Neophyte
AdvisorLogicMonitor does store the Incident number and also seems to store a link to the Incident, which includes the sysid. If you query the LogicMonitor API for the information about an alert, you will see something like the following in the alertExternalTicketUrl column
"alertExternalTicketUrl": {
"servicenowIncidentLinks": {
"INC5132740": "https://XXXXX.service-now.com/now/nav/ui/classic/params/target/incident.do%3Fsys_id%3Db05f563a1b962a10438ced79b04bcb81"
}
},I don't think you would be able to access this from a token so you could pass it to a custom HTTP integration though.
Depending on what system you are hitting with your custom HTTPS integration, maybe you could pass it the alert ID, then maybe get your external system to query the LM API for the details of the alert, then parse the sysId from the alertExternalTicketUrl column?
Then again, if you can have the external system do that, you could instead just have it query Service Now to find the Incident based on the AlertId that will be stored against it.
If it helps, here's some python code I've pulled out of a bigger project, I think it'll work standalone
import requests
import json
import hashlib
import base64
import time
import hmac
instance = "xxxxx" # name of your ServiceNow instance
username = "xxxxx" # your ServiceNow username
password = "xxxxx" # your ServiceNow password
alertid = "xxxxxxxx" # LogicMonitor alert ID to search for
# Set up the API endpoint for incident search
uri = f"https://{instance}.service-now.com/api/now/table/incident"
# Set up authentication
auth_header = base64.b64encode(f"{username}:{password}".encode()).decode()
headers = {
"Accept": "application/json",
"Content-Type": "application/json",
"Authorization": f"Basic {auth_header}"
}
# Query parameters - search for the specific LogicMonitor alert ID and exclude certain incident states
# 7 = Resolved, 6 = Closed, 14 = Pending Closure
query_params = {
"sysparm_query": "x_lomo_lmint_logicmonitor_alert_id=" + alertid + "^incident_stateNOT IN14,6,7",
"sysparm_fields": "number,short_description,sys_id,state,priority,assigned_to,logicmonitor_alert_id",
"sysparm_limit": "1" # Limit to 1 result since we're looking for a specific record
}
try:
# Make the GET request to ServiceNow
response = requests.get(
uri,
headers=headers,
params=query_params
)
# Check if the request was successful
if response.status_code == 200:
print(f"Response: {response.text}")
result = response.json()
if result['result']:
logging.info("Incident found:")
logging.info(json.dumps(result['result'][0], indent=2))
return result['result'][0]
else:
print(f"No incident found with logicmonitor_alert_id={alertid}")
return None
else:
logging.error(f"Error: {response.status_code} - {response.text}")
return None
except Exception as e:
logging.error(f"Exception occurred: {str(e)}")
return None
NeophyteThe idea here ultimately is to have LM trigger an escalation 1 hour after an alert/SNow Incident is created which will add an Incident Task to the Incident. I have the SNow API string developed out to do so but need the sys_id field to attach it to the correct Incident. So, the custom HTTP integration is to send that API call to the same ServiceNow instance.
AdvisorWe have a similar issue with trying to do an integration with BMC Remedy. Although we can get back an Incident ID on the initial Incident creation, sending updates requires us to use a different value (a Remedy internal ID for the Incident, much like a sysid in Service Now). So you have to make an API call to get that value first, then use it in your update calls - it seems some updates need multiple calls as well.
Long story short, we can't do this natively, so we're developing our own automation to deal with it. LM will send to our automation platform via Custom HTTP Integration, our platform will deal with the translation.
I did recently speak to someone in LM PS who said they had done something similar using a data source. We didn't go into details, but I suppose that runs a "collection" script that queries the LM API for new alerts periodically and then makes all the API calls required.
Interesting workaround, perhaps that could work for you? Maybe have a data source that queries the LM API for alerts that are 1 hour old that have a Service Now ticket ID in them, then make the API calls you require to add an Incident Task? I think that could work.
NeophyteAnd of course, I figured out the issue there, I had forgotten the x-version:3 header. Once I added that, I got the URL, so I should be able to strip it and add as a datapoint.
Thanks for the help, Dave!
NeophyteThat's actually an interesting idea, I'll see what I can do along those lines. I'll need to sharpen up on my LM API skills, to be sure :D
AdvisorI can't take credit for that idea, it was mentioned by a chap in LM Pro Services. My "go to" for automation tends to be stuff running Azure Functions, but using a data source to run this stuff is an interesting approach indeed!
NeophyteI will say, I've been digging since I posted earlier and while it looks like /alert/alerts should return "alertExternalTicketUrl", I don't ever get that response when pulling the alerts list. Was thinking that if that were possible, I could strip out the sys_id that is at the end of the URL for SNow.
AdvisorAwesome! I hadn't even noticed that the sysid was at the end of the URL it gives you, that's really useful.
