Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Configure inputs for the Splunk Add-on for ServiceNow

After you set up the Splunk Add-on for ServiceNow, configure your inputs to collect data. Configure inputs on your data collection node, usually a heavy forwarder.

  1. In the Splunk Add-on for ServiceNow, click the Inputs tab.
  2. Click Create New Input.
  3. In the Add Inputs box, complete the following fields:
    Field Description
    Input Name Enter a unique name for the input.
    Account Enter your ServiceNow account name.
    Collection interval The data collection interval, in seconds.
    Table to collect data from Select a ServiceNow table from the list or enter a new custom table in the search box.
    Included properties Enter comma-separated fields from the database table to include. You can either include or exclude properties for an input but not both.
    Excluded properties Enter comma-separated fields from the database table to exclude.
    Time field of the table The time field to use for checkpoint creation. The default is sys_updated_on.
    Use existing data input? This field only displays if the add-on finds an existing checkpoint for the given input name. If "Yes" is selected, the add-on collects from that checkpoint. If "No" is selected, the add-on resets data collection and starts from either the provided start date or the default start date.
    Start date The date that the Splunk software starts collecting data from the database table, in UTC "YYYY-MM-DD hh:mm:ss" format. Default is one year ago.
    ID field Field which uniquely identifies each row in this table. Default is 'sys_id'.
    Filter parameters Enter filters, in key-value pairs for indexing selected data from the table. Only two operators, the Logical AND ("&") and the Logical OR ("|") are allowed. For example, name=Application1&company=MyCompany name=Application1&company=MyCompany|company=SomeOtherCompany. By default, there is no filter.

    The Logical OR operation ("|") will be sequentially performed before the Logical AND operation ("&").

    Index The index that stores the events collected from this input. The default index is main.
  4. Click Save.

Table Name and Time Field Mapping

To set up the Splunk Add-on for ServiceNow, you must set the time field for each table name. The add-on creates a checkpoint based on time field every time the REST API is called to collect data. This ensures that data collection resumes from the timestamp last recorded. You can set the Time field of the table parameter on the Inputs page, or modify the timefield parameter of specific stanzas in your local inputs.conf file. See the following table for table and time field correspondences:

Table Name Time Field
incident sys_updated_on
problem sys_updated_on
em_event time_of_event
sys_user_group sys_updated_on
sys_user sys_updated_on
change_task sys_updated_on
change_request sys_updated_on
cmn_location sys_updated_on
cmdb sys_updated_on
cmdb_ci sys_updated_on
cmdb_ci_server sys_updated_on
cmdb_ci_vm sys_updated_on
cmdb_ci_infra_service sys_updated_on
cmdb_ci_db_instance sys_updated_on
cmdb_ci_app_server sys_updated_on
cmdb_ci_service sys_updated_on
cmdb_rel_ci sys_updated_on
sys_choice sys_updated_on
sysevent sys_created_on
syslog sys_created_on
syslog_transaction sys_created_on
sys_audit sys_created_on
sys_audit_delete sys_updated_on
Last modified on 11 March, 2021
Set up the Splunk Add-on for ServiceNow
Enable saved searches for the Splunk Add-on for ServiceNow

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters