Splunk® Supported Add-ons

Splunk Add-on for ServiceNow


Enable saved searches for the Splunk Add-on for ServiceNow

The Splunk Add-on for ServiceNow includes preconfigured lookup generation saved searches.

If you are deploying the add-on in a single instance environment, enable all of the saved searches to populate lists of users, servers, locations, and services for use in your Splunk platform deployment.

If you are deploying the add-on in a search head cluster environment, enabling these saved searches produces a large volume of data that affects your system's performance and bundle replication.

Versions 3.0.0 and above of the Splunk Add-on for ServiceNow collect all display values directly from the API at the input phase by default. To revert to the previous behavior of collecting the display values using lookups instead of directly from the API, see the Edit the display values for the ServiceNow API section of Upgrade the Splunk Add-on for ServiceNow.

Lookup generation saved searches

Review and enable the saved searches in Splunk Web or in the configuration files on your search heads.

Search name: ServiceNow Sys User List
  Description: Saved search that populates the sys user of ServiceNow via the snow_sys_user_list_lookup KV Store lookup, and the sys user events that are indexed in the last 2 hours.
  You must also enable the saved search ServiceNow Sys User List - Last 30 days when enabling this saved search.

Search name: ServiceNow Sys User List - Last 30 days
  Description: Saved search that populates the sys user of ServiceNow via the snow_sys_user_list_lookup KV Store lookup, and the sys user events that are available in the last 30 days.

Search name: ServiceNow Sys User Group List
  Description: Saved search that populates the sys user group of ServiceNow via the snow_sys_user_group_list_lookup KV Store lookup.
  This saved search and its associated lookup are deprecated because they rely on display_value=false, which is deprecated as of version 6.3.0.

Search name: ServiceNow CMN Location List
  Description: Saved search that populates the CMN location of ServiceNow via the snow_cmn_location_list_lookup KV Store lookup, and the sys user events that are indexed in the last 2 hours.
  You must also enable the saved search ServiceNow CMN Location List - Last 30 days when enabling this saved search.

Search name: ServiceNow CMN Location List - Last 30 days
  Description: Saved search that populates the CMN location of ServiceNow via the snow_cmn_location_list_lookup KV Store lookup, and the CMN location events that are available in the last 30 days.

Search name: ServiceNow CMDB CI List
  Description: Saved search that populates the CMDB CI of ServiceNow via the snow_cmdb_ci_list_lookup KV Store lookup.
  This saved search and its associated lookup are deprecated because they rely on display_value=false, which is deprecated as of version 6.3.0.

Search name: ServiceNow CMDB CI Server
  Description: Saved search that populates the CMDB CI Servers from ServiceNow via the snow_cmdb_ci_server_lookup KV Store lookup.

Search name: ServiceNow CMDB CI VM
  Description: Saved search that populates the CMDB CI VMs from ServiceNow via the snow_cmdb_ci_vm_lookup KV Store lookup.

Search name: ServiceNow CMDB CI Infra Services
  Description: Saved search that populates the CMDB CI Infra Services from ServiceNow via the snow_cmdb_ci_infra_service_lookup KV Store lookup.

Search name: ServiceNow CMDB CI Database Instances
  Description: Saved search that populates the CMDB CI Database Instances from ServiceNow via the snow_cmdb_ci_db_instance_lookup KV Store lookup.

Search name: ServiceNow CMDB CI App Servers
  Description: Saved search that populates the CMDB CI App Servers from ServiceNow via the snow_cmdb_ci_app_server_lookup KV Store lookup.

Search name: ServiceNow CMDB CI Relation
  Description: Saved search that populates the CMDB CI Relations from ServiceNow via the snow_cmdb_rel_ci_lookup KV Store lookup.

Search name: ServiceNow CMDB CI Services
  Description: Saved search that populates the CMDB CI Services from ServiceNow via the snow_cmdb_ci_service_lookup KV Store lookup.

Search name: ServiceNow Incident State
  Description: Saved search that populates the incident states from ServiceNow via the snow_incident_state_lookup KV Store lookup.
  This saved search and its associated lookup are deprecated because they rely on display_value=false, which is deprecated as of version 6.3.0.

Search name: ServiceNow Sys Choice List
  Description: Saved search that populates the sys choice list from ServiceNow via the snow_sys_choice_list_lookup KV Store lookup.

Change search time interval of saved searches in Splunk Web

By default, all saved searches run over the last 30 days of data. To collect more data, change the search time interval of the saved searches in Splunk Web.

  1. On your search head, navigate to Settings > Searches, reports, and alerts.
  2. Set the app context to Splunk Add-on for ServiceNow.
  3. Click Edit > Edit Search next to the searches you want to change.
  4. Change the Earliest time field with a valid value. For example, to get the last 6 months of data, change the Earliest time field value to -6mon@mon.
  5. Save your changes.

Increasing the search time interval decreases the performance of the saved search.

Change search time interval of saved searches in savedsearches.conf

By default, all saved searches run over the last 30 days of data. To collect more data, change the search time interval of the saved searches in the configuration files.

  1. On your search head, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/, and create a savedsearches.conf file if it does not already exist.
  2. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/default/savedsearches.conf.
  3. Identify the searches whose interval you want to change, and copy their stanzas to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/savedsearches.conf.
  4. In $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/savedsearches.conf, set dispatch.earliest_time to a valid value for each search that you want to change. For example, to get the last 6 months of data, set dispatch.earliest_time to -6mon@mon.
  5. Save your changes.

Increasing the search time interval decreases the performance of the saved search.

Access and enable saved searches in Splunk Web

Access and enable the saved searches in Splunk Web.

  1. On your search head, navigate to Settings > Searches, reports, and alerts.
  2. Set the app context to Splunk Add-on for ServiceNow.
  3. Click Enable next to the searches you want to enable.
  4. Save your changes.

Access and enable saved searches in savedsearches.conf

Access and enable the saved searches in the configuration files.

  1. On your search head, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/, and create a savedsearches.conf file if it does not already exist.
  2. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/default/savedsearches.conf.
  3. Identify the searches that you want to enable, and copy their stanzas to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/savedsearches.conf.
  4. In $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/savedsearches.conf, change disabled = 1 to disabled = 0 for each search that you want to enable.
  5. Save your changes.
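As an added example (not taken from the Splunk documentation or the add-on itself), this is the local savedsearches.conf override that the two configuration-file procedures above produce for one pair of searches. It assumes the stanza names match the search names listed in the table; the 2-hour search is enabled together with its Last 30 days counterpart, as the table requires, and the 30-day search is widened to 6 months.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/savedsearches.conf
# Added example: stanza names are assumed to equal the search names in the
# table above. Only the keys being overridden appear here; every other key is
# inherited from default/savedsearches.conf, which is never edited directly.

[ServiceNow Sys User List]
# default/savedsearches.conf ships this as disabled = 1; 0 enables it.
disabled = 0

[ServiceNow Sys User List - Last 30 days]
# The table requires this search whenever the 2-hour search above is enabled.
disabled = 0
# Widen the window from the default 30 days to the last 6 months, snapped to
# the start of the month. A wider window makes the saved search slower.
dispatch.earliest_time = -6mon@mon
```

On a search head cluster, place this file under the app on the deployer and push it with the cluster bundle rather than editing each member; the performance and bundle replication warning at the top of this topic applies to the resulting lookups.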

Migrating from CSV lookups to KV store lookups

  1. Disable the saved searches from Splunk Web on the search head.
  2. Run the following SPL queries from your search heads to migrate the existing CSV lookup data to the KV Store:
    1. | inputlookup snow_incident_states.csv | outputlookup snow_incident_state_lookup
    2. | inputlookup snow_sys_user_group_list.csv | outputlookup snow_sys_user_group_list_lookup
    3. | inputlookup snow_sys_user_list.csv | outputlookup snow_sys_user_list_lookup
    4. | inputlookup snow_cmdb_ci_list.csv | outputlookup snow_cmdb_ci_list_lookup
    5. | inputlookup snow_cmn_location_list.csv | outputlookup snow_cmn_location_list_lookup
    6. | inputlookup snow_cmdb_ci_services.csv | outputlookup snow_cmdb_ci_service_lookup
    7. | inputlookup snow_cmdb_rel_ci.csv | outputlookup snow_cmdb_rel_ci_lookup
    8. | inputlookup snow_cmdb_ci_servers.csv | outputlookup snow_cmdb_ci_server_lookup
    9. | inputlookup snow_cmdb_ci_vms.csv | outputlookup snow_cmdb_ci_vm_lookup
    10. | inputlookup snow_cmdb_ci_infra_services.csv | outputlookup snow_cmdb_ci_infra_service_lookup
    11. | inputlookup snow_cmdb_ci_db_instances.csv | outputlookup snow_cmdb_ci_db_instance_lookup
    12. | inputlookup snow_cmdb_ci_app_servers.csv | outputlookup snow_cmdb_ci_app_server_lookup
    13. | inputlookup snow_sys_choice_list.csv | outputlookup snow_sys_choice_list_lookup
  3. Enable the saved searches from Splunk Web on the search head.

Last modified on 12 December, 2023