Release history for the Splunk Add-on for ServiceNow

The latest version of the Splunk Add-on for ServiceNow is version 4.0.0. See Release notes for the Splunk Add-on for ServiceNow for release notes of this latest version.

Version 3.1.0

Version 3.1.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Supported OS for data collection Platform Independent
Vendor products ServiceNow Helsinki, Istanbul, Jakarta, and Kingston

Upgrade instructions

This upgrade procedure is required for all users upgrading from any version prior to version 3.0.0 of the Splunk Add-on for ServiceNow, and who have not previously set the display_value field in service_now.conf to all. If you are collecting data with display_value=all, there is no need to upgrade.

Starting with Splunk Add-on for ServiceNow 3.0.0, the default value of display_value is all. If you want to collect the display values using lookups rather than directly from the API, follow the upgrade steps in Upgrade the Splunk Add-on for ServiceNow.

New features

Version 3.1.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Support for ServiceNow Kingston
  • Added the Configuration Management Database (CMDB) input as a default data input

Fixed issues

Version 3.1.0 of the Splunk Add-on for ServiceNow fixes the following issues.

Date resolved Issue number Description
2018-02-21 ADDON-16566 TA for ServiceNow not compatible with Jakarta

Known issues

Version 3.1.0 of the Splunk Add-on for ServiceNow has the following known issues.

Date filed Issue number Description
2019-05-03 ADDON-21922 incidents being updated and overwritten several times
2018-11-05 ADDON-20601 Modular Inputs does not respect _meta
2015-09-15 ADDON-5559 Source type renames in version 2.7.0 of this add-on cause duplicate inputs to appear when you upgrade the add-on from any version previous to version 2.7.0 to version 2.7.0 or later. Workaround: Disable the snow:syslog sourcetype and delete the old inputs for the syslog table in ServiceNow before upgrading. Use the newly added snow:sysevent sourcetype instead.
2015-09-06 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.

Third-party software attributions

Version 3.1.0 of the Splunk Add-on for ServiceNow incorporates the following third-party library:
Httplib2 Python library.

Version 3.0.0

Version 3.0.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.5.X or later
CIM 4.0 or later
Supported OS for data collection Platform Independent
Vendor products ServiceNow Geneva, Helsinki, Istanbul and Jakarta

New features

Version 3.0.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Support for ServiceNow Jakarta
  • The identify field is now configurable.
  • The Splunk Add-on for ServiceNow is now able to receive data from individual Assignment Groups using the ServiceNow REST API.
  • The ServiceNow CMDB CI Server saved search, which loads configuration management database (CMDB) information as a snapshot to show which configuration items (CIs) were deleted. Deleted CIs can be viewed under the ServiceNow Sys Delete List, indexed under sourcetype="snow:sys_audit_delete".
  • The Splunk Add-on for ServiceNow no longer needs lookups to perform field extractions.

Fixed issues

Version 3.0.0 of the Splunk Add-on for ServiceNow fixes the following issues.

Date resolved Issue number Description
2017-10-31 ADDON-15787 Customer is getting an Error when attempting to save info on the setup page.

Known issues

Version 3.0.0 of the Splunk Add-on for ServiceNow has the following known issues.

Date filed Issue number Description
2018-01-10 ADDON-16566 TA for ServiceNow not compatible with Jakarta
2015-09-15 ADDON-5559 Source type renames in version 2.7.0 of this add-on cause duplicate inputs to appear when you upgrade the add-on from any version previous to version 2.7.0 to version 2.7.0 or later. Workaround: Disable the snow:syslog sourcetype and delete the old inputs for the syslog table in ServiceNow before upgrading. Use the newly added snow:sysevent sourcetype instead.
2015-09-06 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.

Third-party software attributions

Version 3.0.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.9.1

Version 2.9.1 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.4.X or later
CIM 4.0 or later
Platforms Platform Independent
Vendor Products ServiceNow Helsinki, Geneva, Fuji, Istanbul

New features

Version 2.9.1 of the Splunk Add-on for ServiceNow does not include any new features.

Fixed issues

Version 2.9.1 of the Splunk Add-on for ServiceNow fixes the following issues.

