Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Release history for the Splunk Add-on for ServiceNow

The latest release of the Splunk Add-on for ServiceNow is version 7.9.0. See the release notes topic for more information.

Version 7.8.1

Version 7.8.1 of the Splunk Add-on for ServiceNow was released on September 6, 2024.

Compatibility

Version 7.8.1 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 9.0.x, 9.1.x, 9.2.x
CIM 5.1.0
Supported OS for data collection Platform Independent
Vendor products ServiceNow Quebec, Rome, San Diego, Tokyo, Utah, Vancouver, and Washington DC

Splunk has reviewed and updated the field aliases in this add-on for compatibility with the new field alias behavior change available from Splunk v7.3.4 and above.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 7.8.1 of the Splunk Add-on for ServiceNow includes the following new features:

  • Fixed the security vulnerabilities found in the certifi and urllib3 libraries by upgrading their version from 2024.2.2 to 2024.7.4, 1.26.18 to 1.26.19.

Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

From the ServiceNow add-on release 7.2.1 onward, we have removed the support of HTTP_NO_TUNNEL and SOCKS4 proxy. We recommend using an HTTP or SOCKS5 proxy instead.

Fixed issues

Version 7.8.1 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:

Known issues

Version 7.8.1 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a document file for download:
Splunk Add-on for ServiceNow third-party software credits.


Version 7.8.0

Version 7.8.0 of the Splunk Add-on for ServiceNow was released on April 30, 2024.

Compatibility

Version 7.8.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 9.0.x, 9.1.x, 9.2.x
CIM 5.1.0
Supported OS for data collection Platform Independent
Vendor products ServiceNow Quebec, Rome, San Diego, Tokyo, Utah, Vancouver, and Washington DC

Splunk has reviewed and updated the field aliases in this add-on for compatibility with the new field alias behavior change available from Splunk v7.3.4 and above.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 7.8.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Added support for ServiceNow Washington DC.
  • Added support for ipv6 addresses.
  • Added a unique invocation ID for every invocation in the logs for alert action and custom commands.
  • Enhanced data collection mechanism to ingest a record without a time field.
  • Improved data collection mechanism by using sys_id instead of offset for record updates during ongoing data collection. Please note that intermediate updates of a record can still be missed if there are multiple updates on a record between the input intervals. The latest state of the record will be fetched in the next invocation of the input according to its interval.


Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

From the ServiceNow add-on release 7.2.1 onward, we have removed the support of HTTP_NO_TUNNEL and SOCKS4 proxy. We recommend using an HTTP or SOCKS5 proxy instead.

Fixed issues

Version 7.8.0 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:

Known issues

Version 7.8.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a document file for download:
Splunk Add-on for ServiceNow third-party software credits.


Version 7.7.0

Version 7.7.0 of the Splunk Add-on for ServiceNow was released on December 8, 2023.

Compatibility

Version 7.7.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x, 9.1.x
CIM 5.1.0
Supported OS for data collection Platform Independent
Vendor products ServiceNow Quebec, Rome, San Diego, Tokyo, Utah, and Vancouver

Splunk has reviewed and updated the field aliases in this add-on for compatibility with the new field alias behavior change available from Splunk v7.3.4 and above.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.


New features

Version 7.7.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Added support for ServiceNow Vancouver.


Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

From the ServiceNow add-on release 7.2.1 onward, we have removed the support of HTTP_NO_TUNNEL and SOCKS4 proxy. We recommend using an HTTP or SOCKS5 proxy instead.

Fixed issues

Version 7.7.0 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Known issues

Version 7.7.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2023-07-18 ADDON-63502 Service Now TA Integration not returning Incident value to ITSI : returning SPL instead of INC prefix when passing Default endpoint arguments

Workaround:
Remove the default value (/api/now/table/x_splu2_splunk_ser_u_splunk_incident) from the scripted_endpoint textbox.
2022-09-13 ADDON-55704 Data miss due to active updation of records during data collection
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page


Version 7.6.0

Version 7.6.0 of the Splunk Add-on for ServiceNow was released on March 31, 2023.

Compatibility

Version 7.6.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 5.1.0
Supported OS for data collection Platform Independent
Vendor products ServiceNow Quebec, Rome, San Diego, Tokyo, and Utah

Splunk has reviewed and updated the field aliases in this add-on for compatibility with the new field alias behavior change available from Splunk v7.3.4 and above.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.


New features

Version 7.6.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Added support for ServiceNow Utah.
  • Enhanced the Incident Alert Action to time bound the rest API search that populate values in the account dropdown.


Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

From the ServiceNow add-on release 7.2.1 onward, we have removed the support of HTTP_NO_TUNNEL and SOCKS4 proxy. We recommend using an HTTP or SOCKS5 proxy instead.

Fixed issues

Version 7.6.0 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Known issues

Version 7.6.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2023-07-18 ADDON-63502 Service Now TA Integration not returning Incident value to ITSI : returning SPL instead of INC prefix when passing Default endpoint arguments

Workaround:
Remove the default value (/api/now/table/x_splu2_splunk_ser_u_splunk_incident) from the scripted_endpoint textbox.
2022-09-13 ADDON-55704 Data miss due to active updation of records during data collection
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a document file for download:
Splunk Add-on for ServiceNow third-party software credits.


Version 7.5.0

Version 7.5.0 of the Splunk Add-on for ServiceNow was released on December 14, 2022.

Compatibility

Version 7.5.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.2.x, 9.0.x
CIM 5.0.1
Supported OS for data collection Platform Independent
Vendor products ServiceNow Quebec, Rome, San Diego, and Tokyo

Splunk has reviewed and updated the field aliases in this add-on for compatibility with the new field alias behavior change available from Splunk v7.3.4 and above.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 7.5.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Improved memory and CPU usage by using multi-instance mode for data collection.
  • Migrated from a file-based checkpointing mechanism to using KV-store instead for better reliability and performance during data ingestion.

Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

From the ServiceNow add-on release 7.2.1 onward, we have removed the support of HTTP_NO_TUNNEL and SOCKS4 proxy. We recommend using an HTTP or SOCKS5 proxy instead.

Fixed issues

Version 7.5.0 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Known issues

Version 7.5.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2022-09-13 ADDON-55704 Data miss due to active updation of records during data collection
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a document file for download:
Splunk Add-on for ServiceNow third-party software credits.

Version 7.4.1

Version 7.4.1 of the Splunk Add-on for ServiceNow was released on September 20, 2022.

