Create a multi-record, custom field Splunk alert

To create a multi-record Splunk alert with custom fields, you must build a search whose result fields match the ServiceNow columns you want to populate.

  1. Navigate to Search.
  2. In the Search box, create a search that generates your record data. See the examples for recommended search criteria.
  3. Click Save As and select Alert.
  4. Set the name, permissions, and schedule, as needed.
  5. Click Add Actions.
  6. Make one of the following selections.
    • To create one event per result from your search, select Create Multiple ServiceNow Security Events.
    • To create one incident per result from your search, select Create Multiple ServiceNow Security Incidents.
  7. Set any defaults, as needed.
    Figure 1. Default values for security incidents
    Figure 2. Default values for security events
    If a field is blank or not present in a search result, the default value is used. If the result contains a value for the field, that value overrides the default.
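As an added example (not part of the ServiceNow documentation), the following search emits one row per source/destination pair with result fields named after the ServiceNow columns they populate; the index, sourcetype, thresholds and the Splunk field names are assumptions, while short_description, description and priority are task columns on the security incident table.

```spl
index=security sourcetype=firewall action=blocked earliest=-15m
| stats count AS event_count, values(dest_port) AS dest_ports BY src_ip, dest_ip
| where event_count > 20
| eval short_description="Repeated blocked connections from " . src_ip . " to " . dest_ip
| eval description="Blocked " . tostring(event_count) . " connections in 15 minutes; destination ports: " . mvjoin(dest_ports, ", ")
| eval priority=if(event_count > 100, 2, null())
| table short_description, description, priority, src_ip, dest_ip, event_count
```

With Create Multiple ServiceNow Security Incidents selected, each row becomes one incident; priority is deliberately left null for lower counts so the alert action's default priority applies, and category is not emitted at all so its default is used as well.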