Date resolved Issue number Description
2017-01-23 ADDON-13414 When using modular alerts in the add-on to create a ServiceNow incident, the "configuration_item" field is left blank even if a valid string is present.
2016-03-30 ADDON-8444 Modular input XML scheme is invalid

Known issues

Version 2.9.1 of the Splunk Add-on for ServiceNow has the following known issues.

Date filed Issue number Description
2017-09-12 ADDON-15787 Customer is getting an Error when attempting to save info on the setup page.
2015-09-15 ADDON-5559 Source type renames in version 2.7.0 of this add-on cause duplicate inputs to appear when you upgrade the add-on from any version previous to version 2.7.0 to version 2.7.0 or later. Workaround: Disable the snow:syslog sourcetype and delete the old inputs for the syslog table in ServiceNow before upgrading. Use the newly added snow:sysevent sourcetype instead.
2015-09-06 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.

Third-party software attributions

Version 2.9.1 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.


Version 2.9.0

Version 2.9.0 of the Splunk Add-on for ServiceNow was released on June 27, 2016 and is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.3.X or later
CIM 4.0 or later
Platforms Platform Independent
Vendor Products ServiceNow Helsinki, Geneva, Fuji, Istanbul

Upgrade guide

The upgrade notes below are intended for customers upgrading from either version 2.7.0 or 2.8.0 to version 2.9.0. If you are upgrading from a version earlier than 2.7.0, refer also to the upgrade guide for version 2.7.0 in the Release history for the Splunk Add-on for ServiceNow for additional upgrade steps.

This version of the add-on drops support for Splunk platform versions older than 6.3.X. If you are running older versions of the Splunk platform, upgrade them to a minimum of 6.3.X before upgrading the add-on.

This version of the add-on deprecates the input for the syslog table in ServiceNow. The input is still included for backwards compatibility, but Splunk recommends that you disable this input and instead enable the newly added sysevent input which is more performant. See Source types for the Splunk Add-on for ServiceNow.

New features

Version 2.9.0 of the Splunk Add-on for ServiceNow includes the following new features.

Date Ticket number Description
2016-06-01 ADDON-9369 Support for ServiceNow customers using Helsinki, Geneva or Fuji on a bare-metal deployment of ServiceNow.
2016-05-30 ADDON-8795 Support for a performance workaround to ingest display names from ServiceNow API rather than using saved searches.
2016-05-17 ADDON-5797 New modular input for sysevent table. Deprecation of syslog table.

Fixed issues

Version 2.9.0 of the Splunk Add-on for ServiceNow fixes the following issues.

Date Defect number Description
2016-06-08 ADDON-10123 Add-on does not support new ServiceNow API parameter "sysparm_limit" that replaces "sysparm_record_count", causing incident data input to fail.
2016-05-16 ADDON-8301 Can't find service-now.conf if a proxy is configured in $SPLUNK_HOME/etc/splunk-launch.conf.
2016-02-26 ADDON-7976 Indexing stops when one of the metadata fields contains special characters.
2016-02-12 ADDON-7766 Add-on unable to retrieve data due to unhandled 403 error.

Known issues

Version 2.9.0 of the Splunk Add-on for ServiceNow has the following known issues.

Date Defect number Description
2016-01-30 ADDON-7646 FIPS mode is not supported by this add-on. For a workaround, see Add-ons and FIPS mode in the Splunk Add-ons manual.
2016-01-13 ADDON-5325 requireClientCert=true in server.conf is not supported by add-ons using modular inputs and REST. If this setting is enabled in server.conf, communication is broken between the modular input and splunkd and the add-on stops collecting data. The following error appears in the splunkd.log: "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate." The workaround is to set requireClientCert=false.
2015-11-30 ADDON-6732 Setup page error messages are unclear and do not identify the issue.
2015-09-15 ADDON-5559 Source type renames in version 2.7.0 of this add-on cause duplicate inputs to appear when you upgrade the add-on from any version previous to version 2.7.0 to version 2.7.0 or later. Workaround: Follow the upgrade guide to delete the old inputs before upgrading.
2015-09-08 ADDON-5387 Cannot delete a field value when editing a custom alert action in Splunk version 6.3.0. Workaround: Replace the field value that you want to delete with a whitespace.
2015-09-06 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.
2015-08-19 ADDON-5015 Bug in ServiceNow can sometimes cause the timestamp in field sys_updated_on to be later than "now", which can cause incomplete search results.
2015-03-18 ADDON-3401 Add-on can successfully fetch data but fails to create incidents when user configures a ServiceNow URL ending in trailing slash or other spurious special characters.
2015-03-03 ADDON-3254 ServiceNow (all versions) sets the priority for incidents based on their urgency and impact values, ignoring any priority value passed manually via search commands or scripts. Workaround: Use the impact and urgency parameters instead of the priority value.
2014-12-24 SPL-91709 When using Splunk platform version 6.3 or earlier on Windows, splunkd times out on setup. Workaround: Upgrade to Splunk platform version 6.4 or refresh the page and try again.

