Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Configure ServiceNow to integrate with the Splunk platform

If you want to enable users to create incidents and events in ServiceNow using the custom generating search commands, custom streaming search commands, or alert-triggered scripts, integrate ServiceNow with your Splunk platform instances. The way you perform this integration depends on the version and deployment of your ServiceNow instance.

Follow the guide that matches your version and deployment of ServiceNow.

| Version | ServiceNow deployment | Instructions |
|---|---|---|
| Kingston, London and Madrid | ServiceNow in the cloud | Apply the integration application |
| Kingston, London and Madrid | ServiceNow bare metal installation on-premises | Use an update set |

If you want to perform push integration with the ServiceNow Event table, you must have the Event Management plugin installed and enabled before you proceed. See Hardware and software requirements for details about which features require this additional plugin.

To learn more about integrating ServiceNow with your Splunk platform instances, see custom generating search commands, custom streaming search commands, and alert-triggered scripts.

Apply the integration application

Download the Splunk Integration application from the ServiceNow app store and configure it.

  1. Navigate to the ServiceNow app store and search for the Splunk Integration application.
  2. Download the Splunk Integration application.
  3. Deploy the Splunk Integration application on your ServiceNow instance.
  4. Log in to your ServiceNow instance as an administrator.
  5. Create the service account with the same user name you defined in the add-on setup. For example, splunk_user.
  6. Assign the user the role of x_splu2_splunk_ser.Splunk.
  7. (Optional) If you want to use the deprecated syslog table input, create an additional access control rule granting read-only access to the syslog log entry.
  8. (Optional) In the Requires Role section, enter x_splu2_splunk_ser.Splunk. This grants your user read-only access to the syslog database table, which is otherwise only readable by administrators.
  9. (Optional) Repeat steps 7 and 8 for sys_audit, sys_audit_delete, sysevent and syslog_transaction tables.
  10. (Optional) If you want to use the sys_choice table input, update the "sys_choice.*" access control of the table by adding the x_splu2_splunk_ser.Splunk role in the Requires Role section.
  11. (Optional) Repeat steps 7 and 8 for any additional database tables that you want to index.

Use an update set

To get the update set XML files, contact the ServiceNow support team, then follow the instructions below.

Install the file that matches your version on your ServiceNow instance

  1. Log in to your ServiceNow instance as an administrator.
  2. Navigate to User Administration to temporarily elevate your privileges to include the security_admin role.
  3. Navigate to System Update Sets.
  4. Follow the instructions in the ServiceNow documentation to apply the Update Set. See Saving Customizations in a Single XML file and Transferring Update Sets for detailed instructions.

    If you see the error "Could not find a record in sys_report referenced in this update", you can ignore it.

  5. Create the service account with the same user name you defined in the add-on setup. For example, splunk_user.
  6. Assign the user the role of Splunk. Applying the Splunk role grants the itil role.
  7. (Optional) If you want to use the deprecated syslog table input, create an additional access control rule granting read-only access to the syslog log entry.
  8. (Optional) In the Requires Role section, enter Splunk. This grants your user read-only access to the syslog database table, which is otherwise only readable by administrators.
  9. Repeat steps 7 and 8 for any additional database tables that you want to index.
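
After either procedure, it is worth confirming that the service account holds only the roles these steps assign. The following is an added example, not part of the Splunk documentation or the add-on: a least-privilege check over rows exported from the sys_user_has_role table. The row keys ("user.user_name", "role.name") and the sample data are assumptions constructed for illustration.

```python
# Added example: least-privilege audit of the Splunk service account's roles.
# Assumption: `rows` were exported from the sys_user_has_role table with the
# dot-walked fields user.user_name and role.name (for example via the
# ServiceNow Table API); adjust the two key names to match your export.

USER_KEY = "user.user_name"
ROLE_KEY = "role.name"

# Roles each procedure on this page is expected to leave on the account.
EXPECTED = {
    "app": {"x_splu2_splunk_ser.Splunk"},   # integration application
    "update_set": {"Splunk", "itil"},       # the Splunk role also grants itil
}

# Roles that should not sit on the integration account. The update-set
# procedure elevates the administrator to security_admin, not the service user.
PRIVILEGED = {"admin", "security_admin"}


def audit_roles(rows, user, deployment):
    """Return (missing, unexpected, privileged) role sets for `user`."""
    held = {r.get(ROLE_KEY, "") for r in rows if r.get(USER_KEY) == user}
    held.discard("")                        # ignore rows with no role name
    expected = EXPECTED[deployment]
    return expected - held, held - expected, held & PRIVILEGED


# Constructed sample rows (not real data).
SAMPLE_ROWS = [
    {USER_KEY: "splunk_user", ROLE_KEY: "x_splu2_splunk_ser.Splunk"},
    {USER_KEY: "splunk_user", ROLE_KEY: "security_admin"},
    {USER_KEY: "other_user", ROLE_KEY: "admin"},
]

if __name__ == "__main__":
    missing, unexpected, privileged = audit_roles(
        SAMPLE_ROWS, "splunk_user", "app")
    print("missing roles:    ", sorted(missing))
    print("unexpected roles: ", sorted(unexpected))
    print("privileged roles: ", sorted(privileged))
```

Roles reported as unexpected are not necessarily wrong, since a role can contain other roles, but each one should be explained before the account is used for data collection.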

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

Hi Raja8220,

Unfortunately, the latest version of the Splunk Add-on for ServiceNow does not support ServiceNow's New York release.

Nkaplan splunk, Splunker
October 3, 2019

If I update my ServiceNow to the New York version, then will the Splunk plugin work or do I need to make any changes?

Raja8220
October 3, 2019

Jason,

This add-on is compatible with Splunk 6.6+. If you look at the right side of the add-on in Splunkbase, it has all the supported versions. https://splunkbase.splunk.com/app/1928/

Adobrzeniecki splunk, Splunker
July 2, 2019

Hi

Is the latest servicenow addin compatible with version 6 of Splunk?

Thanks
Jason

Jaywaugh
July 2, 2019

The latest release of the Splunk add-on for ServiceNow supports the Kingston, London, and Madrid releases of ServiceNow.

Nkaplan splunk, Splunker
July 1, 2019

Hi FraserC1,

We do not currently have a timeline for an updated version of this add-on that will support the London or Madrid releases of ServiceNow.

Nkaplan splunk, Splunker
May 29, 2019

Do you know when this will be compatible with the London release?

FraserC1
May 29, 2019

Hi Yorokobi,

The current (3.1.0) release of the Splunk Add-on for ServiceNow does not support the London or Madrid versions of ServiceNow.

Nkaplan splunk, Splunker
May 3, 2019

There are several releases of Service Now subsequent to Kingston. Is the TA compatible with the newer versions (London and Madrid)? If yes, please update the list of compatible Service Now versions.

Yorokobi
May 3, 2019
