Monday, February 22, 2021

A new book on ServiceNow Event Management is available!

I just published my first book, Migrating to ServiceNow Event Management. In it, I provide tips and recommendations for migrating from an existing event management system to ServiceNow ITOM Event Management. The book provides details on some of the differences that exist between ServiceNow and event management systems that are not integrated with a CMDB. A large part of the book is devoted to the organizational information you need to capture to ensure a successful migration. 

It's available on Amazon in paperback or on Kindle.

Tuesday, December 29, 2020

ServiceNow Event Rules: No support for If..Then..Else in regex

The Transform and Compose Alert Output section of an Event Rule in ServiceNow allows you to use regular expressions and grouping to parse data in incoming events. Almost full regular expression support is provided, but I wanted to point out one feature that's definitely not supported as of the Paris release: if..then..else conditionals. Here's a great description of this feature from Basically, the format of this conditional is:


It's somewhat esoteric, but it can be useful in cases where you have two different string formats that you want to parse in a single event rule. I just tested this thoroughly on my dev instance, and it absolutely is not supported. While you can save the event rule with this syntax, you'll eventually see an error stating:

Invalid Regular Expression Field

I believe this is due to the fact that the regular expression engine does not support "lookbehind" (limitation documented here). In any case, it's not supported. I just wanted to document my findings here to save others a little headache.

Update 1/3/2021

The official name for this is Conditional Lookahead. You can play around with it at if you're interested. 

And to make sure I was doing it correctly, I also tried this syntax in the Event Rule transform:


This works in regex101, but gives the Invalid Regular Expression Field in the ServiceNow interface.

Friday, August 14, 2020

ServiceNow ITOM Health - Using a complex algorithm to bind an Alert to a CI

By default with ServiceNow ITOM Health Event Management, an Alert is bound to a CI following this flowchart:

In 95-99% of implementations, you should work to configure components appropriately to leverage the above flow. 

However, there are some unique cases where you need to do something extremely specific that falls outside of the above decision-making process. For those cases, you will want to modify one or more of the Advanced Scripts under Event Management->Settings in the navigator. Specifically, to change the bound CI, you would modify the EvtMgmtCustom_PostBind_Create script to suit your needs. In this script, you can do anything you want to the alert GlideRecord before it's actually written to the database.

Read the warnings in the script definition to realize that you do NOT want to modify this script unless you know what you're doing and have some very efficient code to run. But for those few cases where you need to set the bound CI according to some esoteric algorithm, this script is where it can be done.

Monday, February 17, 2020

How to reconfigure your ServiceNow MID server when your developer instance changes URLs

If your developer ServiceNow instance is hibernated, it may be assigned a new URL. This will break your MID server(s).

To fix this:

cd /servicenow/<midservername>/agent
vi config.xml

1. Search for the old URL.
2. Update it.
3. If the password has changed, put the new password in the file unencrypted. On startup, it will get encoded and encrypted.


Go to your instance to check the status of your MID servers.

Thursday, February 13, 2020

Customizing the ServiceNow Netcool Connector

UPDATE 5/1/2020

You can update this script through the ServiceNow GUI. The navigator item to select is "Script Files" under "MID Server". And the name of the script is NetcoolConnector. Edit in the GUI and it gets updated on all of your MID servers.


The ServiceNow Netcool Connector (introduced at some point before the New York release) allows you to pull events from a Netcool ObjectServer into ServiceNow. The connector is a process that runs on a MID Server. Within the ServiceNow interface, there are only a few configuration options (userid/password, JDBC URL, how often to run, etc.). However, there are no filters to configure. That's because the connector is a straightforward Groovy script that you can edit as needed on the MID Server.


The Netcool Connector script is found on the MID Server in the file .../agent/scripts/Groovy/NetcoolConnector.groovy. Some of the interesting parts of the script are the actual query that's run:

query = "select top 3000 Identifier,Node,NodeAlias,AlertKey, Manager,Agent,AlertGroup,Severity,Type,Summary,Acknowledged,LastOccurrence,StateChange,SuppressEscl from alerts.status where StateChange > " + lastTimeSignature + " and Manager not like '^.*Watch\$' order by StateChange asc";

That is exactly the query that's run, and you can edit it to include custom fields, for example. To complete the customization, you also need to update the createEvent() function to actually include those custom fields in the event that's created in ServiceNow. In there you can also do any hard-coded transforms that are required or anything else.

Wednesday, January 16, 2019

Improving the QRadar to ServiceNow integration by adding QRadar event payloads to ServiceNow incident

Using the standard configuration for the QRadar/ServiceNow integration gives you some great capabilities, but some of our customers have asked for more information in the generated ServiceNow incidents. Specifically, they've asked to have the payloads from the events associated with the offense added to the Description of the incident in ServiceNow. This provides extensive details about the events that triggered the offense in one pane of glass, so the SOC engineer doesn't have to open QRadar separately to get this information.

This can be accomplished by making some configuration changes in both QRadar and ServiceNow. I'll provide the overview here. If you would like more details, please contact me.

1. Add the offense start time to the incident description in the mapping within QRadar.
2. Create a ServiceNow business rule to parse the offense id and start time from the description whenever a new incident is created from QRadar.
3. In that same business rule, use the offense id, start time and a stop time (equal to start time +1) to submit an Ariel query to QRadar via REST to have the query run.
4. In that same business rule, parse the results of the previous REST call to get the results id, then make a second REST call to obtain the actual results, which will be the payloads of the events that caused the offense (and resulting incident) to be created.

The solution doesn't tax either system very much at all and makes life easier for the security engineer researching the issue.
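Steps 2 to 4 above as an added example in plain JavaScript (not the author's business rule). The description lines `Offense ID:` and `Offense Start Time:`, the epoch-millisecond start time, the function names and the injected `http(method, path)` helper are assumptions; the `/api/ariel/searches` paths are QRadar's Ariel search endpoints.

```javascript
// Added example, not the author's business rule. The description layout,
// the function names and the injected `http` helper are assumptions.

// Step 2: pull the offense id and start time out of the incident description.
// Both must be plain digits; anything else is rejected, because the
// description is free text and the values end up inside an AQL statement.
function parseOffenseRef(description) {
  var id = /^Offense ID:[ \t]*(\d{1,10})[ \t\r]*$/m.exec(description);
  var start = /^Offense Start Time:[ \t]*(\d{10,13})[ \t\r]*$/m.exec(description);
  if (!id || !start) {
    throw new Error('description lacks a numeric offense id or start time');
  }
  return { offenseId: Number(id[1]), start: Number(start[1]) };
}

// Step 3: AQL restricted to the offense and to the start..start+1 window.
function buildArielQuery(ref) {
  return 'SELECT UTF8(payload) AS payload FROM events WHERE INOFFENSE(' +
    ref.offenseId + ') START ' + ref.start + ' STOP ' + (ref.start + 1);
}

// Steps 3 and 4: submit the search, wait until it completes, read the results.
// `http(method, path)` returns the parsed JSON body; in a business rule it
// would wrap sn_ws.RESTMessageV2 pointed at the QRadar console, and a real
// rule would pause between polls.
function fetchPayloads(description, http, maxPolls) {
  var aql = buildArielQuery(parseOffenseRef(description));
  var search = http('POST',
    '/api/ariel/searches?query_expression=' + encodeURIComponent(aql));
  var path = '/api/ariel/searches/' + encodeURIComponent(search.search_id);
  for (var i = 0; search.status !== 'COMPLETED'; i++) {
    if (search.status === 'ERROR' || search.status === 'CANCELED') {
      throw new Error('Ariel search ended with status ' + search.status);
    }
    if (i >= (maxPolls || 10)) throw new Error('Ariel search did not complete');
    search = http('GET', path);
  }
  return http('GET', path + '/results').events.map(function (e) {
    return e.payload;
  });
}
```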

Thursday, September 6, 2018

Some of our current projects

We work with a pretty wide array of products, so I wanted to highlight some of the projects we're working on right now.

ServiceNow Architecture and Implementation

We're working with a communications company to implement their procurement, installation and change processes within ServiceNow, with asset feeds from multiple external systems.

ServiceNow Incident Response integration with QRadar

We're helping our client customize both products and the integration between them to best leverage their existing investment and people.

IBM Control Desk for Field Service Management

We're helping a different communications customer with their field service management through workflows and custom user interfaces defined in IBM Control Desk.

Netcool Operations Insight Implementation

We're actually working on several of these at the moment. The most work on these goes into identifying the different event sources, what (if any) automated actions need to be performed and who needs to be notified.

BigFix Steady State

A medical client of ours has been leveraging our BigFix Managed Services for several years to ensure that all IT equipment is both known and is running software at the appropriate patch level.

ICD and BigFix Implementation with Airgap

We're working with a defense contractor to ensure that their Asset Management and Change Management processes continue to work smoothly leveraging ICD and BigFix.

Wednesday, August 29, 2018

ServiceNow - requiring input from a user completing a task from workflow


A normal part of workflow is requiring some additional information from someone involved in the workflow. A lot of information can be captured automatically, but there often seems to be some information that must be input manually by someone simply because not everything can be determined within an algorithm. This may be because the information is maintained in a separate, walled-off system, or it could be because the sensors required to gather the information aren't yet deployed, etc.

In ServiceNow IT Operations Management, you have this ability Out-of-the-box when dealing with Service Catalog Items. A Service Catalog Item is also known as a Requested Item or an RITM. Specifically, you can define Variables that are associated with an RITM, and those Variables are then available for use within any Catalog Tasks that you create within the workflow for that RITM. Without a little customization, this feature is ONLY available within workflows that target the sc_req_item table. So if you require some generic user input as part of a change task, for example, you need to perform the customizations detailed here.

Here is a link to a great article on this very topic. That post is a little old (from 2010), so the information is a bit dated and very terse. I'm writing this article to update the information and to clarify a few pieces to make it clearer.

I suggest you read through these instructions once or twice before you start trying to follow them. Then re-read them as you're implementing them. The pieces will come together for you at some point, just probably not immediately unless you've worked on this area of ServiceNow a bit.

What's already in place?

Basically, almost all of the components needed to provide this capability already exist in the system, so there's only one place that you'll have to add some code. Everything else is just customization.

By default there are two tables that already exist in ServiceNow for this very purpose:

Question [question]
Question Answer [question_answer]

(The format of these names is a common one that you'll see in ServiceNow. It is "Label [actual_table_name]")

The Question table holds all of the questions/variables defined in the system. What's specified here is the text of the question and the type of field required (simple text field, choice list, reference, etc.)

The Question Answer table exists to hold one entry for each question and its answer associated with an "entity". For the purpose of this article, the "entity" we'll be adding question/answer pairs to is a change_task item.

Note: Catalog Items already use both the question and question_answer tables to store the Variables (options) that can be specified for each item. 

Areas that need to be customized

You will need to make customizations in the following areas:

1. Workflow->Administration->Activity Definitions

In here, you need to edit the definition for the Create Task activity. The customizations we're making here will allow us to add Questions to a Create Task workflow activity when we add it to the workflow canvas.

Click on Create Task to edit its definition:

As with most forms in ServiceNow, there are numerous fields and sections within this form. 

Define new variable

The first thing we need to do is define a new variable in the bottom section named "Activity Variables":

Add a variable of type "List" with a label of "Questions" and a Column name of "task_questions" (this name will have "u_" prepended to it once you click Submit), and set it as a Reference to the Question table:

Edit the script

The next thing we need to do is add to the script on the Script tab near the top of the page:

In here, you're going to add two pieces of code. In the onExecute function, you're going to add this code, which references the variable you defined in the last step:


Add it before the call to this.autoClose(taskID), as shown here:

The purpose of this portion of code is to call our function (defined in the next paragraph) when the "Create Activity" task actually creates a task as part of a workflow.

The next piece of code you'll add is the definition of the _setVars() function that's called in the code you just inserted. This is the code you'll add:

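_setVars: function(taskID){
   // Comma-separated list of the Questions selected on this activity
   var questions = activity.vars.u_task_questions;
   questions = questions.split(",");
   for (var i = 0; i < questions.length; i++) {
      // One question_answer row per question, tied to the newly created task
      var qa = new GlideRecord("question_answer");
      qa.initialize();
      qa.question = questions[i];
      qa.table_name = activity.vars.task_table;
      qa.table_sys_id = taskID;
      qa.insert();
   }
},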

Add it after the _generate function definition, as shown here:

The purpose of this code is to add one entry to the question_answer table for each of the questions that are defined for this particular workflow activity task. We'll see this in action later.

Edit the Create Task form

Now that you've got a variable to hold the questions for the task and you've got the code in place to add each of the questions to each new task that will be created by this workflow activity, you need to edit the form to actually let someone choose the questions that will be presented in the task. For this, you need to click on the Edit Variables Layout link in the Related Links section of the Create Task Workflow Activity Definition (hint: this section is directly under the "Update" button under the body of the script):

In here, drag and drop your new "Questions" field wherever you'd like to see it on the form. I've placed mine in the second section of the form:

That's the end of the customizations you need to make to the Workflow Activity Definition. If you want to see the fruits of your labor, you can open the Workflow Editor and create a new workflow, and drop the Create Task activity onto it. Here's what it looks like by default:

And here it is with the new "Questions" field:

We'll come back to the Workflow Editor later. 

2. System UI->Formatters

You now need to create a UI Formatter to display the list of questions and answers. This is covered in the ServiceNow documentation here:

Basically, you just need to create a new UI Formatter that specifies the name you want (I chose "FTQuestionFormatter"), sets the "Formatter" value to com_glideapp_questionset_default_question_editor, and specifies the type of task that you're going to be creating. In my case, I'm working with a Change Task (the change_task table):

You don't need to change anything about the UI Macro for this formatter - it's written to do exactly what we need.

3. Change Task default view

This is described in the product documentation link above, but I'm including it here for completeness. Since I decided to make this feature available to Change Tasks, that's the form we're going to work with. The most straightforward way to edit this form is to go to System Definition->Tables and select the Change Task [change_task] table.

Then scroll down to the middle of the page to select the Design Form Related Link to open the Form Designer, and there you can drag your UI Formatter from the Formatters section (on the left under "Fields") onto the form where you want the questions displayed. I put mine at the bottom of the second section:

This formatter will ONLY show something if the change task you're viewing actually has questions defined. That means that ONLY change tasks created from the workflow that you create in the next step will have anything shown. So at this point, you won't see anything different on any existing change tasks.

4. Service Catalog->Catalog Variables->All Variables

Here is where you need to define any "Questions" (aka Variables) that you want to see on the tasks you'll create later. The main tip here is that you don't need to specify a value for the Catalog Item field, as what we're doing has nothing to do with catalog items. In fact, catalog items already have this capability built-in, with some additional capabilities. What we're configuring is a bit more generic, but we're using the built-in forms to accomplish our goal.

5. Workflow->Workflow Editor

At this point, you can edit a workflow that targets a table that extends the task table and drag the "Create Task" Core Activity onto the canvas. When you do, you'll see your Questions field:

Make sure to select the appropriate type of task - Change Task. This does NOT work for Task items directly in the Task table. This is important to remember! You will not see a successful result if you select "Task".

You can click the padlock icon to open it, then click the magnifying glass to search for your questions:

You'll see ALL of the variables/questions in the questions table. Pick the ones you want displayed to the person assigned the task.

The Result

Now when this task is assigned to a user, that user will see the task in "My Work" and will see that they have the option to provide values for all of the questions selected in the workflow design:


You now have the ability to prompt users for additional input when they're completing a task as part of a workflow. You still need to write scripts to access that data, perform validation, make decisions, etc., and I'll leave that for another day.