Compatibility

Version 7.4.1 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.2.x, 9.0.x
CIM 5.0.1
Supported OS for data collection Platform Independent
Vendor products ServiceNow Quebec, Rome, San Diego, and Tokyo

Splunk has reviewed and updated the field aliases in this add-on for compatibility with the new field alias behavior change available from Splunk v7.3.4 and above.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 7.4.1 of the Splunk Add-on for ServiceNow includes the following new features:

  • Added support for ServiceNow Tokyo.
  • Altered the record count range on the account configuration page from {1000 to 10000} to {1 to 10000}. The default value remains at 3000, but this change allows lower record count values (between 1 and 1000) to be used under special circumstances. See troubleshooting section for more details.

Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

From the ServiceNow add-on release 7.2.1 onward, we have removed the support of HTTP_NO_TUNNEL and SOCKS4 proxy. We recommend using an HTTP or SOCKS5 proxy instead.

Fixed issues

Version 7.4.1 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Known issues

Version 7.4.1 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2022-09-13 ADDON-55704 Data miss due to active updation of records during data collection
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a document file for download:
Splunk Add-on for ServiceNow third-party software credits.



Version 7.4.0

Version 7.4.0 of the Splunk Add-on for ServiceNow was released on July 7, 2022.

Compatibility

Version 7.4.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x
CIM 5.0.1
Supported OS for data collection Platform Independent
Vendor products ServiceNow Quebec, Rome and San Diego

Splunk has reviewed and updated the field aliases in this add-on for compatibility with the new field alias behavior change available from Splunk v7.3.4 and above.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.


New features

Version 7.4.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Supports either Table API or Import Set API for incident creation.
  • Support of CI identifier in Event integration alert action.

Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

From the ServiceNow add-on release 7.2.1 onward, we have removed the support of HTTP_NO_TUNNEL and SOCKS4 proxy. We recommend using an HTTP or SOCKS5 proxy instead.

Fixed issues

Version 7.4.0 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Date resolved Issue number Description
2022-03-31 ADDON-46758 TA for SNOW : A racing condition causes creating multiple SNOW Incident with same correlation ID.

Known issues

Version 7.4.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a document file for download:
Splunk Add-on for ServiceNow third-party software credits.


Version 7.3.0

Version 7.3.0 of the Splunk Add-on for ServiceNow was released on May 11, 2022.

Compatibility

Version 7.3.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x
CIM 5.0.1
Supported OS for data collection Platform Independent
Vendor products ServiceNow Quebec, Rome and San Diego

Splunk has reviewed and updated the field aliases in this add-on for compatibility with the new field alias behavior change available from Splunk v7.3.4 and above.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 7.3.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Added support for ServiceNow San Diego.
  • Updated the default value of the Source and Source instance column for the ServiceNow Event Integration.
    • Before the Source column used Splunk-<hostname_of_splunk_machine> as a value and the Source instance column used Splunk as a value.
    • Now the Source column uses Splunk-TA as a value and the Source instance column uses Splunk-<hostname_of_splunk_machine> as a value.

Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

From the ServiceNow add-on release 7.2.1 onward, we have removed the support of HTTP_NO_TUNNEL and SOCKS4 proxy. We recommend using an HTTP or SOCKS5 proxy instead.

Fixed issues

Version 7.3.0 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Known issues

Version 7.3.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for ServiceNow third-party software credits.


Version 7.2.1

Version 7.2.1 of the Splunk Add-on for ServiceNow was released on February 1, 2022.

Compatibility

Version 7.2.1 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x
CIM 5.0.0
Supported OS for data collection Platform Independent
Vendor products ServiceNow London, Madrid, New York, Orlando, Paris Quebec, and Rome

Splunk has reviewed and updated the field aliases in this add-on for compatibility with the new field alias behavior change available from Splunk v7.3.4 and above.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 7.2.1 of the Splunk Add-on for ServiceNow includes the following new features:

  • SSL certificate management solution.
  • Migrated CSV lookups to KVStore.
  • Support of all operators in filter parameters that ServiceNow supports.
  • Support of passing additional information apart from Splunk URL into the additional_info parameter for ServiceNow event integration and custom commands.
  • Migrated from httplib2 to requests library.
  • Removed the support for HTTP_NO_TUNNEL and SOCKS4 proxy.



Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

From the ServiceNow add-on release 7.2.1 onward, we have removed the support of HTTP_NO_TUNNEL and SOCKS4 proxy. We recommend using an HTTP or SOCKS5 proxy instead.

Fixed issues

Version 7.2.1 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Date resolved Issue number Description
2021-10-25 ADDON-40029 Special character validation issues on "Included properties" in ServiceNow TA

Known issues

Version 7.2.1 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2022-02-06 ADDON-47725 TA for SNOW : Alert Action - Event - GUI/webUI doesn't have ci_identifier field and additional_info is matching with a confusing name on the GUI

Workaround:
For issue 1,

To configure ci_identifier from configuration file directly but customer dont have access to that since they are on cloud. For issue 2, Tested locally and found out that the field, "Splunk URL" from WEB UI will match up with additional_info from savedsearch.conf.

2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for ServiceNow third-party software credits.


Version 7.1.1

Version 7.1.1 of the Splunk Add-on for ServiceNow was released on November 30, 2021.

Compatibility

Version 7.1.1 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.0.x, 8.1.x, 8.2.x
CIM 4.18.1
Supported OS for data collection Platform Independent
Vendor products ServiceNow London, Madrid, New York, Orlando, Paris Quebec, and Rome

Splunk has reviewed and updated the field aliases in this add-on for compatibility with the new field alias behavior change available from Splunk v7.3.4 and above.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 7.1.1 of the Splunk Add-on for ServiceNow includes the following new features:

  • Fixed an issue where the add-on was only able to display up to thirty records in the list.


Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

Fixed issues

Version 7.1.1 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Date resolved Issue number Description
2021-07-12 ADDON-39059, ADDON-39178 Inputs more than 30 aren't shown in the UI

Known issues

Version 7.1.1 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-08-04 ADDON-40029 Special character validation issues on "Included properties" in ServiceNow TA
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for ServiceNow third-party software credits.


Version 7.1.0

Version 7.1.0 of the Splunk Add-on for ServiceNow was released on July 12, 2021.

Compatibility

Version 7.1.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.0.x, 8.1.x, 8.2.x
CIM 4.18.1
Supported OS for data collection Platform Independent
Vendor products ServiceNow London, Madrid, New York, Orlando, Paris and Quebec


New features

Version 7.1.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Fast and intuitive UI with an improved look and feel.
  • Fixed critical security issue by removing jquery2.
  • Removed python2 support. Splunk only supports python3 for future releases.


Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

Fixed issues

Version 7.1.0 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Known issues

Version 7.1.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-08-04 ADDON-40029 Special character validation issues on "Included properties" in ServiceNow TA
2021-07-06 ADDON-39059, ADDON-39178 Inputs more than 30 aren't shown in the UI
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for ServiceNow third-party software credits.


Version 7.0.0

Version 7.0.0 of the Splunk Add-on for ServiceNow was released on May 4, 2021.

