Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Download manual as PDF

Download topic as PDF

Enable saved searches for the Splunk Add-on for ServiceNow

The Splunk Add-on for ServiceNow includes preconfigured lookup generation saved searches.

If you are deploying the add-on in a single instance environment, enable all of the saved searches to populate lists of users, servers, locations, and services for use in your Splunk platform deployment.

If you are deploying the add-on in a search head cluster environment, enabling these saved searches produces a large volume of data that affects your system's performance, as well as bundle replication.

Versions 3.0.0 and above of the Splunk Add-on for ServiceNow, by default, collects all display values directly from the API at the input phase. To revert to the previous behavior of collecting the display values using lookups and not directly from the API, see the Edit the display values for the ServiceNow API section of Upgrade the Splunk Add-on for ServiceNow.

Lookup generation saved searches

Review and enable the saved searches in Splunk Web or in the configuration files on your search heads.

Search name Description
ServiceNow Sys User List Saved search that populates the sys user of ServiceNow via the Sys User List lookup file.
ServiceNow Sys User Group List Saved search that populates the sys user group of ServiceNow via the Sys User Group List lookup file.
ServiceNow CNM Location List Saved search that populates the CMN location of ServiceNow via the CMN Location List lookup file.
ServiceNow CMDB CI List Saved search that populates the CMDB CI of ServiceNow via the CMDB CI List lookup file.
ServiceNow CMDB CI Server Saved search that populates the CMDB CI Servers from ServiceNowvia the CMDB CI Servers lookup file.
ServiceNow CMDB CI VM Saved search that populates the CMDB CI VMs from ServiceNow via the CMDB CI VM lookup file.
ServiceNow CMDB CI Infra Services Saved search that populates the CMDB CI Infra Services from ServiceNow via the CMDB CI Infra Service lookup file.
ServiceNow CMDB CI Database Instances Saved search that populates the CMDB CI Database Instances from ServiceNow via the CMDB CI DB Instance lookup file.
ServiceNow CMDB CI App Servers Saved search that populates the CMDB CI App Servers from ServiceNow via the CMDB CI App Server lookup file.
ServiceNow CMDB CI Relation Saved search that populates the CMDB CI Relations from ServiceNow via the CMDB Rel CI lookup file.
ServiceNow CMDB CI Services Saved search that populates the CMDB CI Services from ServiceNow via the CMDB CI Service lookup file.
ServiceNow Incident State Saved search that populates the incident states from ServiceNow via the Incident State lookup file.
ServiceNow Sys Choice List Saved search that populates the sys choice list from ServiceNow via the Sys Choice List lookup file.

Access and enable saved searches in Splunk Web

Access and enable the saved searches in Splunk Web.

  1. On your search head, navigate to Settings > Searches, reports, and alerts.
  2. Set the app context to Splunk Add-on for ServiceNow.
  3. Click Enable next to the searches you want to enable.
  4. Save your changes.

Access and enable saved searches in savedsearches.conf

Access and enable the saved searches in the configuration files.

  1. On your search head, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/, and create a savedsearches.conf file if it does not already exist.
  2. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/default/savedsearches.conf.
  3. Identify the searches that you want to enable, and copy them to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/savedsearches.conf.
  4. In $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/savedsearches.conf, change Disabled = 1 to Disabled = 0 for each search that you want to enable.
  5. Save your changes.
PREVIOUS
Configure inputs for the Splunk Add-on for ServiceNow
  NEXT
Edit the display values for the ServiceNow API

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

Hi Billebel--
Thanks for your comment. I appreciate where you're coming from with the lookups. I have passed on your suggestion to our development team to address in future releases. Many thanks-- Janet

Jrevell splunk, Splunker
October 19, 2017

Regarding the bundle replication issue. Why don't the developers of strip out some of the garbage from the lookups. I just modified the search criteria for the lookups to remove host*, orig*, etc and it also solves the problem. IMO these lookups are a perfect example of doing things wrong in Splunk

Billebel
September 15, 2017

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters