Forum Discussion

teppotahkapaa's avatar
3 months ago

Sending Sub-ID information into incident integration

When SL1 sends event to, in our case, using SL PF Incindent Sync to ServiceNow, other systems it quite often includes the sub-id information also in that message. Normally that is also used as correlation ID in ServiceNow. Example here what is seen in SN:

So some events utilize other sub-id's than those ootb cpu/mem/disk/etc. 

We would also use that kind of feature in our own event policies to send numeric (or string) information in that field. But we have not yet found a place where we can control that. So how is that information sent to servicenow. What fields in event message are used for that info?

  • Not sure if this suits your use case,  but we often extract details from the event message using regex groups.  The returned values are used to populate the sub_id field and this is used to then control the uniqueness of the Incident in ServiceNow.

    In the version of the ServiceNow Incident Sync pack we are using (3.0.1), the correlation_id is built in PowerFlow and passed to ServiceNow in the payload. The %Y (sub entity name) runbook variable is used to populate the sub_id value.  Example resulting correlation id below :

    ScienceLogicDev+DEV+783889+EVENT+8185+SUB-ID-dcllnp30_b002;4062078;10/24/2024 11:12:26

    I understand that in later versions of the Incident Sync Pack/Incident Scoped app the correlation id is calculated in ServiceNow so the behavior may differ.

    • teppotahkapaa's avatar
      teppotahkapaa
      Icon for Expert rankExpert

      Yes, it was not that easy.

      So we can send the sub entity name to servicenow but it is not mapped to correlation ID. Unfortunately. Still all events are pointed to one incident whereas the need is to get them as separate incident if that sub entity is different

      • justinelborough's avatar
        justinelborough
        Icon for Contributor rankContributor

        Hi

        I'm finding this exact behavior when testing the latest version of the app.  In the example I gave previously when the correlation_id is built in PowerFlow (old sync pack version)  it uses the sub_entity_name value (%Y) for the sub_id value :

        In the later version when its calculated in SNOW it calls the determineCorrID function in the TaskMappingHelper script include to generate the correlation_id field value.  In that function its using the u_sub_entity_id field value in the import table for the sub_id value :

         We are testing a solution where we've cloned the TaskMappingHelper script include in SNOW and have updated the function to use source.u_sub_entity_name field instead of source.u_sub_entity_id

        This seems to be working for us.  Unique incidents are created for different sub-entity values based on the sub_entity_name field. 

        hope this helps !