Compatibility

Version 7.0.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.3.x, 8.0.x, 8.1.x
CIM 4.19
Supported OS for data collection Platform Independent
Vendor products ServiceNow London, Madrid, New York, Orlando, Paris and Quebec

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 7.0.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Added support for writing incidents to a custom scripted REST endpoint
  • Added support for ServiceNow Quebec
  • Added compatibility for CIM version 4.19
  • UI validation enhancements



Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

Fixed issues

Version 7.0.0 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Known issues

Version 7.0.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Version 7.0.0 of the Splunk Add-on for ServiceNow incorporates the following third-party software libraries:


Version 6.4.1

Version 6.4.1 of the Splunk Add-on for ServiceNow was released on March 4, 2021.

Compatibility

Version 6.4.1 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.2.x, 7.3.x, 8.0.x, 8.1.x
CIM 4.18
Supported OS for data collection Platform Independent
Vendor products ServiceNow London, Madrid, New York, Orlando, and Paris

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

Version 6.4.1 of the Splunk Add-on for ServiceNow includes the following new features:

Fixed issues

Version 6.4.1 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Date resolved Issue number Description
2021-03-04 ADDON-34547 "Time field of the table" not respected when filter parameters are provided

Known issues

Version 6.4.1 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Version 6.4.1 of the Splunk Add-on for ServiceNow incorporates the following third-party software libraries:



Version 6.4.0

Version 6.4.0 of the Splunk Add-on for ServiceNow was released on January 25, 2021.

Compatibility

Version 6.4.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.2.x, 7.3.x, 8.0.x, 8.1.x
CIM 4.18
Supported OS for data collection Platform Independent
Vendor products ServiceNow London, Madrid, New York, Orlando, and Paris

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

Version 6.4.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Support for multiple accounts in ServiceNow event Alert Action. This adds the ability to create events in multiple ServiceNow instances simultaneously.
  • Enhanced user experience through instant feedback when URLs or host names are entered incorrectly, and more precise error messages.
  • Graceful handling of invalid ServiceNow error message: Under heavy load on a ServiceNow table, it returns an invalid JSON which was causing intermittent failures with data collection. Upon receipt of the invalid JSON the Splunk Add-on for ServiceNow will log the error and make the API call again using the last stored checkpoint values.

Fixed issues

Version 6.4.0 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:


Date resolved Issue number Description
2021-01-04 ADDON-31850 Handle invalid JSON response from ServiceNow
2020-12-15 ADDON-31305, ADDON-31314, ADDON-31777 Json Error Response is getting displayed in the input UI validation error message when user provides incorrect value in the 'Filter Parameters' and other input fields instead of a simple error message

Known issues

Version 6.4.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

Workaround:
1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2021-03-03 ADDON-34547 "Time field of the table" not respected when filter parameters are provided
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Version 6.4.0 of the Splunk Add-on for ServiceNow incorporates the following third-party software libraries:

Version 6.3.1

Version 6.3.1 of the Splunk Add-on for ServiceNow was released on January 12, 2021.

Compatibility

Version 6.3.1 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0.x, 8.1.x
CIM 4.18
Supported OS for data collection Platform Independent
Vendor products ServiceNow London, Madrid, New York, Orlando, and Paris

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 6.3.0 of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

Version 6.3.1 of the Splunk Add-on for ServiceNow includes the following new features:

  • Bug fixes
  • Enhanced compatibility with Splunk IT Service Intelligence

Fixed issues

Version 6.3.1 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:

Known issues

Version 6.3.1 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-03-03 ADDON-34547 "Time field of the table" not respected when filter parameters are provided
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Version 6.3.1 of the Splunk Add-on for ServiceNow incorporates the following third-party software libraries:


Version 6.3.0

Version 6.3.0 of the Splunk Add-on for ServiceNow was released on December 19, 2020.

Compatibility

Version 6.3.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0.x, 8.1.x
CIM 4.18
Supported OS for data collection Platform Independent
Vendor products ServiceNow London, Madrid, New York, Orlando, and Paris

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 6.3.0 of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

Version 6.3.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Support for the OR condition in the Filter Parameters setting for filtering ServiceNow Table data.
  • Support for a new user interface (UI) setting titled Included Properties. This setting lets the user choose and set fields to be fetched from tables for each input.
  • The Record Count setting is now configurable in the UI for accounts. This lets users set the maximum number of records to be fetched at each call to the database tables from the UI.
  • All the historical data for an input is now collected in the first interval. This helps users collect historical data faster.
  • Support for version 4.18 of the Common Information Model (CIM).
  • Added support for the severity_id CIM field in the Ticket Management data model.
  • Replaced the Ticket Management Change data model mapping with the Ticket Management data model mapping for the snow_change_task event type.

Fixed issues

Version 6.3.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date resolved Issue number Description
2020-12-17 ADDON-30681 Splunk Add-on for ServiceNow is not ingesting updated records intermittently.
2020-10-09 ADDON-29185 The app is configured with a service account which has access to our ServiceNow environment (and is querying data into Splunk successfully), however, the Incident and Event Integration components are not recognizing the account that is configured.

Known issues

Version 6.3.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-03-03 ADDON-34547 "Time field of the table" not respected when filter parameters are provided
2020-12-15 ADDON-31850 Handle invalid JSON response from ServiceNow
2020-11-27 ADDON-31305, ADDON-31314, ADDON-31777 Json Error Response is getting displayed in the input UI validation error message when user provides incorrect value in the 'Filter Parameters' and other input fields instead of a simple error message
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Version 6.3.0 of the Splunk Add-on for ServiceNow incorporates the following third-party software libraries:


Version 6.2.0

Version 6.2.0 of the Splunk Add-on for ServiceNow was released on September 30, 2020.

Compatibility

Version 6.2.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.16
Supported OS for data collection Platform Independent
Vendor products ServiceNow London, Madrid, New York, Orlando, and Paris

New features

Version 6.2.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Changed default time of from last 1 year to fetch events from last 7 days.

Fixed issues

Version 6.2.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date resolved Issue number Description
2020-09-10 ADDON-25913 Input doesn't function if number of events with same sys_updated_on exceeds sysparm_limit


Known issues

Version 6.2.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2020-12-15 ADDON-31850 Handle invalid JSON response from ServiceNow
2020-11-27 ADDON-31305, ADDON-31314, ADDON-31777 Json Error Response is getting displayed in the input UI validation error message when user provides incorrect value in the 'Filter Parameters' and other input fields instead of a simple error message
2020-11-03 ADDON-30681 Splunk Add-on for ServiceNow is not ingesting updated records intermittently.
2020-09-08 ADDON-29185 The app is configured with a service account which has access to our ServiceNow environment (and is querying data into Splunk successfully), however, the Incident and Event Integration components are not recognizing the account that is configured.
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Version 6.2.0 of the Splunk Add-on for ServiceNow incorporates the following third-party software libraries:


Version 6.1.0

Version 6.1.0 of the Splunk Add-on for ServiceNow was released on July 29, 2020.

