Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Configure inputs for the Splunk Add-on for ServiceNow

After you set up the Splunk Add-on for ServiceNow, configure your inputs to collect data. Configure inputs on your data collection node, usually a heavy forwarder.

  1. In the Splunk Add-on for ServiceNow, click the Inputs tab.
  2. Click Create New Input.
  3. In the Add Inputs box, complete the following fields:
    | Field | Description | Expected value |
    |---|---|---|
    | Input Name | Enter a unique name for the input. | Input Name must begin with a letter and consist exclusively of alphanumeric characters and underscores. Maximum length allowed is 150 characters. |
    | Account | Enter your ServiceNow account name. | |
    | Collection interval | The data collection interval, in seconds. | Collection interval must be a non-zero integer. |
    | Table to collect data from | Select a ServiceNow table from the list or enter a new custom table in the search box. | |
    | Included properties | Enter comma-separated fields from the database table to include. You can either include or exclude properties for an input but not both. | Field(s) in the Included properties can contain characters in range of a to z (case sensitive), ., $ and digits. |
    | Excluded properties | Enter comma-separated fields from the database table to exclude. | Field(s) in the Excluded properties can contain characters in range of a to z (case sensitive), ., $ and digits. |
    | Time field of the table | The time field to use for checkpoint creation. The default is sys_updated_on. | |
    | Use existing data input? | This field only displays if the add-on finds an existing checkpoint for the given input name. If "Yes" is selected, the add-on collects from that checkpoint. If "No" is selected, the add-on resets data collection and starts from either the provided start date or the default start date. | |
    | Start date | The date that the Splunk software starts collecting data from the database table. Default is one week ago. | Start date value must be in UTC "YYYY-MM-DD hh:mm:ss" format. |
    | ID field | Field which uniquely identifies each row in this table. Default is 'sys_id'. | |
    | Filter parameters | Enter filters, in key-value pairs for indexing selected data from the table. All the operators mentioned in the ServiceNow documentation are allowed. For example, name=Application1^company=MyCompany, name=Application1^companySTARTSWITHMyCompany^ORcompany=SomeOtherCompany, and short_descriptionLIKESAP^ORcaller_idENDSWITHliffe. By default, there is no filter. | The Logical OR operation ("^OR") will be sequentially performed before the Logical AND operation ("^"). If you are upgrading from add-on version 7.1.1 or earlier, then the old way of mentioning Logical AND ("&") and the Logical OR ("\|") in the filter parameter will automatically be migrated as per the ServiceNow syntax. |
    | Index | The index that stores the events collected from this input. The default index is main. | Index names must begin with a letter or a number and can only contain letters, numbers, underscores, or hyphens. The maximum length allowed is 80 characters. |
  4. Click Save.
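
The precedence rule in the Filter parameters row (every "^OR" group is resolved before the "^" ANDs are applied) can be checked against sample rows before an input is saved. The following Python is an added example, not code from the add-on or from this documentation; the function names, the sample rows, and the '&' and '|' mapping in migrate_legacy are assumptions for illustration.

```python
import re

# Covers only the operators used in the page's examples; other ServiceNow
# operators (for example ^NQ or ORDERBY) are out of scope for this sketch.
_COND = re.compile(r"([a-z0-9_.$]+)(STARTSWITH|ENDSWITH|LIKE|=)(.*)")
_TESTS = {
    "=": lambda have, want: have == want,
    "LIKE": lambda have, want: want in have,
    "STARTSWITH": str.startswith,
    "ENDSWITH": str.endswith,
}

def migrate_legacy(query):
    """Assumed mapping for old-style filters: '&' becomes '^', '|' becomes '^OR'."""
    return query.replace("&", "^").replace("|", "^OR")

def group_filter(query):
    """Return AND-of-OR groups: [[a, b], [c]] means (a OR b) AND c."""
    if not query:
        return []  # default: no filter
    groups = []
    # A "^" not followed by "OR" separates AND terms; "^OR" joins alternatives,
    # so every OR group is resolved before the ANDs are applied.
    for term in re.split(r"\^(?!OR)", query):
        group = []
        for cond in term.split("^OR"):
            m = _COND.fullmatch(cond)
            if m is None:
                raise ValueError(f"unparseable condition: {cond!r}")
            group.append(m.groups())
        groups.append(group)
    return groups

def matches(record, query):
    """True if a record (dict of field -> string) passes the filter."""
    return all(
        any(_TESTS[op](str(record.get(field, "")), value) for field, op, value in group)
        for group in group_filter(query)
    )

# Constructed sample rows, not real ServiceNow data.
SAMPLE = [
    {"name": "Application1", "company": "SomeOtherCompany"},
    {"name": "Application2", "company": "SomeOtherCompany"},
    {"name": "Application1", "company": "Unrelated"},
]
QUERY = "name=Application1^companySTARTSWITHMyCompany^ORcompany=SomeOtherCompany"

if __name__ == "__main__":
    for row in SAMPLE:
        print(matches(row, QUERY), row)
```

The second sample row is the one to watch: it matches the trailing company condition, but because the two company conditions form a single OR group that is then ANDed with the name condition, it is not selected.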

Table Name and Time Field Mapping

To set up the Splunk Add-on for ServiceNow, you must set the time field for each table name. The add-on creates a checkpoint based on the time field every time the REST API is called to collect data. This ensures that data collection resumes from the last recorded timestamp. You can set the Time field of the table parameter on the Inputs page, or modify the timefield parameter of specific stanzas in your local inputs.conf file. See the following table for some of the common table and time field correspondences:

| Table Name | Time Field |
|---|---|
| incident | sys_updated_on |
| problem | sys_updated_on |
| em_event | time_of_event |
| sys_user_group | sys_updated_on |
| sys_user | sys_updated_on |
| change_task | sys_updated_on |
| change_request | sys_updated_on |
| cmn_location | sys_updated_on |
| cmdb | sys_updated_on |
| cmdb_ci | sys_updated_on |
| cmdb_ci_server | sys_updated_on |
| cmdb_ci_vm | sys_updated_on |
| cmdb_ci_infra_service | sys_updated_on |
| cmdb_ci_db_instance | sys_updated_on |
| cmdb_ci_app_server | sys_updated_on |
| cmdb_ci_service | sys_updated_on |
| cmdb_rel_ci | sys_updated_on |
| sys_choice | sys_updated_on |
| sysevent | sys_created_on |
| syslog | sys_created_on |
| syslog_transaction | sys_created_on |
| sys_audit | sys_created_on |
| sys_audit_delete | sys_updated_on |

Last modified on 30 April, 2024