NeophyteNeophyteThe idea here ultimately is to have LM trigger an escalation 1 hour after an alert/SNow Incident is created which will add an Incident Task to the Incident. I have the SNow API string developed out to do so but need the sys_id field to attach it to the correct Incident. So, the custom HTTP integration is to send that API call to the same ServiceNow instance.
AdvisorWe have a similar issue with trying to do an integration with BMC Remedy. Although we can get back an Incident ID on the initial Incident creation, sending updates requires us to use a different value (a Remedy internal ID for the Incident, much like a sysid in Service Now). So you have to make an API call to get that value first, then use it in your update calls - it seems some updates need multiple calls as well.
Long story short, we can't do this natively, so we're developing our own automation to deal with it. LM will send to our automation platform via Custom HTTP Integration, our platform will deal with the translation.
I did recently speak to someone in LM PS who said they had done something similar using a data source. We didn't go into details, but I suppose that runs a "collection" script that queries the LM API for new alerts periodically and then makes all the API calls required.
Interesting workaround, perhaps that could work for you? Maybe have a data source that queries the LM API for alerts that are 1 hour old that have a Service Now ticket ID in them, then make the API calls you require to add an Incident Task? I think that could work.
NeophyteAnd of course, I figured out the issue there, I had forgotten the x-version:3 header. Once I added that, I got the URL, so I should be able to strip it and add as a datapoint.
Thanks for the help, Dave!
NeophyteThat's actually an interesting idea, I'll see what I can do along those lines. I'll need to sharpen up on my LM API skills, to be sure :D
AdvisorI can't take credit for that idea, it was mentioned by a chap in LM Pro Services. My "go to" for automation tends to be stuff running Azure Functions, but using a data source to run this stuff is an interesting approach indeed!
NeophyteI will say, I've been digging since I posted earlier and while it looks like /alert/alerts should return "alertExternalTicketUrl", I don't ever get that response when pulling the alerts list. Was thinking that if that were possible, I could strip out the sys_id that is at the end of the URL for SNow.
AdvisorAwesome! I hadn't even noticed that the sysid was at the end of the URL it gives you, that's really useful.
NeophyteJust to leave this here for anyone else who may find they want the sys_id from ServiceNow, I've written a standalone powershell script that I'm going to integrate into a datasource, based on Dave's suggestion above.
# ==============================
# LogicMonitor Alert Fetch Script (ServiceNow sys_id only)
# ==============================
param(
[Parameter(Mandatory=$true)]
[string]$HostnameToSearch,
[Parameter(Mandatory=$)]
[string]$accessToken,
[Parameter(Mandatory=$true)]
[string]$CompanyName
)
# --- CONFIGURATION ---
$logicMonitorDomain = "$CompanyName.logicmonitor.com" # e.g., mycompany.logicmonitor.com
# --- API ENDPOINT ---
$baseUrl = "https://$logicMonitorDomain"
$alertsEndpoint = "$baseUrl/santaba/rest/alert/alerts"
# --- Headers for Bearer Auth ---
$headers = @{
"Authorization" = "Bearer $accessToken"
"Content-Type" = "application/json"
"X-Version" = "3"
}
# Build filter properly
$filterValue = "monitorObjectName%3A%22$hostnameToSearch%22"
$filterEncoded = [System.Uri]::EscapeDataString($filterValue)
# Construct full API URL
$url = $alertsEndpoint + "?filter=$filterValue"
Write-Host $baseUrl
Write-Host $alertsEndpoint
Write-Host "Final API URL: $url"
# --- Invoke API Request ---
try {
Write-Host "Querying LogicMonitor alerts with external tickets for hostname: $hostnameToSearch`n"
Write-Host $url
$response = Invoke-RestMethod -Uri $url -Headers $headers -Method Get
# Filter only alerts that have a valid alertExternalTicketUrl
$alertsWithTickets = $response.items | Where-Object {
$_.PSObject.Properties.Name -contains "alertExternalTicketUrl" -and
![string]::IsNullOrWhiteSpace($_.alertExternalTicketUrl)
}
# if ($alertsWithTickets.Count -eq 0) {
# Write-Host "No alerts with external tickets found for host: $hostnameToSearch"
# } else {
Write-Host "`nFound $($alertsWithTickets.Count) alerts with ServiceNow tickets:`n"
foreach ($alert in $alertsWithTickets) {
Write-Output "Alert ID: $($alert.id)"
Write-Output "Severity: $($alert.severity)"
Write-Output "Message: $($alert.message)"
Write-Output "Start Time: $([datetime]::FromFileTimeUtc($alert.startEpoch * 10000 + 116444736000000000))"
$ticketUrl = $alert.alertExternalTicketUrl.servicenowIncidentLinks
Write-Output "External Ticket URL: $ticketUrl"
if ($ticketUrl -match "%3D([a-fA-F0-9]{32})") {
$sysId = $matches[1]
Write-Output "ServiceNow sys_id: $sysId"
}
else {
Write-Warning "Could not extract valid sys_id from: $ticketUrl"
}
Write-Output "--------------------------`n"
# }
}
}
catch {
Write-Error "Failed to retrieve alerts: $_"
}