Third-party software attributions

Version 2.9.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.8.0

Version 2.8.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.1 or later
CIM 4.0 or later
Platforms Platform Independent
Vendor Products ServiceNow Geneva, Fuji, Eureka

New features

Version 2.8.0 of the Splunk Add-on for ServiceNow includes the following new features.

Date Ticket number Description
2015-12- ADDON-5984 Support for ServiceNow version Geneva.
2015-12- ADDON-6109 Populate incident state lookup automatically using a saved search.

Fixed issues

Version 2.8.0 of the Splunk Add-on for ServiceNow fixes the following issues.

Date Defect number Description
2015-12-01 ADDON-6733 Need to add start_by_shell=false to the [snow] stanza of inputs.conf to avoid problems with orphaned modular input processes on Ubuntu.
2015-11-29 ADDON-6101 Change incident state lookup should rely on state field rather than on incident_state field.
2015-10-20 ADDON-5982 Data returned by the ServiceNow mod input is in the form of JSON object instead of key-value pair causing lookup to fail.
2015-10-19 ADDON-5985 TA-utils calculates add-on name using the installation path, causing connection issues for customers who install the add-on in an unexpected directory.

Known issues

Version 2.8.0 of the Splunk Add-on for ServiceNow has the following known issues.

Date Defect number Description
2016-06-08 ADDON-10123 Add-on does not support new ServiceNow API parameter "sysparm_limit" that replaces "sysparm_record_count", causing incident data input to fail.
2016-03-15 ADDON-8301 Cannot load add-on's setup screen if a proxy is configured in $SPLUNK_HOME/etc/splunk-launch.conf.
2016-02-26 ADDON-7976 Indexing stops when one of the metadata fields contains special characters.
2016-02-12 ADDON-7766 Add-on unable to retrieve data due to unhandled 403 error.
2016-01-30 ADDON-7646 FIPS mode is not supported by this add-on. For a workaround, see Add-ons and FIPS mode in the Splunk Add-ons manual.
2016-01-13 ADDON-5325 requireClientCert=true in server.conf is not supported by add-ons using modular inputs and REST. If this setting is enabled in server.conf, communication is broken between the modular input and splunkd and the add-on stops collecting data. The following error appears in the splunkd.log: "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate." The workaround is to set requireClientCert=false.
2015-10-30 ADDON-6732 Poor error message when user enters incorrect username or password in the setup UI.
2015-10-29 SPL-104398 For users running the Splunk platform on Ubuntu on versions prior to 6.3.0, the start_by_shell=false setting will not take effect and the Splunk platform will display a warning message on startup. Workaround: update your Splunk software to version 6.3.0 or later.
2015-09-15 ADDON-5559 Source type renames in version 2.7.0 of this add-on cause duplicate inputs to appear when you upgrade the add-on from any version previous to version 2.7.0 to version 2.7.0 or later. Workaround: Follow the upgrade guide to delete the old inputs before upgrading.
2015-09-07 SPL-106370 / ADDON-5387 Cannot delete a field value when editing a custom alert action in Splunk version 6.3.0. Workaround: Replace the field value that you want to delete with a whitespace.
2015-09-07 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.
2015-03-20 ADDON-3401 Add-on can successfully fetch data but fails to create incidents when user configures a ServiceNow URL ending in trailing slash or other spurious special characters.
2015-03-12 ADDON-3254 ServiceNow (all versions) sets the priority for incidents based on their urgency and impact values, ignoring any priority value passed manually via search commands or scripts. Workaround: Use the impact and urgency parameters instead of the priority value.
2014-11-18 ADDON-2334 / ADDON-5015 Bug in ServiceNow can sometimes cause the timestamp in field sys_updated_on to be later than "now", which can cause incomplete search results.
2014-12-24 SPL-91709 When using Splunk platform version 6.3 or earlier on Windows, splunkd times out on setup. Workaround: Upgrade to Splunk platform version 6.4 or refresh the page and try again.

