Integrating ServiceNow Incidents with Elastic AI Agents for Observability Analysis

Introduction This is an example of calling an Elastic AI Agent from a ServiceNow incident. Based on the details recorded in the incident, you can have the AI Agent perform observability analysis as needed. I am not very familiar with ServiceNow, so I implemented this while consulting with Gemini. Please note that this may not be the most optimal implementation. The ServiceNow version used is Zurich. Component Flow The workflow involves having the Elastic AI Agent investigate the incident details and recording the returned results back into the incident. [ServiceNow Incident] │ ▼ [UI Action (Manual Trigger)] │ ▼ [ServiceNow Flow Designer (Subflow)] │ ▼ [ServiceNow Action (Integration Step)] │ ▼ [Elastic Workflow (Orchestration)] │ ▼ [Elastic AI Agent (Agent Builder)] │ ▼ [Elasticsearch Observability Data] Elastic Side Configuration Elastic Workflow Save a Workflow with the following definition. Make sure to copy the Workflow ID included in its URL, as you will need it later to call it from ServiceNow. name: test_servicenow enabled: true triggers: - type: manual inputs: - name: incident_number type: string required: true - name: incident_sys_id type: string required: true - name: short_description type: string required: true - name: priority type: string required: true steps: - name: console type: console with: message: "{{inputs.incident_number}} {{inputs.incident_sys_id}} {{inputs.priority}} {{inputs.short_description}}" - name: check_with_ai_agent type: ai.agent with: message: "Output in plain text format and **NO** markdown. Check index: kibana_sample_data_flights and get information of: {{ inputs.short_description }}" - name: post_to_snow type: http with: url: "https://<Your ServiceNow ID domain>/api/now/table/incident/{{ inputs.incident_sys_id }}" method: PATCH headers: Authorization: "Basic <Your user:password base64>" Content-Type: "application/json" body: '{"work_notes": "{{ steps.check_with_ai_agent.output.message | replace: "\n", "\\n"}}"}' For the Basic key above, set the base64-encoded string of username:password. In this example, I used the ServiceNow admin user and password for testing. (On Mac, you can use the output of echo -n "admin:xxx" | base64). ServiceNow Side Configuration System Definition > Script Includes // Script Include: ElasticKibanaHelper // Scope: Global // Client callable: false var ElasticKibanaHelper = Class.create(); ElasticKibanaHelper.prototype = { initialize: function() { this.baseUrl = 'https://<xxx>.elastic.cloud'; this.apiKey = gs.getProperty('elastic.kibana.api_key', ''); this.timeout = 30000; // 30 seconds }, /** * Trigger a Kibana Workflow by ID. * * @param {String} workflowId - The Kibana workflow ID to run * @param {Object} bodyParams - Optional JSON payload to send with the request * @returns {Object} - { success: Boolean, status: Number, body: Object, error: String } */ runWorkflow: function(workflowId, bodyParams) { if (!workflowId) { return this._error('workflowId is required'); } if (!this.apiKey) { gs.error('ElasticKibanaHelper: elastic.kibana.api_key system property is not set'); return this._error('API key not configured. Set the elastic.kibana.api_key system property.'); } var endpoint = this.baseUrl + '/api/workflows/workflow/' + workflowId + '/run'; var payload = JSON.stringify({ inputs: bodyParams || {} }); try { var request = new sn_ws.RESTMessageV2(); request.setEndpoint(endpoint); request.setHttpMethod('POST'); // ── Authentication ────────────────────────────────────────────── request.setRequestHeader('Authorization', 'ApiKey ' + this.apiKey); // ── Standard headers ──────────────────────────────────────────── request.setRequestHeader('Content-Type', 'application/json'); request.setRequestHeader('kbn-xsrf', 'true'); // Required by Kibana REST API // ── Body ──────────────────────────────────────────────────────── request.setRequestBody(payload); // Timeout request.setEccParameter('connect_timeout', this.timeout); request.setEccParameter('read_timeout', this.timeout); var response = request.execute(); var statusCode = response.getStatusCode(); var bodyText = response.getBody(); gs.info( 'ElasticKibanaHelper.runWorkflow | workflowId=' + workflowId + ' | status=' + statusCode ); var parsedBody = {}; try { parsedBody = JSON.parse(bodyText); } catch(e) { parsedBody = { raw: bodyText }; } if (statusCode >= 200 && statusCode < 300) { return { success: true, status: statusCode, body: parsedBody, error: null }; } gs.error( 'ElasticKibanaHelper.runWorkflow: HTTP ' + statusCode + ' for workflowId=' + workflowId + ' | body=' + bodyText ); return { success: false, status: statusCode, body: parsedBody, error: 'HTTP ' + statusCode + ': ' + (parsedBody.message || bodyText) }; } catch(ex) { gs.error('ElasticKibanaHelper.runWorkflow exception: ' + ex.message); return this._error(ex.message); } }, // ── Private helpers ─────────────────────────────────────────────────────── _error: function(msg) { return { success: false, status: null, body: null, error: msg }; }, type: 'ElasticKibanaHelper' }; Configure Elastic Authentication API Key via sys_properties.list Set the property: elastic.kibana.api_key Flow Designer (Workflow Studio) > Actions Inputs Script - Input Variables Script - Script // Flow Designer Action Script Step // Action name: Run Elastic Kibana Workflow // Step name: Invoke Kibana Workflow API // // Inputs (mapped from Action Inputs above): // inputs.workflow_id → String // inputs.incident_number → String // inputs.incident_sys_id → String // inputs.short_description → String // inputs.priority → String // // Outputs to set: // outputs.success → Boolean // outputs.response_status → Integer // outputs.response_body → String // outputs.error_message → String (function execute(inputs, outputs) { var helper = new ElasticKibanaHelper(); // Build the payload sent to Kibana var payload = { source: 'ServiceNow', incident_number: inputs.incident_number || '', incident_sys_id: inputs.incident_sys_id || '', short_description: inputs.short_description || '', priority: inputs.priority || '', triggered_at: new GlideDateTime().getDisplayValue() }; var result = helper.runWorkflow(inputs.workflow_id, payload); // ── Map results to Action outputs ──────────────────────────────────────── outputs.success = result.success; outputs.response_status = result.status ? String(result.status) : ''; outputs.response_body = result.body ? JSON.stringify(result.body) : ''; outputs.error_message = result.error ? result.error : ''; if (!result.success) { // Surface the error in the flow execution log gs.error( 'Run Elastic Kibana Workflow action failed | ' + 'incident=' + inputs.incident_number + ' | workflowId=' + inputs.workflow_id + ' | error=' + result.error ); } })(inputs, outputs); Script - Output Variables Flow Designer (Workflow Studio) > Subflows The ID of the Elastic Workflow to be executed is hardcoded here. All > System Definitions > UI Actions Check Form button and set the Script. (function() { try { var inputs = {}; // Set "current" to the "Name" defined in the Subflow Input (e.g., incident_record) inputs['incident_record'] = current; // Test with "synchronous execution" that is guaranteed to work // * Be sure to use the Internal Name copied from the Subflow Properties for 'global.xxx' var result = sn_fd.FlowAPI.executeSubflow('global.from_button_trigger_elastic_investigation', inputs); // For synchronous execution, you can directly retrieve information from the returned object gs.addInfoMessage('Executed Subflow'); } catch (ex) { // Force display of the error type and details var errorDetail = (ex.message) ? ex.message : ex.toString(); gs.addErrorMessage('[Debug] Error details: ' + errorDetail); // Also output detailed information to the system log (sys_log) gs.error('Subflow Debug: ' + errorDetail); } // Keep the current screen action.setRedirectURL(current); })(); Testing the Operation! Create an Incident in ServiceNow. Confirm that the Execute data investigation in Elastic AI button appears in the top right. The Short description will be the investigation request sent to the Elastic AI Agent. Save the Incident once, then open it again and execute the button. Confirm that "Executed Subflow" is displayed. Confirm that the Elastic Workflow is executed successfully. Confirm that the results from the Elastic AI Agent are returned to the Incident. Conclusion Before the era of AI Agents, the data returned by such integrations was very limited. Now, AI Agents can perform various analyses and return them in a human-readable format, making them highly effective for incident management.

Read full story →