Compatibility

Version 6.1.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.16
Supported OS for data collection Platform Independent
Vendor products ServiceNow London, Madrid, New York, and Orlando

New features

Version 6.1.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Support for default URL creation for the following custom commands: : snowevent and snowincident.
  • Changed default running time of saved searches from all time to last 30 days.
  • Support for ingestion of custom fields from ServiceNow events.
  • Enhanced python library structure.

Fixed issues

Version 6.1.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:



Known issues

Version 6.1.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2020-09-08 ADDON-29185 The app is configured with a service account which has access to our ServiceNow environment (and is querying data into Splunk successfully), however, the Incident and Event Integration components are not recognizing the account that is configured.
2020-04-02 ADDON-25913 Input doesn't function if number of events with same sys_updated_on exceeds sysparm_limit
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Version 6.1.0 of the Splunk Add-on for ServiceNow incorporates the following third-party software libraries:

Version 6.0.0

Version 6.0.0 of the Splunk Add-on for ServiceNow was released on May 8, 2020.

Compatibility

Version 6.0.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0.0
CIM 4.15
Supported OS for data collection Platform Independent
Vendor products ServiceNow London, Madrid, New York, and Orlando

New features

Version 6.0.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • OAuth 2.0 Authentication support
  • Ability to configure accounts on Splunk Cloud instances.
  • Ability for API to fetch incident info using incident ID.
  • Support for updating of custom fields that are not included with add-on.
  • Alignment of Splunk Drilldown in ServiceNow tickets with the same Drilldown Search in ITSI.


Fixed issues

Version 6.0.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date resolved Issue number Description
2020-04-16 ADDON-25931 Error sending events to SNOW
2020-01-07 ADDON-24296 SNOW Account details replicated across a Search Head Cluster
2019-12-16 ADDON-21922 incidents being updated and overwritten several times


Known issues

Version 6.0.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2020-09-08 ADDON-29185 The app is configured with a service account which has access to our ServiceNow environment (and is querying data into Splunk successfully), however, the Incident and Event Integration components are not recognizing the account that is configured.
2020-05-26 ADDON-26828 Addons unable to load UI or collect data on Splunk 8.0.4, 8.0.2004 and Splunk 8.0.5

Workaround:
As a manual workaround, the "import html" statement on Line 16 of splunk/lib/python3.7/site-packages/splunk/util.py file could be commented out, which does not require Splunk restart to take affect.
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Version 6.0.0 of the Splunk Add-on for ServiceNow incorporates the following third-party software libraries:

Version 5.0.1

Version 5.0.1 of the Splunk Add-on for ServiceNow was released on February 10, 2020.

Compatibility

Version 5.0.1 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.0
CIM 4.12
Supported OS for data collection Platform Independent
Vendor products ServiceNow Kingston, London, Madrid, and New York

New features

Version 5.0.1 of the Splunk Add-on for ServiceNow includes the following new feature:

  • New custom command "snowincidentalert" returns the SNOW Incident URL and ticket ID when a ticket is created.

Fixed issues

Version 5.0.1 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Known issues

Version 5.0.1 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2020-04-06 ADDON-25931 Error sending events to SNOW
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Version 5.0.1 of the Splunk Add-on for ServiceNow incorporates the following third-party software libraries:


Version 5.0.0

Version 5.0.0 of the Splunk Add-on for ServiceNow was released on October 21, 2019.

Compatibility

Version 5.0.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.0
CIM 4.12
Supported OS for data collection Platform Independent
Vendor products ServiceNow Kingston, London, Madrid, and New York

New features

Version 5.0.0 of the Splunk Add-on for ServiceNow includes the following new feature:

  • Support for Python 3.

Fixed issues

Version 5.0.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Known issues

Version 5.0.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2020-04-02 ADDON-25913 Input doesn't function if number of events with same sys_updated_on exceeds sysparm_limit
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2019-11-08 ADDON-24296 SNOW Account details replicated across a Search Head Cluster
2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Version 5.0.0 of the Splunk Add-on for ServiceNow incorporates the following third-party software libraries:


Version 4.0.0

Version 4.0.0 of the Splunk Add-on for ServiceNow was released on June 19, 2019.

Compatibility

Version 4.0.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x
CIM 4.12
Supported OS for data collection Platform Independent
Vendor products ServiceNow Kingston, London and Madrid

New features

Version 4.0.0 of the Splunk Add-on for ServiceNow includes the following new feature:

  • Support for multiple ServiceNow accounts
  • Support for ServiceNow London and Madrid

Fixed issues

Version 4.0.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date resolved Issue number Description
2019-02-17 ADDON-20601 Modular Inputs does not respect _meta

Known issues

Version 4.0.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2019-09-11 ADDON-23283 Enhance SavedSearches to specify time window
2019-08-14 ADDON-22942 ServiceNow Event Integration 'Select Account'
2018-12-31 ADDON-20777 Windows - 'Interrupted function call' Error logs in splunk_ta_snow_main.log when config file changes; Does not affect data collection
2015-09-15 ADDON-5559 Source type renames in version 2.7.0 of this add-on cause duplicate inputs to appear when you upgrade the add-on from any version previous to version 2.7.0 to version 2.7.0 or later.

Workaround:
Disable the _snow:syslog_ sourcetype and delete the old inputs for the _syslog_ table in ServiceNow before upgrading. Use the newly added _snow:sysevent_ sourcetype instead.
2015-09-06 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.

Third-party software attributions

Version 4.0.0 of the Splunk Add-on for ServiceNow incorporates the following third-party software libraries:

Version 3.1.0

Version 3.1.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Supported OS for data collection Platform Independent
Vendor products ServiceNow Helsinki, Istanbul, Jakarta, and Kingston

Upgrade instructions

This upgrade procedure is required for all users upgrading from any version prior to version 3.0.0 of the Splunk Add-on for ServiceNow, and who have not previously set the display_value field in service_now.conf to all. If you are collecting data with display_value=all, there is no need to upgrade.

The value of display_value is changed to all by default in Splunk Add-on for ServiceNow 3.0.0. But if you want to collect the display values using lookups and not directly from the API then the upgrade steps defined in Upgrade the Splunk Add-on for ServiceNow should be followed.

New features

Version 3.1.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Support for ServiceNow Kingston
  • Added the Configuration Management Database (CMDB) input as a default data input

Fixed issues

Version 3.1.0 of the Splunk Add-on for ServiceNow fixes the following issues.