Third-party software attributions

Version 2.8.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.7.0

Version 2.7.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.1 or later
CIM 4.0 or later
Platforms Linux
Vendor Products ServiceNow Fuji, Eureka

Upgrade guide

Version 2.7.0 of this add-on removes support for ServiceNow versions Dublin and Calgary. The add-on retains backwards compatibility for these versions, so no migration activity is required as a result of this change.

The 2.7.0 version of the add-on uses a different API to connect to ServiceNow. The new API uses a different variation of the database table name for five tables in ServiceNow. If you had enabled these tables in the past, disable and delete these old inputs before upgrading the add-on to avoid confusion. Your old data remains valid and searchable, but all new data is indexed using the new naming.

1. Disable the following five inputs in your existing add-on:

  • cmdb_ci_list
  • cmn_location_list
  • sys_choice_list
  • sys_user_group_list
  • sys_user_list

2. Upgrade your add-on to version 2.7.0.

3. Open each of the new inputs and adjust the data collection start time to today to avoid collecting all historical data again.

  • cmdb_ci
  • cmn_location
  • sys_choice
  • sys_user_group
  • sys_user

4. Enable the new inputs.

5. Delete the five inputs ending with _list to avoid any future confusion.

ServiceNow version upgrade guide

If you were previously using the Splunk Add-on for ServiceNow with version Eureka, Dublin, or Calgary and you are now upgrading your ServiceNow instance to version Fuji, note the following behavior changes affecting incident and event creation and incident update:

1. Due to changes in ServiceNow version Fuji, snowincidentstream or snow_incident.py always creates a new incident rather than updating an existing incident, unless you supply the correlation_id for the existing incident that you wish to update.

2. Also, in ServiceNow versions Eureka, Dublin, or Calgary, for incident creation or update, if the combination of category, short_description, contact_type, subcategory, and ci_identifier is not unique to a single incident, ServiceNow attempts to treat all affected tickets as the same ticket, causing conflicts. Similarly, for event creation, if the combination of node, resource, type, and severity is not unique to a single event, ServiceNow attempts to treat all affected events as the same event, causing conflicts. In ServiceNow version Fuji, ServiceNow no longer treats similar incidents or events as the same ticket unless the user provides an identical correlation_id.

New features

Version 2.7.0 of the Splunk Add-on for ServiceNow includes the following new feature.

Date Issue number Description
2015-09-10 ADDON-5035 On Splunk platform version 6.3.0, users can now perform push integration with ServiceNow using custom alert actions. In order to support this new feature, the argument opened_by is deprecated for incidents. It is now automatically set to the ServiceNow username of the account used for the Splunk integration with ServiceNow.

Fixed issues

Version 2.7.0 of the Splunk Add-on for ServiceNow fixes the following issues.

Date Defect number Description
2015-09-10 ADDON-2384 / SPL-40332 On Windows, lookup tables are not populated. Note: Fixed for Splunk platform 6.3.0 and later only.
2015-07-07 ADDON-4465 Unable to run snowincident searches on a search head cluster. Note: Fixed for Splunk platform 6.3.0 and later only.

Known issues

Version 2.7.0 of the Splunk Add-on for ServiceNow has the following known issues.

Date Defect number Description
2015-11-30 ADDON-6733 When using dash shell (the default shell in Ubuntu), the Splunk platform does not terminate modular input processes properly. Workaround: If running the Splunk platform on Ubuntu, add start_by_shell=false to the [snow] stanza of inputs.conf.
2015-10-29 SPL-104398 For users running the Splunk platform on Ubuntu, the start_by_shell=false setting will not take effect and the Splunk platform will display a warning message on startup. Workaround: update your Splunk software to version 6.3.0 or later.
2015-10-19 ADDON-6101 Change incident state lookup should rely on state field rather than on incident_state field.
2015-10-08 ADDON-5982 Data returned by the ServiceNow mod input is in the form of JSON object instead of key-value pair, causing lookup to fail.
2015-10-08 ADDON-5985 TA-utils calculates add-on name using the installation path, causing connection issues for customers who install the add-on in an unexpected directory.
2015-09-15 ADDON-5559 Source type renames cause duplicate inputs to appear. Workaround: Follow the migration guide to delete the old inputs before upgrading to the new version of the add-on.
2015-09-07 SPL-106370 / ADDON-5387 Cannot delete a field value when editing a custom alert action. Workaround: Replace the field value that you want to delete with a whitespace.
2015-09-07 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.
2015-08-18 ADDON-4935 Due to a bug in ServiceNow version Dublin, incidents created from Splunk platform have an empty incident number.
2015-03-20 ADDON-3401 Add-on can successfully fetch data but fails to create incidents when user configures a ServiceNow URL ending in trailing slash or other spurious special characters.
2015-03-12 ADDON-3254 ServiceNow (all versions) sets the priority for incidents based on their urgency and impact values, ignoring any priority value passed manually via search commands or scripts. Workaround: Use the impact and urgency parameters instead of the priority value.
2014-12-24 SPL-91709 On Windows, splunkd times out on setup.
2014-12-08 ADDON-2392 Fields in Splunk Web UI are not aligned on data input page if you zoom in.
2014-11-18 ADDON-2334 / ADDON-5015 Bug in ServiceNow can sometimes cause the timestamp in field sys_updated_on to be later than "now", which can cause incomplete search results.

Third-party software attributions

Version 2.7.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.6.1

Version 2.6.1 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.2, 6.1
CIM 4.2, 4.1, 4.0
Platforms Linux
Vendor Products ServiceNow Fuji, Eureka, Dublin, and Calgary

Fixed issues

Version 2.6.1 of the Splunk Add-on for ServiceNow fixes the following issues.

Date Defect number Description
08/04/15 ADDON-4004 Add-on fails with KeyError: 'elements' when connecting through a proxy set up in splunk-launch.conf.
08/04/15 ADDON-4449 Event navigation from ServiceNow to Splunk platform does not work in Eureka.
08/04/15 ADDON-4478 Get "Exception: Invalid proxy type=None" even with proxy setting disabled.
08/04/15 ADDON-4458 None type error thrown when URL has not been configured.
07/05/15 ADDON-4295 Overriding the autoselection of ServiceNow version does not work.

Known issues

Version 2.6.1 of the Splunk Add-on for ServiceNow has the following known issues.

Date Defect number Description
08/18/15 ADDON-4935 Due to a bug in ServiceNow version Dublin, incidents created from Splunk platform have an empty incident number.
07/06/15 ADDON-4465 Unable to run snowincident searches on a search head cluster.
03/20/15 ADDON-3401 Add-on can successfully fetch data but fails to create incidents when user configures a ServiceNow URL ending in trailing slash or other spurious special characters.
03/12/15 ADDON-3254 ServiceNow (all versions) sets the priority for incidents based on their urgency and impact values, ignoring any priority value passed manually via search commands or scripts. Workaround: Use the impact and urgency parameters instead of the priority value.
12/24/14 SPL-86716 On Windows, splunkd times out on setup.
12/08/14 ADDON-2392 Fields in Splunk Web UI are not aligned on data input page if you zoom in.
11/25/14 ADDON-2384 / SPL-40332 On Windows, lookup tables are not populated.
11/18/14 ADDON-2334 / ADDON-5015 Bug in ServiceNow can sometimes cause the timestamp in field sys_updated_on to be later than "now", which can cause incomplete search results.

Third-party software attributions

Version 2.6.1 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.6.0

Version 2.6.0 of the Splunk Add-on for ServiceNow has the same compatibility specifications as version 2.6.1.

New features

Date Defect number Description
04/14/15 ADDON-3707 Ship syslog, syslog_transaction, and sys_audit endpoints for data collecting by default
03/22/15 ADDON-3026 Support for ServiceNow version Fuji.
03/19/15 ADDON-2925 Support deep dive URLs in incidents.
03/04/15 ADDON-3236 Setup screen can automatically detect ServiceNow version.
03/04/15 ADDON-3200 Populate CSVs via saved searches for ServiceNow choice fields.

Fixed issues

Version 2.6.0 of the Splunk Add-on for ServiceNow fixes the following issues.

