Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Configure inputs for the Splunk Add-on for ServiceNow

After you set up the Splunk Add-on for ServiceNow, configure your inputs to collect data. Configure inputs on your data collection node, usually a heavy forwarder.

  1. In the Splunk Add-on for ServiceNow, click the Inputs tab.
  2. Click Create New Input.
  3. In the Add Inputs box, complete the following fields:
    | Field | Description |
    |---|---|
    | Input Name | Enter a unique name for the input. |
    | Account | Enter your ServiceNow account name. |
    | Collection interval | The data collection interval, in seconds. |
    | Table to collect data from | Select a ServiceNow table from the list or enter a new custom table in the search box. |
    | Excluded properties | Enter comma-separated fields from the database table to exclude. |
    | Time field of the table | The time field to use for checkpoint creation. The default is sys_updated_on. |
    | Use existing data input? | This field only displays if the add-on finds an existing checkpoint for the given input name. If "Yes" is selected, the add-on collects from that checkpoint. If "No" is selected, the add-on resets data collection and starts from either the provided start date or the default start date. |
    | Start date | The date that the Splunk software starts collecting data from the database table, in UTC "YYYY-MM-DD hh:mm:ss" format. Default is one year ago. |
    | ID field | Field which uniquely identifies each row in this table. Default is 'sys_id'. |
    | Filter parameters | Enter filters, in key-value pairs for indexing selected data from the table. For example, key1=value1&key2=value2. By default, there is no filter. |
    | Index | The index that stores the events collected from this input. The default index is main. |
  4. Click Save.

Table Name and Time Field Mapping

To set up the Splunk Add-on for ServiceNow, you must set the time field for each table name. The add-on creates a checkpoint based on the time field every time the REST API is called to collect data. This ensures that data collection resumes from the last recorded timestamp. You can set the Time field of the table parameter on the Inputs page, or modify the timefield parameter of specific stanzas in your local inputs.conf file. See the following table for table and time field correspondences:

| Table Name | Time Field |
|---|---|
| incident | sys_updated_on |
| problem | sys_updated_on |
| em_event | time_of_event |
| sys_user_group | sys_updated_on |
| sys_user | sys_updated_on |
| change_task | sys_updated_on |
| change_request | sys_updated_on |
| cmn_location | sys_updated_on |
| cmdb | sys_updated_on |
| cmdb_ci | sys_updated_on |
| cmdb_ci_server | sys_updated_on |
| cmdb_ci_vm | sys_updated_on |
| cmdb_ci_infra_service | sys_updated_on |
| cmdb_ci_db_instance | sys_updated_on |
| cmdb_ci_app_server | sys_updated_on |
| cmdb_ci_service | sys_updated_on |
| cmdb_rel_ci | sys_updated_on |
| sys_choice | sys_updated_on |
| sysevent | sys_created_on |
| syslog | sys_created_on |
| syslog_transaction | sys_created_on |
| sys_audit | sys_created_on |
| sys_audit_delete | sys_updated_on |
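
The following is an added example, not code from the add-on or from Splunk: a simplified model of checkpoint-based collection that shows how the choice of time field determines which rows a checkpoint picks up, and how the ID field identifies repeated versions of one row. The sample rows, the function names, and the strictly-later-than comparison are assumptions made for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"  # UTC format the page gives for Start date

def ts(value):
    return datetime.strptime(value, FMT)

def collect(rows, timefield, checkpoint):
    """One poll: rows whose timefield is later than the checkpoint, oldest first.

    Simplified model (assumption): the new checkpoint is the latest timestamp seen.
    """
    fresh = sorted((r for r in rows if ts(r[timefield]) > ts(checkpoint)),
                   key=lambda r: ts(r[timefield]))
    return fresh, (fresh[-1][timefield] if fresh else checkpoint)

# Constructed sample data: the incident table as seen at two successive polls.
POLL_1 = [
    {"sys_id": "a1", "state": "New",
     "sys_created_on": "2024-01-01 10:00:00", "sys_updated_on": "2024-01-01 10:00:00"},
]
POLL_2 = [
    # a1 was resolved after the first poll; only sys_updated_on moved.
    {"sys_id": "a1", "state": "Resolved",
     "sys_created_on": "2024-01-01 10:00:00", "sys_updated_on": "2024-01-01 12:00:00"},
    {"sys_id": "b2", "state": "New",
     "sys_created_on": "2024-01-01 11:00:00", "sys_updated_on": "2024-01-01 11:00:00"},
]

def run(timefield, start="2024-01-01 00:00:00"):
    """Run both polls with one checkpoint; return collected (sys_id, state) pairs
    and the final checkpoint."""
    checkpoint, seen = start, []
    for snapshot in (POLL_1, POLL_2):
        events, checkpoint = collect(snapshot, timefield, checkpoint)
        seen += [(e["sys_id"], e["state"]) for e in events]
    return seen, checkpoint

def latest_by_id(seen):
    """Collapse repeated versions of a row to the last one collected (keyed on sys_id)."""
    return dict(seen)

if __name__ == "__main__":
    for field in ("sys_updated_on", "sys_created_on"):
        seen, checkpoint = run(field)
        print(field, seen, "checkpoint:", checkpoint, "latest:", latest_by_id(seen))
```

In this model, checkpointing the constructed incident rows on sys_created_on never collects the update that resolved a1, while sys_updated_on collects both versions and the ID field collapses them to the current one.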

This documentation applies to the following versions of Splunk® Supported Add-ons: released