Date resolved Issue number Description
2018-02-21 ADDON-16566 TA for ServiceNow not compatible with Jakarta

Known issues

Version 3.1.0 of the Splunk Add-on for ServiceNow has the following known issues.


Date filed Issue number Description
2022-01-13 ADDON-46758 TA for SNOW : A racing condition causes creating multiple SNOW Incident with same correlation ID.
2019-05-03 ADDON-21922 incidents being updated and overwritten several times
2018-11-05 ADDON-20601 Modular Inputs does not respect _meta
2015-09-15 ADDON-5559 Source type renames in version 2.7.0 of this add-on cause duplicate inputs to appear when you upgrade the add-on from any version previous to version 2.7.0 to version 2.7.0 or later.

Workaround:
Disable the _snow:syslog_ sourcetype and delete the old inputs for the _syslog_ table in ServiceNow before upgrading. Use the newly added _snow:sysevent_ sourcetype instead.
2015-09-06 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.

Third-party software attributions

Version 3.1.0 of the Splunk Add-on for ServiceNow incorporates the following third-party library:
Httplib2 Python library.

Version 3.0.0

Version 3.0.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.5.X or later
CIM 4.0 or later
Supported OS for data collection Platform Independent
Vendor products ServiceNow Geneva, Helsinki, Istanbul and Jakarta

New features

Version 3.0.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Support for ServiceNow Jakarta
  • The identify field is now configurable.
  • The Splunk Add-on for ServiceNow is now able to receive data from individual Assignment Groups using the ServiceNow REST API.
  • The ServiceNow CMDB CI Server savedsearch, which loads configuration management database (CMDB) information as a snapshot, to show which configuration items (CIs) were deleted. Deleted CIs can be viewed under the ServiceNow Sys Delete List, indexed under *"sourcetype="snow:sys_audit_delete
  • The Splunk Add-on for ServiceNow no longer needs lookups to perform field extractions.

Fixed issues

Version 3.0.0 of the Splunk Add-on for ServiceNow fixes the following issues.


Date resolved Issue number Description
2017-10-31 ADDON-15787 Customer is getting an Error when attempting to save info on the setup page.

Known issues

Version 3.0.0 of the Splunk Add-on for ServiceNow has the following known issues.


Date filed Issue number Description
2018-01-10 ADDON-16566 TA for ServiceNow not compatible with Jakarta
2015-09-15 ADDON-5559 Source type renames in version 2.7.0 of this add-on cause duplicate inputs to appear when you upgrade the add-on from any version previous to version 2.7.0 to version 2.7.0 or later.

Workaround:
Disable the _snow:syslog_ sourcetype and delete the old inputs for the _syslog_ table in ServiceNow before upgrading. Use the newly added _snow:sysevent_ sourcetype instead.
2015-09-06 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.

Third-party software attributions

Version 3.0.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.9.1

Version 2.9.1 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.4.X or later
CIM 4.0 or later
Platforms Platform Independent
Vendor Products ServiceNow Helsinki, Geneva, Fuji, Istanbul

New features

Version 2.9.1 of the Splunk Add-on for ServiceNow does not include any new features.

Fixed issues

Version 2.9.1 of the Splunk Add-on for ServiceNow fixes the following issues.


Date resolved Issue number Description
2017-01-23 ADDON-13414 When using modular alerts in Add-on to create a Service Now incident the "configuration_item" field is left blank even if a valid string is present.
2016-03-30 ADDON-8444 Modular input XML scheme is invalid

Known issues

Version 2.9.1 of the Splunk Add-on for ServiceNow has the following known issues.


Date filed Issue number Description
2017-09-12 ADDON-15787 Customer is getting an Error when attempting to save info on the setup page.
2015-09-15 ADDON-5559 Source type renames in version 2.7.0 of this add-on cause duplicate inputs to appear when you upgrade the add-on from any version previous to version 2.7.0 to version 2.7.0 or later.

Workaround:
Disable the _snow:syslog_ sourcetype and delete the old inputs for the _syslog_ table in ServiceNow before upgrading. Use the newly added _snow:sysevent_ sourcetype instead.
2015-09-06 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.

Third-party software attributions

Version 2.9.1 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.


Version 2.9.0

Version 2.9.0 of the Splunk Add-on for ServiceNow was released on June 27, 2016 and is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.3.X or later
CIM 4.0 or later
Platforms Platform Independent
Vendor Products ServiceNow Helsinki, Geneva, Fuji, Istanbul

Upgrade guide

The upgrade notes below are intended for customers upgrading from either version 2.7.0 or 2.8.0 to version 2.9.0. If you are upgrading from a version earlier than 2.7.0, refer also to the upgrade guide for version 2.7.0 in the Release history for the Splunk Add-on for ServiceNow for additional upgrade steps.

This version of the add-on drops support for Splunk platform versions older than 6.3.X. If you are running older versions of the Splunk platform, upgrade them to a minimum of 6.3.X before upgrading the add-on.

This version of the add-on deprecates the input for the syslog table in ServiceNow. The input is still included for backwards compatibility, but Splunk recommends that you disable this input and instead enable the newly added sysevent input which is more performant. See Source types for the Splunk Add-on for ServiceNow.

New features

Version 2.9.0 of the Splunk Add-on for ServiceNow includes the following new features.

Date Ticket number Description
2016-06-01 ADDON-9369 Support for ServiceNow customers using Helsinki, Geneva or Fuji on a bare-metal deployment of ServiceNow.
2016-05-30 ADDON-8795 Support for a performance workaround to ingest display names from ServiceNow API rather than using saved searches.
2016-05-17 ADDON-5797 New modular input for sysevent table. Deprecation of syslog table.

Fixed issues

Version 2.9.0 of the Splunk Add-on for ServiceNow fixes the following issues.

Date Defect number Description
2016-06-08 ADDON-10123
 Add-on does not support new ServiceNow API parameter "sysparm_limit" that replaces "sysparm_record_count", causing incident data input to fail
2016-05-16 ADDON-8301 Can't find service-now.conf if a proxy is configured in $SPLUNK_HOME/etc/splunk-launch.conf.
2016-02-26 ADDON-7976
 Indexing stops when one of the metadata fields contains special characters
2016-02-12 ADDON-7766
 Add-on unable to retreive data due to unhandled 403 error

Known issues

Version 2.9.0 of the Splunk Add-on for ServiceNow has the following known issues.

