Elastalert to PagerDuty to ServiceNow

If anyone has setups regarding the subject line, what yaml attribute controls the ServiceNow incident description?

Hi Joe,

By default, the ServiceNow “Short Description” is set by the incoming PagerDuty trigger webhook payload (JSON), with the value found in the “incident.title” field. If no value is found in “incident.title”, then the value in “incident.description” is used.

Any additional ServiceNow incident fields can be configured using “PagerDuty Inbound Field Rules”, where you can specify the ServiceNow field and which PagerDuty webhook payload field to use.

I am looking for Elastalert yaml attributes to set and verify.

Elastalert yaml attributes for PagerDuty alerts can be found here: https://elastalert.readthedocs.io/en/latest/ruletypes.html#pagerduty

This documentation article mentions the following regarding incident titles:
alert_subject: If set, this will be used as the Incident description within PagerDuty. If not set, ElastAlert will default to using the rule name of the alert for the incident.

Did some more digging, and it would seem that alert_subject: is the short description on the INC and alert_text: is the description on the INC.
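As an added illustration (not a rule file posted by anyone in this thread), here is a complete ElastAlert rule using the PagerDuty alerter with both options the thread discusses set. The rule name, index pattern, filter field names and service key are placeholders, and the use of num_hits as a formatting argument assumes a frequency rule, which adds that count to each match.

```yaml
# Added example rule file, not taken from the thread. Placeholders: the index
# pattern, the filter field, host.name and the PagerDuty service key.
name: Repeated authentication failures
type: frequency
index: auth-logs-*            # assumed index pattern
num_events: 20
timeframe:
  minutes: 5
filter:
- term:
    event.outcome: failure    # assumed field name in the indexed events

alert:
- pagerduty
pagerduty_service_key: "<REPLACE_WITH_EVENTS_API_INTEGRATION_KEY>"
pagerduty_client_name: ElastAlert

# alert_subject is the PagerDuty incident title (incident.title in the
# webhook payload), which the ServiceNow integration uses as the INC
# "Short description" by default. {0}, {1} are filled from alert_subject_args.
alert_subject: "Auth failure spike on {0} ({1} events in 5 min)"
alert_subject_args:
- host.name                   # assumed field present in matching documents
- num_hits                    # added to each match by the frequency rule type

# alert_text is the alert body sent to PagerDuty; the thread discusses this as
# the value to surface in the INC "Description" field. alert_text_only keeps
# ElastAlert from appending its own summary of the match.
alert_text_type: alert_text_only
alert_text: |
  Host: {0}
  Failed logins in window: {1}
  Check the source address for credential stuffing or a misconfigured client.
alert_text_args:
- host.name
- num_hits
```

Once the rule fires, the resulting PagerDuty incident carries the formatted alert_subject as its title, which is what the ServiceNow short description picks up; the alert_text is only reachable in ServiceNow through whatever inbound field rule maps it.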

You can use any incoming event/alert metadata coming in from Elastic and then construct your desired incident title using PagerDuty event rule extraction and templates, creating a business-aligned context in your ServiceNow Incidents. This approach may be best if you don’t have access to configure/customize the ServiceNow PagerDuty app.

As for the “Description” field of ServiceNow incidents, the PagerDuty out-of-box integration with ServiceNow does not map anything to that field, but you can create an inbound field rule to set it based on a field such as details from the webhook that PagerDuty sends to ServiceNow. You can find instructions on creating inbound field rules in the PagerDuty Knowledge Base here, and this example explaining how this can be done in the case of a Splunk > PagerDuty > ServiceNow incident flow might also be helpful.