Multiple-record, custom field Splunk alerts

Multi-record alerts (defined using the Create Multiple ServiceNow Security Incidents and Create Multiple ServiceNow Security Events trigger actions) automatically create one record per search result and can populate any set of fields that the target table supports.

These actions differ from the other alert actions in that you can supply default values for fields. Most of the data, however, comes from the search results of that alert.

Note: In previous versions of the add-on and this documentation, scripted alerts were supported. That feature has been deprecated and replaced by these instructions.

Create a multi-record, custom field Splunk alert

To create a multiple record Splunk alert with custom fields, you must build a search whose output field names match the ServiceNow columns you want to populate.

  1. Navigate to Search.
  2. In the Search box, create a search that generates your record data. See the examples for recommended search criteria.
  3. Click Save As and select Alert.
  4. Set the name, permissions, and schedule, as needed.
  5. Click Add Actions.
  6. Make one of the following selections.
    • To create one event per result from your search, select Create Multiple ServiceNow Security Events.
    • To create one incident per result from your search, select Create Multiple ServiceNow Security Incidents.
  7. Set any defaults, as needed.
    If a field is blank or not present in a search result, the default value is used for that record. If the result contains a value for the field, that value overrides the default.

Multi-record, custom field Splunk alert examples

When you are creating multiple record Splunk alerts with custom fields, you need to define search criteria for generating alert data. Examples of search criteria for security incidents and security events are shown.

Security incident search

For a security incident, these criteria build a search that fills in columns of the security incident table. The found_ip field is assumed to already exist as an extracted field in the events; eval copies it into source_ip, and where it is missing the default for source_ip (if one was set) is used instead.

host=Development source="/CodeArchive/password/password_decrypt.cpp" |
eval contact_type="Monitoring" |
eval cmdb_ci=host |
eval subcategory="Sensitive Data Monitoring" |
eval description=_raw |
eval source_ip=found_ip

Security event search

For a security event, this is the same search, but it populates security event fields instead. Populated fields that do not exist on the security event table are kept in the additional information field of the event (and of the alert). If the event is later turned into a security incident, those fields are transferred to the security incident; otherwise they remain in the additional information field.

host=Development source="/CodeArchive/password/password_decrypt.cpp" |
eval type="Monitoring" |
eval node=host |
eval source=source |
eval subcategory="Sensitive Data Monitoring" |
eval description=_raw |
eval source_ip=found_ip

Note: The search criteria you use add as many records as the search returns, whether that is 5 results or 10,000,000,000. Each result becomes a separate REST call into the ServiceNow instance, so this is NOT a recommended method for the bulk transfer of data. Before saving the alert, run the search on its own and check the result count.
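The following is an added example, not code from the add-on or from ServiceNow. It simulates how the default-merge rule in step 7 and the additional information behaviour described for security events apply to a set of search results, so you can sanity-check a search locally before saving it as an alert. The column sets for the two tables, the additional_information field name, the sample result rows, and the max_records guard are all assumptions made for the illustration; the real field mapping done when an event is promoted to an incident (for example type to contact_type) is not modelled.

```python
"""Simulate the multi-record alert behaviour described on this page.

Added example, NOT the add-on's own code. Rules implemented:
  * a blank or missing field in a result takes the default value;
    a present, non-empty value overrides the default;
  * one record is built per search result;
  * fields that are not columns of the target table go into the
    additional information field rather than being dropped;
  * on promotion to an incident, additional-information fields that
    are incident columns are transferred to the incident.
All column sets and sample rows below are constructed assumptions."""

# Assumed column sets (constructed; not the real table schemas).
SECURITY_EVENT_COLUMNS = {"type", "node", "source", "description",
                          "source_ip", "severity"}
SECURITY_INCIDENT_COLUMNS = {"contact_type", "cmdb_ci", "subcategory",
                             "description", "source_ip",
                             "short_description", "severity"}
ADDITIONAL_INFO = "additional_information"  # assumed field name

# Constructed rows, shaped like the output of the security event search.
SAMPLE_RESULTS = [
    {"host": "Development",
     "source": "/CodeArchive/password/password_decrypt.cpp",
     "type": "Monitoring", "node": "Development",
     "subcategory": "Sensitive Data Monitoring",
     "description": "found hard-coded key in password_decrypt.cpp",
     "source_ip": "10.0.0.5"},
    {"host": "Development",
     "source": "/CodeArchive/password/password_decrypt.cpp",
     "type": "Monitoring", "node": "Development",
     "subcategory": "Sensitive Data Monitoring",
     "description": "found hard-coded key in password_decrypt.cpp",
     "source_ip": ""},  # blank: the default for source_ip must win
]
DEFAULTS = {"type": "Monitoring", "source_ip": "unknown", "severity": "3"}


def merge_defaults(result, defaults):
    """Step 7 rule: blank/missing field -> default; present value wins."""
    record = dict(defaults)
    for name, value in result.items():
        if value is None or (isinstance(value, str) and not value.strip()):
            continue
        record[name] = value
    return record


def over_cap(results, max_records):
    """True when the search would generate more records than allowed."""
    return max_records is not None and len(results) > max_records


def build_records(results, defaults, columns, max_records=None):
    """One record per search result; unknown fields go to additional info.

    max_records is an added local guard (an assumption, not an add-on
    option) against accidentally turning a search into a bulk load."""
    if over_cap(results, max_records):
        raise ValueError(f"{len(results)} results exceed cap {max_records}; "
                         "each result would be a separate REST call")
    records = []
    for result in results:
        merged = merge_defaults(result, defaults)
        record = {k: v for k, v in merged.items() if k in columns}
        extra = {k: v for k, v in merged.items() if k not in columns}
        if extra:
            record[ADDITIONAL_INFO] = extra
        records.append(record)
    return records


def promote_to_incident(event, incident_columns):
    """Transfer additional-information fields that are incident columns
    onto the incident; everything else stays in additional information."""
    extra = dict(event.get(ADDITIONAL_INFO, {}))
    incident = {k: v for k, v in event.items()
                if k != ADDITIONAL_INFO and k in incident_columns}
    for name in list(extra):
        if name in incident_columns and name not in incident:
            incident[name] = extra.pop(name)
    if extra:
        incident[ADDITIONAL_INFO] = extra
    return incident


if __name__ == "__main__":
    events = build_records(SAMPLE_RESULTS, DEFAULTS, SECURITY_EVENT_COLUMNS)
    for e in events:
        print("event:", e)
    print("incident:", promote_to_incident(events[0],
                                           SECURITY_INCIDENT_COLUMNS))
```

Running the script shows the second event picking up source_ip "unknown" from the defaults while the first keeps 10.0.0.5, the subcategory value parked under additional_information on the event, and that same value moving onto the incident when the event is promoted. Passing max_records=1 raises instead of building records, which is the local equivalent of checking the result count before you save the alert.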