Date Defect number Description
2016-01-30 ADDON-7646 FIPS mode is not supported by this add-on. For a workaround, see Add-ons and FIPS mode in the Splunk Add-ons manual.
2016-01-13 ADDON-5325 requireClientCert=true in server.conf is not supported by add-ons using modular inputs and REST. If this setting is enabled in server.conf, communication is broken between the modular input and splunkd and the add-on stops collecting data. The following error appears in the splunkd.log: "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate." The workaround is to set requireClientCert=false.
2015-11-30 ADDON-6732
 Setup page error messages are unclear and do not identify the issue
2015-09-15 ADDON-5559
 Source type renames in version 2.7.0 of this add-on cause duplicate inputs to appear when you upgrade the add-on from any version previous to version 2.7.0 to version 2.7.0 or later.
Workaround: Follow the upgrade guide delete the old inputs before upgrading.
2015-09-08 ADDON-5387
 Cannot delete a field value when editing a custom alert action in Splunk version 6.3.0.
Workaround: Replace the field value that you want to delete with a whitespace.
2015-09-06 ADDON-5349
 Custom alert actions do not offer any validation for alert action fields.
2015-08-19 ADDON-5015
 Bug in ServiceNow can sometimes cause the timestamp in field sys_updated_on to be later than "now", which can cause incomplete search results
2015-03-18 ADDON-3401
 Add-on can successfully fetch data but fails to create incidents when user configures a ServiceNow URL ending in trailing slash or other spurious special characters
2015-03-03 ADDON-3254
 ServiceNow (all versions) sets the priority for incidents based on their urgency and impact values, ignoring any priority value passed manually via search commands or scripts.
Workaround: Use the impact and urgency parameters instead of the priority value.
2014-12-24 SPL-91709 When using Splunk platform version 6.3 or earlier on Windows, splunkd times out on setup. Workaround: Upgrade to Splunk platform version 6.4 or refresh the page and try again.

Third-party software attributions

Version 2.9.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.8.0

Version 2.8.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.1 or later
CIM 4.0 or later
Platforms Platform Independent
Vendor Products ServiceNow Geneva, Fuji, Eureka

New features

Version 2.8.0 of the Splunk Add-on for ServiceNow includes the following new features.

Date Ticket number Description
2015-12- ADDON-5984 Support for ServiceNow version Geneva.
2015-12- ADDON-6109 Populate incident state lookup automatically using a saved search.

Fixed issues

Version 2.8.0 of the Splunk Add-on for ServiceNow fixes the following issues.

Date Defect number Description
2015-12-01 ADDON-6733 Need to add start_by_shell=false to the [snow] stanza of inputs.conf to avoid problems with orphaned modular input processes on Ubuntu.
2015-11-29 ADDON-6101 Change incident state lookup should rely on state field rather than on incident_state field.
2015-10-20 ADDON-5982 Data returned by the ServiceNow mod input is in the form of JSON object instead of key-value pair causing lookup to fail.
2015-10-19 ADDON-5985 TA-utils calculates add-on name using the installation path, causing connection issues for customers who install the add-on in an unexpected directory.

Known issues

Version 2.8.0 of the Splunk Add-on for ServiceNow has the following known issues.

Date Defect number Description
2016-06-08 ADDON-10123
 Add-on does not support new ServiceNow API parameter "sysparm_limit" that replaces "sysparm_record_count", causing incident data input to fail
2016-03-15 ADDON-8301 Cannot load add-on's setup screen if a proxy is configured in $SPLUNK_HOME/etc/splunk-launch.conf.
2016-02-26 ADDON-7976
 Indexing stops when one of the metadata fields contains special characters
2016-02-12 ADDON-7766
 Add-on unable to retreive data due to unhandled 403 error
2016-01-30 ADDON-7646 FIPS mode is not supported by this add-on. For a workaround, see Add-ons and FIPS mode in the Splunk Add-ons manual.
2016-01-13 ADDON-5325 requireClientCert=true in server.conf is not supported by add-ons using modular inputs and REST. If this setting is enabled in server.conf, communication is broken between the modular input and splunkd and the add-on stops collecting data. The following error appears in the splunkd.log: "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate." The workaround is to set requireClientCert=false.
2015-10-30 ADDON-6732 Poor error message when user enters incorrect username or password in the setup UI.
2015-10-29 SPL-104398 For users running the Splunk platform on Ubuntu on versions prior to 6.3.0, the start_by_shell=false setting will not take effect and the Splunk platform will display a warning message on startup. Workaround: update your Splunk software to version 6.3.0 or later.
2015-09-15 ADDON-5559 Source type renames in version 2.7.0 of this add-on cause duplicate inputs to appear when you upgrade the add-on from any version previous to version 2.7.0 to version 2.7.0 or later. Workaround: Follow the upgrade guide delete the old inputs before upgrading.
2015-09-07 SPL-106370 / ADDON-5387 Cannot delete a field value when editing a custom alert action in Splunk version 6.3.0. Workaround: Replace the field value that you want to delete with a whitespace.
2015-09-07 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.
2015-03-20 ADDON-3401 Add-on can successfully fetch data but fails to create incidents when user configures a ServiceNow URL ending in trailing slash or other spurious special characters.
2015-03-12 ADDON-3254 ServiceNow (all versions) sets the priority for incidents based on their urgency and impact values, ignoring any priority value passed manually via search commands or scripts. Workaround: Use the impact and urgency parameters instead of the priority value.
2014-11-18 ADDON-2334 / ADDON-5015 Bug in ServiceNow can sometimes cause the timestamp in field sys_updated_on to be later than "now", which can cause incomplete search results.
2014-12-24 SPL-91709 When using Splunk platform version 6.3 or earlier on Windows, splunkd times out on setup. Workaround: Upgrade to Splunk platform version 6.4 or refresh the page and try again.

Third-party software attributions

Version 2.8.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.7.0

Version 2.7.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.1 or later
CIM 4.0 or later
Platforms Linux
Vendor Products ServiceNow Fuji, Eureka

Upgrade guide

Version 2.7.0 of this add-on removes support for ServiceNow versions Dublin and Calgary. The add-on retains backwards compatibility for these versions, so no migration activity is required as a result of this change.

The 2.7.0 version of the add-on uses a different API to connect to ServiceNow. The new API uses a different variation of the database table name for five tables in ServiceNow. If you had enabled these tables in the past, disable and delete these old inputs before upgrading the add-on to avoid confusion. Your old data remains valid and searchable, but all new data is indexed using the new naming.

1. Disable the following five inputs in your existing add-on:

  • cmdb_ci_list
  • cmn_location_list
  • sys_choice_list
  • sys_user_group_list
  • sys_user_list

2. Upgrade your add-on to version 2.7.0.

3. Open each of the new inputs and adjust the data collection start time to today to avoid collecting all historical data again.

  • cmdb_ci
  • cmn_location
  • sys_choice
  • sys_user_group
  • sys_user

4. Enable the new inputs.

5. Delete the five inputs ending with _list to avoid any future confusion.

ServiceNow version upgrade guide

If you were previously using the Splunk Add-on for ServiceNow with version Eureka, Dublin, or Calgary and you are now upgrading your ServiceNow instance to version Fuji, note the following behavior changes affecting incident and event creation and incident update:

1. Due to changes in ServiceNow version Fuji, snowincidentstream or snow_incident.py always creates a new incident rather than updating an existing incident, unless you supply the correlation_id for the existing incident that you wish to update.

