Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Configure ServiceNow to integrate with the Splunk platform

Integrate ServiceNow with your Splunk platform instances to enable users to create incidents and events in ServiceNow using:

  • Custom generating search commands
  • Custom streaming search commands
  • Alert-triggered scripts

Your integration method depends on the version and deployment of your ServiceNow instance:

Version | ServiceNow deployment | Instructions
Quebec, Rome, San Diego, Tokyo, and Utah | ServiceNow in the cloud | Apply the integration application
Quebec, Rome, San Diego, Tokyo, and Utah | ServiceNow bare metal installation on-premises | Use an update set

If you want to perform push integration with the ServiceNow Event table, you must have the Event Management plugin installed and enabled before you proceed. See Hardware and software requirements for details about which features require this additional plugin.

See custom generating search commands, custom streaming search commands, and alert-triggered scripts to learn more about integrating ServiceNow with your Splunk platform instances.

Apply the integration application

Download the Splunk Integration application from the ServiceNow app store and configure it.

  1. Navigate to the ServiceNow app store and search for the Splunk Integration application (reference).
  2. Download the Splunk Integration application.
  3. Deploy the Splunk Integration application on your ServiceNow instance.
  4. Log in to your ServiceNow instance as an administrator.
  5. Create the service account with the same user name you defined in the add-on setup. For example, splunk_user.
  6. Assign the user the role of x_splu2_splunk_ser.Splunk.
  7. (Optional) If you want to use the deprecated syslog table input, create an additional access control rule granting read-only access to the syslog log entry.
  8. (Optional) In the Requires Role section, enter x_splu2_splunk_ser.Splunk. This grants your user read-only access to the syslog database table, which is otherwise only readable by administrators.
  9. (Optional) Repeat steps 7 and 8 for sys_audit, sys_audit_delete, sysevent and syslog_transaction tables.
  10. (Optional) If you want to use the sys_choice table input, update the table's "sys_choice.*" access control by adding the x_splu2_splunk_ser.Splunk role in the Requires Role section.
  11. (Optional) Repeat steps 7 and 8 for any additional database tables that you want to index.

Use an update set

To get the update set XML files, contact the ServiceNow support team, then follow the instructions below.

Install the file that matches your version on your ServiceNow instance

  1. Log in to your ServiceNow instance as an administrator.
  2. Navigate to User Administration to temporarily add the security_admin role to your user.
  3. Navigate to System Update Sets.
  4. Follow the instructions in the ServiceNow documentation to apply the Update Set. See Save an update set as a local XML file and Transferring Update Sets for detailed instructions.

    If you see the error "Could not find a record in sys_report referenced in this update", you can ignore it.

  5. Create the service account with the same user name you defined in the add-on setup. For example, splunk_user.
  6. Assign the user the Splunk role. This grants the itil role.
  7. (Optional) To use the deprecated syslog table input, create an additional access control rule granting read-only access to the syslog log entry.
  8. (Optional) In the Requires Role section, enter Splunk. This grants your user read-only access to the syslog database table, which is otherwise only readable by administrators.
  9. Repeat steps 7 and 8 for any additional database tables that you want to index.

Configure ServiceNow to collect data using the OAuth authentication mechanism

Configure the Application Registry on your ServiceNow instance to use OAuth 2.0 authentication.

  1. Obtain your Splunk platform deployment's redirect URL.
    1. When you add an account in the Splunk Add-on for ServiceNow, choose OAuth 2.0 authentication as your authentication type. The redirect URL appears.
    2. Copy the redirect URL. It needs to be pasted into your ServiceNow Application Registry.
  2. Log in to your ServiceNow instance, using the ServiceNow UI.
  3. Navigate to System OAuth > Application Registry.
  4. Click New.
  5. Navigate to the interceptor page, and click Create an OAuth API endpoint for external clients.
  6. Fill in the form.
    1. Enter a unique Name.
    2. In the Redirect URL field, paste your redirect URL.
    3. Set the Refresh Token Lifespan parameter as high as possible so that the refresh token does not expire. Once the refresh token expires, you have to reconfigure the account.
    4. Verify that the PKCE Required function is disabled.
  7. Click Submit.

The following OAuth 2.0 roles are required for the ServiceNow User:

  • itil
  • oauth_user
  • oauth_admin
  • rest_api_explorer
  • rest_service
  • x_splu2_splunk_ser.Splunk
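
One way to check the service account against the role list above, as an added example that is not part of the Splunk documentation or the add-on's code. It builds a ServiceNow Table API query on sys_user_has_role and audits the JSON it returns; the instance name, the dot-walked "role.name" response key, the ELEVATED_ROLES set, and the sample response are assumptions made for this example.

```python
import json
from urllib.parse import urlencode

# Roles the page lists as required for the ServiceNow user with OAuth 2.0.
REQUIRED_ROLES = frozenset({
    "itil", "oauth_user", "oauth_admin",
    "rest_api_explorer", "rest_service", "x_splu2_splunk_ser.Splunk",
})
# Assumption of this example: roles that should not sit on an integration
# account. The page adds security_admin only temporarily, to the admin user.
ELEVATED_ROLES = frozenset({"admin", "security_admin"})


def role_query_url(instance, user_name):
    """Table API URL that lists the roles held by user_name."""
    params = urlencode({
        "sysparm_query": f"user.user_name={user_name}",
        "sysparm_fields": "role.name",
    })
    return f"https://{instance}/api/now/table/sys_user_has_role?{params}"


def audit_roles(response_body, required=REQUIRED_ROLES):
    """Return (missing, elevated, other) role sets from a Table API response."""
    rows = json.loads(response_body).get("result", [])
    held = {row["role.name"] for row in rows if row.get("role.name")}
    missing = set(required) - held        # required but not assigned
    elevated = held & ELEVATED_ROLES      # assigned but over-privileged
    other = held - set(required) - ELEVATED_ROLES
    return missing, elevated, other


# Constructed sample response for splunk_user, not output from a real instance.
SAMPLE = json.dumps({"result": [
    {"role.name": "itil"},
    {"role.name": "oauth_user"},
    {"role.name": "rest_service"},
    {"role.name": "x_splu2_splunk_ser.Splunk"},
    {"role.name": "security_admin"},
    {"role.name": "snc_internal"},
]})

if __name__ == "__main__":
    print(role_query_url("example.service-now.com", "splunk_user"))
    missing, elevated, other = audit_roles(SAMPLE)
    print("missing:", sorted(missing))
    print("elevated:", sorted(elevated))
    print("other:", sorted(other))
```

For an instance set up from the update set, pass a required set that names the Splunk role instead of x_splu2_splunk_ser.Splunk.
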
Last modified on 12 December, 2023

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

