Multiple-record, custom field Splunk alerts

Multi-record alerts (defined using the Create Multiple ServiceNow Security Incidents and Create Multiple ServiceNow Security Events trigger actions) can automatically create records with any set of fields supported. These act differently from the other alert actions in that default values are provided. However, most of the data comes from the search result for that alert.

Note: In previous versions of the add-on and this documentation, scripted alerts were supported. That feature has been deprecated and replaced by these instructions.

Create a multi-record, custom field Splunk alert
To create a multiple record Splunk alert with custom fields, you must build a search that is designed to match the ServiceNow columns you want to populate.

Multi-record, custom field Splunk alert examples
When you are creating multiple record Splunk alerts with custom fields, you need to define search criteria for generating alert data. Examples of search criteria for security incidents and security events are shown.