2. Also, in ServiceNow versions Eureka, Dublin, or Calgary, for incident creation or update, if the combination of category, short_description, and contact_type, subcategory, and ci_identifier are not unique to a single incident, ServiceNow attempts to treat all affected tickets as the same ticket, causing conflicts. Similarly, for event creation, if the combination of node, resource, type, and severity are not unique to a single event, ServiceNow attempts to treat all affected events as the same event, causing conflicts. In ServiceNow version Fuji, ServiceNow no longer treats similar incidents or events as the same ticket unless the user provides an identical correlation_id.

New features

Version 2.7.0 of the Splunk Add-on for ServiceNow includes the following new feature.

Date Issue number Description
2015-09-10 ADDON-5035 On Splunk platform version 6.3.0, users can now perform push integration with ServiceNow using custom alert actions. In order to support this new feature, the argument opened_by is deprecated for incidents. It is now automatically set to the ServiceNow username of the account used for the Splunk integration with ServiceNow.

Fixed issues

Version 2.7.0 of the Splunk Add-on for ServiceNow fixes the following issues.

Date Defect number Description
2015-09-10 ADDON-2384
/SPL-40332		 On Windows, lookup tables are not populated. Note: Fixed for Splunk platform 6.3.0 and later only.
2015-07-07 ADDON-4465 Unable to run snowincident searches on a search head cluster. Note: Fixed for Splunk platform 6.3.0 and later only.

Known issues

Version 2.7.0 of the Splunk Add-on for ServiceNow has the following known issues.

Date Defect number Description
2015-11-30 ADDON-6733 When using dash shell (the default shell in Ubuntu), the Splunk platform does not terminate modular input processes properly. Workaround: If running the Splunk platform on Ubuntu, add start_by_shell=false to the [snow] stanza of inputs.conf.
2015-10-29 SPL-104398 For users running the Splunk platform on Ubuntu, the start_by_shell=false setting will not take effect and the Splunk platform will display a warning message on startup. Workaround: update your Splunk software to version 6.3.0 or later.
2015-10-19 ADDON-6101 Change incident state lookup should rely on state field rather than on incident_state field.
2015-10-08 ADDON-5982 Data returned by the ServiceNow mod input is in the form of JSON object instead of key-value pair causing lookup to fail..
2015-10-08 ADDON-5985 TA-utils calculates add-on name using the installation path, causing connection issues for customers who install the add-on in an unexpected directory.
2015-09-15 ADDON-5559 Source type renames cause duplicate inputs to appear. Workaround: Follow the migration guide to delete the old inputs before upgrading to the new version of the add-on.
2015-09-07 SPL-106370 / ADDON-5387 Cannot delete a field value when editing a custom alert action. Workaround: Replace the field value that you want to delete with a whitespace.
2015-09-07 ADDON-5349 Custom alert actions do not offer any validation for alert action fields.
2015-08-18 ADDON-4935 Due to bug in ServiceNow version Dublin, incidents created from Splunk platform have an empty incident number.
2015-03-20 ADDON-3401 Add-on can successfully fetch data but fails to create incidents when user configures a ServiceNow URL ending in trailing slash or other spurious special characters.
2015-03-12 ADDON-3254 ServiceNow (all versions) sets the priority for incidents based on their urgency and impact values, ignoring any priority value passed manually via search commands or scripts. Workaround: Use the impact and urgency parameters instead of the priority value.
2014-12-24 SPL-91709 On Windows, splunkd times out on setup.
2014-12-08 ADDON-2392 Fields in Splunk Web UI are not aligned on data input page if you zoom in.
2014-11-18 ADDON-2334 / ADDON-5015 Bug in ServiceNow can sometimes cause the timestamp in field sys_updated_on to be later than "now", which can cause incomplete search results.

Third-party software attributions

Version 2.7.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.6.1

Version 2.6.1 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.2, 6.1
CIM 4.2, 4.1, 4.0
Platforms Linux
Vendor Products ServiceNow Fuji, Eureka, Dublin, and Calgary

Fixed issues

Version 2.6.1 of the Splunk Add-on for ServiceNow fixes the following issues.

Date Defect number Description
08/04/15 ADDON-4004 Add-on fails with KeyError: 'elements' when connecting through a proxy set up in splunk-launch.conf.
08/04/15 ADDON-4449 Event navigation from ServiceNow to Splunk platform does not work in Eureka.
08/04/15 ADDON-4478 Get "Exception: Invalid proxy type=None" even with proxy setting disabled.
08/04/15 ADDON-4458 None type error thrown when URL has not been configured.
07/05/15 ADDON-4295 Overriding the autoselection of ServiceNow version does not work.

Known issues

Version 2.6.1 of the Splunk Add-on for ServiceNow has the following known issues.

Date Defect number Description
08/18/15 ADDON-4935 Due to bug in ServiceNow version Dublin, incidents created from Splunk platform have an empty incident number.
07/06/15 ADDON-4465 Unable to run snowincident searches on a search head cluster.
03/20/15 ADDON-3401 Add-on can successfully fetch data but fails to create incidents when user configures a ServiceNow URL ending in trailing slash or other spurious special characters.
03/12/15 ADDON-3254 ServiceNow (all versions) sets the priority for incidents based on their urgency and impact values, ignoring any priority value passed manually via search commands or scripts. Workaround: Use the impact and urgency parameters instead of the priority value.
12/24/14 SPL-86716 On Windows, splunkd times out on setup.
12/08/14 ADDON-2392 Fields in Splunk Web UI are not aligned on data input page if you zoom in.
11/25/14 ADDON-2384
/SPL-40332		 On Windows, lookup tables are not populated.
11/18/14 ADDON-2334 / ADDON-5015 Bug in ServiceNow can sometimes cause the timestamp in field sys_updated_on to be later than "now", which can cause incomplete search results.

Third-party software attributions

Version 2.6.1 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.6.0

Version 2.6.0 of the Splunk Add-on for ServiceNow has the same compatibility specifications as version 2.6.1.

New features

Date Defect number Description
04/14/15 ADDON-3707 Ship syslog, syslog_transaction, and sys_audit endpoints for data collecting by default
03/22/15 ADDON-3026 Support for ServiceNow version Fuji.
03/19/15 ADDON-2925 Support deep dive URLs in incidents.
03/04/15 ADDON-3236 Setup screen can automatically detect ServiceNow version.
03/04/15 ADDON-3200 Populate CSVs via saved searches for ServiceNow choice fields.

Fixed issues

Version 2.6.0 of the Splunk Add-on for ServiceNow fixes the following issues.

