticket endpoints and the Create ServiceNow Ticket Alert Action by granting the user the list_storage_passwords, snowtbl_read_endpoint, and snowtbl_write_endpoint capabilities and changing the permissions for the Create ServiceNow Ticket Alert Action. The primary security concern is that the list_storage_passwords capability grants ALL-or-NONE view access to every credential managed by Splunk's REST API Access endpoints (see Limitations and/or Known Issues below).

  • The app's data input validation helps guard against malicious and/or unintended uses. If your use case requires data input that is blocked by the validation, the conf files may have a setting that can be modified to allow it. If not, you are welcome to suggest a new feature.

  • Like any app, the level of security depends on the environment used to host the app. So, it is suggested that the dependencies (see above) be updated periodically with their respective security patches/fixes.

  • If you have suggestions to improve the security of the app, please contact support.

Application Performance

As of version 0.0.1 using a Splunk VM on a laptop, the app has successfully executed several alert actions to create tickets with ServiceNow. As resources become available, more info on performance is expected. It should be noted that only Python libraries included with Splunk (and the Splunk Python SDK) are used for the app's custom REST API endpoints and alert action(s). Please let me know your feedback on the performance of the application.

Limitations and/or Known Issues

  • Splunk has 2 capabilities (list_storage_passwords and admin_all_objects) that behave globally when securing access to 3rd-party (e.g. ServiceNow Table API) user credentials managed by the Splunk REST API Access endpoints. A Splunk user account can view either ALL or NONE of the credentials managed by the Splunk REST API Access endpoints, depending on whether the account has the list_storage_passwords capability. Similarly, the admin_all_objects capability controls the ability to create, update, or delete ALL (or NONE) of the credentials managed by the Splunk REST API Access endpoints. A possible future change for the app may be to use some other library to manage the ServiceNow Table API credentials, because these limitations prevent granting more granular access to credentials managed by the Splunk REST API Access endpoints.

  • The Splunk rest search command appears to give limited info for HTTP status error codes. To provide more useful info to the user when a rest command to the SNOW Table custom REST API endpoints fails, SNOW Table app and ServiceNow Table API errors are returned with HTTP status 200 and the error data in the value field (i.e. the HTTP response payload); the HTTP status returned by the snowtbl_rest_run_query endpoint has to be 200 for the error payload to appear in the value field. The ServiceNow Table API error JSON format is mimicked for SNOW Table app error data to provide a common format. The example error in the screenshot below was created by shutting down the configured ServiceNow proxy and executing the snowtbl_rest_run_query endpoint.
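As an added illustration (not part of the app), the following Python processes the value payload the same way the spath/mvexpand pipeline in the Run Query example above does, and also covers the two failure modes described on this page: an error object in the ServiceNow format (returned by ServiceNow or mimicked by the app) and a non-JSON HTML body from a hibernating instance. The sample payloads are constructed, not captured from a real instance.

```python
import json

def parse_snowtbl_value(value):
    """Split the `value` payload returned by the app's custom rest endpoints.

    Returns (records, error). `records` is the Table API "result" list;
    `error` is the "error" object when the payload reports a failure (the app
    mimics the ServiceNow error format, so one check covers both sources).
    A non-JSON body, such as the HTML page a hibernating developer instance
    returns, becomes an error object instead of raising an exception.
    """
    try:
        payload = json.loads(value)
    except ValueError:
        return [], {"message": "non-JSON response from ServiceNow",
                    "detail": value[:120]}
    if not isinstance(payload, dict):
        return [], {"message": "unexpected JSON payload",
                    "detail": type(payload).__name__}
    if "error" in payload:
        return [], payload["error"]
    result = payload.get("result", [])
    # A query returns a list; a freshly created record comes back as one
    # object. Normalise both to a list of records.
    return (result if isinstance(result, list) else [result]), None

def flatten_records(records, fields):
    """One row per record with the requested fields, like the spath/mvexpand
    pipeline that turns the JSON into a Splunk statistics table."""
    rows = []
    for rec in records:
        row = {}
        for name in fields:
            val = rec.get(name, "")
            # Reference fields can arrive as objects ({"value", "link"}, or
            # {"display_value", "value"} with sysparm_display_value=all);
            # prefer the display value, then the raw value.
            if isinstance(val, dict):
                val = val.get("display_value", val.get("value", ""))
            row[name] = val
        rows.append(row)
    return rows

# Constructed sample payloads (not captured from a real instance).
SAMPLE_OK = json.dumps({"result": [
    {"number": "INC0000003",
     "caller_id": {"display_value": "Employee", "value": "sys_id_placeholder"}},
    {"number": "INC0000004", "caller_id": "Sample Caller"},
]})
SAMPLE_ERROR = json.dumps({"error": {"message": "Proxy connection failed",
                                     "detail": "connection refused"},
                           "status": "failure"})
SAMPLE_HTML = "<html><body>Instance is hibernating</body></html>"
```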

Support/Suggestions

Contact the developer

Release Notes

Version 1.0.1
Dec. 18, 2019

- Added Create ServiceNow Incident Ticket Alert Action with more user friendly fields and ability for user to customize ServiceNow fields of alert action
- Added ServiceNow timeout & test connectivity button to Configuration dashboard
- Changed app objects from app context to system context to allow other apps to use alert actions
- Added Alert Incident Count dashboard with statistics of Create ServiceNow Incident Ticket Alert Action executions
- Improved error handling for ServiceNow returning an HTML response (i.e. when the ServiceNow instance is in hibernation) instead of a JSON response

Version 0.0.2
Dec. 12, 2019

- Fixed issue with server side Python script(s) experiencing error reading data managed by the Configuration dashboard.
- Fixed issue with Windows Python logger library adding escape character to log file path.

15 Installs, 62 Downloads
© 2005-2020 Splunk Inc. All rights reserved.