Multiple-record, custom field Splunk alerts

Multi-record alerts (defined using the Create Multiple ServiceNow Security Incidents and Create Multiple ServiceNow Security Events trigger actions) can automatically create records with any supported set of fields.

These trigger actions differ from the other alert actions in that default values are provided for the created records. However, most of the record data comes from the alert's search results.

Note: In previous versions of the add-on and this documentation, scripted alerts were supported. That feature has been deprecated and replaced by these instructions.