Date Defect number Description
04/13/15 ADDON-3678 The transpose command in the add-on conflicts with a command in the Search and Reporting app and causes problems with Splunk App for Enterprise Security.
04/10/15 ADDON-3576 Input fails on newlines in description field.
03/24/15 ADDON-2296 Workflow actions do not work in Splunk Enterprise 6.2.
03/12/15 ADDON-3302 Wildcards in sourcetype not working as expected.
03/12/15 ADDON-3254 Fail to set incident priority through search command "snowincident"
03/03/15 ADDON-3196 Commands.conf has default stanza globally impacting search commands.
02/10/15 ADDON-3022 Updates to non-mandatory parameters result in a new URL.

Known issues

Version 2.6.0 of the Splunk Add-on for ServiceNow has the following known issues.

Date Defect number Description
05/13/15 ADDON-4004 Add-on fails with KeyError: 'elements' when connecting through a proxy set up in splunk-launch.conf. Workaround: Do not use global proxy settings with add-ons. Instead, configure a proxy using the add-on's built-in proxy configuration support.
03/20/15 ADDON-3401 Add-on can successfully fetch data but fails to create incidents when user configures a ServiceNow URL ending in trailing slash or other spurious special characters.
03/12/15 ADDON-3254 ServiceNow (all versions) sets the priority for incidents based on their urgency and impact values, ignoring any priority value passed manually via search commands or scripts. Workaround: Use the impact and urgency parameters instead of the priority value.
12/24/14 SPL-86716 On Windows, splunkd times out on setup.
12/08/14 ADDON-2392 Fields in Splunk Web UI are not aligned on data input page if you zoom in.
11/25/14 ADDON-2384 / SPL-40332 On Windows, lookup tables are not populated.
11/18/14 ADDON-2334 When running a search "sourcetype=snow:change_request", the timestamp (in field sys_updated_on) is later than "now", which can cause incomplete search results.

Third-party software attributions

Version 2.6.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.5.0

Version 2.5.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk Enterprise versions 6.2, 6.1
CIM 4.1, 4.0
Platforms Platform independent
Vendor Products ServiceNow Eureka, Dublin, and Calgary

New features

Version 2.5.0 of the Splunk Add-on for ServiceNow included the following new features.

Date Issue number Description
11/25/14 ADDON-683 The add-on is now Splunk supported.
11/25/14 ADDON-683 The add-on now ingests data to Ticket Management data model.
11/25/14 ADDON-683 The add-on gets data from ServiceNow CMDB API into Splunk Enterprise for data enrichment.
11/25/14 ADDON-683 Added the ability to create new incidents and events from Splunk Enterprise.
11/25/14 ADDON-683 Added the ability to manage incidents from Splunk Enterprise if they were created from Splunk Enterprise.
11/25/14 ADDON-1889 Added prebuilt panels.
11/25/14 ADDON-1878 Add-on now routes data to the main index by default.
11/14/14 ADDON-1857 Added support for ServiceNow versions Eureka and Dublin.

Fixed issues

Version 2.5.0 of the Splunk Add-on for ServiceNow fixed the following issues.

Date Defect number Description
12/18/14 ADDON-2317 Log level "FATAL" does not work.
12/18/14 ADDON-2335 Add-on fails to create event with custom search command when specifying time_of_event.
12/13/14 ADDON-2309 There is no column for "additional info" in ServiceNow in splunk_incident.

Known issues

Version 2.5.0 of the Splunk Add-on for ServiceNow had the following known issues.

Date Defect number Description
04/13/15 ADDON-3678 The transpose command in the add-on conflicts with a command in the Search and Reporting app and causes problems with Splunk App for Enterprise Security.
12/11/14 N/A The custom search commands and alert-triggered scripts included in this add-on are limited in their ability to create and update events in ServiceNow, per ServiceNow design. For incident creation or update, if the combination of category, short_description, and contact_type are not unique to a single incident, ServiceNow will attempt to treat all affected tickets as the same ticket, causing conflicts. Similarly, for event creation, if the combination of node, resource, type, and severity are not unique to a single event, ServiceNow will attempt to treat all affected events as the same event, causing conflicts.
12/08/14 ADDON-2392 Fields in Splunk Web UI are not aligned on data input page.
11/18/14 ADDON-2334 When running a search "sourcetype=snow:change_request", the timestamp (in field sys_updated_on) is later than "now", which can cause incomplete search results.

Third-party software attributions

Version 2.5.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.


This documentation applies to the following versions of Splunk® Supported Add-ons: released