Configure ServiceNow to integrate with the Splunk platform
Integrate ServiceNow with your Splunk platform instances to enable users to create incidents and events in ServiceNow using:
- Custom generating search commands
- Custom streaming search commands
- Alert-triggered scripts
Your integration method depends on the version and deployment of your ServiceNow instance:
Version | ServiceNow deployment | Instructions |
---|---|---|
Quebec, Rome, San Diego, Tokyo, Utah, Vancouver, Washington DC, and Xanadu | ServiceNow in the cloud | Apply the integration application |
Quebec, Rome, San Diego, Tokyo, Utah, Vancouver, Washington DC, and Xanadu | ServiceNow bare metal installation on-premises | Use an update set |
If you want to perform push integration with the ServiceNow Event table, you must have the Event Management plugin installed and enabled before you proceed. See Hardware and software requirements for details about which features require this additional plugin.
See custom generating search commands, custom streaming search commands, and alert-triggered scripts to learn more about integrating ServiceNow with your Splunk platform instances.
Apply the integration application
Download the Splunk Integration application from the ServiceNow app store and configure it.
- Navigate to the ServiceNow app store and search for the Splunk Integration application (reference).
- Download the Splunk Integration application.
- Deploy the Splunk Integration application on your ServiceNow instance.
- Log in to your ServiceNow instance as an administrator.
- Create the service account with the same user name you defined in the add-on setup. For example, `splunk_user`.
- Assign the user the role of `x_splu2_splunk_ser.Splunk`.
- (Optional) If you want to use the deprecated syslog table input, create an additional access control rule granting read-only access to the syslog log entry.
- (Optional) In the Requires Role section, enter `x_splu2_splunk_ser.Splunk`. This grants your user read-only access to the syslog database table, which is otherwise only readable by administrators.
- (Optional) Repeat steps 7 and 8 for the `sys_audit`, `sys_audit_delete`, `sysevent` and `syslog_transaction` tables.
- (Optional) If you want to use the `sys_choice` table input, update the "sys_choice.*" access control of the table by adding the `x_splu2_splunk_ser.Splunk` role in the Requires Role section.
- (Optional) Repeat steps 7 and 8 for any additional database tables that you want to index.
Use an update set
To get the update set XML files, contact the ServiceNow support team, then follow the instructions below.
Install the file that matches your version on your ServiceNow instance
- Log in to your ServiceNow instance as an administrator.
- Navigate to User Administration to temporarily add the `security_admin` role to your user.
- Navigate to System Update Sets.
- Follow the instructions in the ServiceNow documentation to apply the Update Set. See Save an update set as a local XML file and Transferring Update Sets for detailed instructions.
If you see the error "Could not find a record in sys_report referenced in this update", you can ignore it.
- Create the service account with the same user name you defined in the add-on setup. For example, `splunk_user`.
- Assign the user the `Splunk` role. This grants the `itil` role.
- (Optional) To use the deprecated syslog table input, create an additional access control rule granting read-only access to the syslog log entry.
- (Optional) In the Requires Role section, enter `Splunk`. This grants your user read-only access to the syslog database table, which is otherwise only readable by administrators.
- Repeat steps 7 and 8 for any additional database tables that you want to index.
Configure ServiceNow to collect data using the OAuth authentication mechanism
Configure the Application Registry on your ServiceNow instance to use OAuth 2.0 authentication.
- Obtain your Splunk platform deployment's redirect URL.
- When you add an account in the Splunk Add-on for ServiceNow, choose OAuth 2.0 authentication as your authentication type. The redirect URL appears.
- Copy the redirect URL. It needs to be pasted into your ServiceNow Application Registry.
- Log in to your ServiceNow instance, using the ServiceNow UI.
- Navigate to System OAuth > Application Registry.
- Click New.
- Navigate to the interceptor page, and click Create an OAuth API endpoint for external clients.
- Fill in the form.
- Enter a unique Name.
- In the Redirect URL field, paste your redirect URL.
- Set the Refresh Token Lifespan parameter as high as possible so that the refresh token does not expire. Once the refresh token expires, you have to reconfigure the account.
- Verify that the PKCE Required function is disabled.
- Click Submit.
The following OAuth 2.0 roles are required for the ServiceNow User:
- itil
- oauth_user
- oauth_admin
- rest_api_explorer
- rest_service
- x_splu2_splunk_ser.Splunk
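One way to confirm that the service account holds the roles listed above, as an added example that is not part of the Splunk or ServiceNow documentation: it queries the `sys_user_has_role` table through the ServiceNow Table API and reports which required roles are missing. The instance URL, the auditing account that runs the query, and the sample response are assumptions constructed for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

# Roles this page lists as required for the ServiceNow user with OAuth 2.0.
REQUIRED_ROLES = {
    "itil", "oauth_user", "oauth_admin",
    "rest_api_explorer", "rest_service", "x_splu2_splunk_ser.Splunk",
}

def role_query_url(instance_url, user_name):
    """Table API URL that lists the role names assigned to user_name."""
    params = urllib.parse.urlencode({
        "sysparm_query": f"user.user_name={user_name}",
        "sysparm_fields": "role.name",  # dot-walk to the role's name
    })
    return f"{instance_url.rstrip('/')}/api/now/table/sys_user_has_role?{params}"

def fetch_roles(instance_url, user_name, auditor, password):
    """Run the query as an account assumed able to read sys_user_has_role."""
    token = base64.b64encode(f"{auditor}:{password}".encode()).decode()
    req = urllib.request.Request(
        role_query_url(instance_url, user_name),
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def missing_roles(payload, required=REQUIRED_ROLES):
    """Return the required roles that are absent from a Table API response."""
    held = {row.get("role.name", "") for row in payload.get("result", [])}
    return sorted(required - held)

# Constructed sample response: the account lacks two of the required roles.
SAMPLE = {"result": [{"role.name": r} for r in
          ("itil", "oauth_user", "rest_service", "x_splu2_splunk_ser.Splunk")]}

if __name__ == "__main__":
    # Hypothetical instance URL; splunk_user is the page's example account name.
    print(role_query_url("https://example.service-now.com", "splunk_user"))
    print("missing:", missing_roles(SAMPLE))
```

Against a live instance, pass the result of `fetch_roles(...)` to `missing_roles` in place of `SAMPLE`.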
This documentation applies to the following versions of Splunk® Supported Add-ons: released, released