Date Defect number Description
04/13/15 ADDON-3678 The transpose command in the add-on conflicts with a command in the Search and Reporting app and causes problems with Splunk App for Enterprise Security.
04/10/15 ADDON-3576 Input fails on newlines in description field.
03/24/15 ADDON-2296 Workflow actions do not work in Splunk Enterprise 6.2.
03/12/15 ADDON-3302 Wildcards in sourcetype not working as expected.
03/12/15 ADDON-3254 Fail to set incident priority through search command "snowincident"
03/03/15 ADDON-3196 Commands.conf has default stanza globally impacting search commands.
02/10/15 ADDON-3022 Updates to non-mandatory parameters result in a new URL.

Known issues

Version 2.6.0 of the Splunk Add-on for ServiceNow has the following known issues.

Date Defect number Description
05/13/15 ADDON-4004 Add-on fails with KeyError: 'elements' when connecting through a proxy set up in splunk-launch.conf. Workaround: Do not use global proxy settings with add-ons. Instead, configure a proxy using the add-on's built-in proxy configuration support.
03/20/15 ADDON-3401 Add-on can successfully fetch data but fails to create incidents when user configures a ServiceNow URL ending in trailing slash or other spurious special characters.
03/12/15 ADDON-3254 ServiceNow (all versions) sets the priority for incidents based on their urgency and impact values, ignoring any priority value passed manually via search commands or scripts. Workaround: Use the impact and urgency parameters instead of the priority value.
12/24/14 SPL-86716 On Windows, splunkd times out on setup.
12/08/14 ADDON-2392 Fields in Splunk Web UI are not aligned on data input page if you zoom in.
11/25/14 ADDON-2384
/SPL-40332		 On Windows, lookup tables are not populated.
11/18/14 ADDON-2334 When running a search "sourcetype=snow:change_request", the timestamp (in field sys_updated_on) is later than "now", which can cause incomplete search results.

Third-party software attributions

Version 2.6.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Version 2.5.0

Version 2.5.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms.

Splunk Enterprise versions 6.2, 6.1
CIM 4.1, 4.0
Platforms Platform independent
Vendor Products ServiceNow Eureka, Dublin, and Calgary

New features

Version 2.5.0 of the Splunk Add-on for ServiceNow included the following new features.

Date Issue number Description
11/25/14 ADDON-683 The add-on is now Splunk supported.
11/25/14 ADDON-683 The add-on now ingests data to Ticket Management data model.
11/25/14 ADDON-683 The add-on gets data from ServiceNow CMDB API into Splunk Enterprise for data enrichment.
11/25/14 ADDON-683 Added the ability to create new incidents and events from Splunk Enterprise.
11/25/14 ADDON-683 Added the ability to manage incidents from Splunk Enterprise if they were created from Splunk Enterprise.
11/25/14 ADDON-1889 Added prebuilt panels.
11/25/14 ADDON-1878 Add-on now routes data to the main index by default.
11/14/14 ADDON-1857 Added support for ServiceNow versions Eureka and Dublin.

Fixed issues

Version 2.5.0 of the Splunk Add-on for ServiceNow fixed the following issues.

Date Defect number Description
12/18/14 ADDON-2317 Log level "FATAL" does not work.
12/18/14 ADDON-2335 Add-on fails to create event with custom search command when specifying time_of_event.
12/13/14 ADDON-2309 There is no column for "additional info" in ServiceNow in splunk_incident.

Known issues

Version 2.5.0 of the Splunk Add-on for ServiceNow had the following known issues.

Date Defect number Description
04/13/15 ADDON-3678 The transpose command in the add-on conflicts with a command in the Search and Reporting app and causes problems with Splunk App for Enterprise Security.
12/11/14 N/A The custom search commands and alert-triggered scripts included in this add-on are limited in their ability to create and update events in ServiceNow, per ServiceNow design. For incident creation or update, if the combination of category, short_description, and contact_type are not unique to a single incident, ServiceNow will attempt to treat all affected tickets as the same ticket, causing conflicts. Similarly, for event creation, if the combination of node, resource, type, and severity are not unique to a single event, ServiceNow will attempt to treat all affected events as the same event, causing conflicts.
12/08/14 ADDON-2392 Fields in Splunk Web UI are not aligned on data input page.
11/18/14 ADDON-2334 When running a search "sourcetype=snow:change_request", the timestamp (in field sys_updated_on) is later than "now", which can cause incomplete search results.

Third-party software attributions

Version 2.5.0 of the Splunk Add-on for ServiceNow incorporates the Httplib2 Python library.

Hardware and software requirements for the Splunk Add-on for ServiceNow

To install and configure the Splunk Add-on for ServiceNow, you must have an admin or sc_admin role. To perform push integration with ServiceNow, you must be an administrator or have the admin_all_objects capability in the Splunk platform. This requirement applies to custom commands and alert-triggered scripts.

ServiceNow setup requirements

See the following hardware and software requirements for ingesting data into your Splunk platform deployment from your ServiceNow instance. See the release notes of this manual to learn about supported versions of ServiceNow.

ServiceNow account requirements for integration

You must configure permissions in your ServiceNow account to collect data and for push integration. To set up push integration from the Splunk platform to ServiceNow, see Configure ServiceNow to integrate with the Splunk platform, which includes instructions for configuring access control rules that allow the ServiceNow account to access the data and to perform push integration enabled by the add-on.

If you do not use push integration, create an ACL that has read-only access to all database tables from which you want to collect data. Some of these database tables are restricted to administrators by default.

ServiceNow administrator access for setup

You must have an administrator account on your ServiceNow instance to set up integration with the Splunk platform. This is required to enable users to create ServiceNow incidents and events from the Splunk platform.

ServiceNow Event Management plugin

You must install and enable the Event Management plugin in your ServiceNow environment to:

  • Use the event-related workflow actions included in this add-on.
  • Support event-related push integration with ServiceNow.

To see which push integration features require the plugin, see About the commands, alert actions, and scripts available with the Splunk Add-on for ServiceNow. Install and enable the Event Management plugin before you perform the steps in Configure ServiceNow to integrate with the Splunk platform.

Without the Event Management plugin, you can use this add-on to pull data from ServiceNow and create and update incidents from the Splunk platform. You cannot create events from the Splunk platform without the Event Management plugin.

For more about the Event Management plugin, search for "Event Management" in the ServiceNow product documentation.

ServiceNow Oauth setup requirements

The Splunk Add-on for ServiceNow supports Oauth 2.0 communication between your ServiceNow instance and your Splunk platform deployment.

  1. Install and activate the Oauth plugin on your ServiceNow instance to use the feature of OAuth 2.0 from Splunk Add-on for ServiceNow.
  2. Verify the property com.snc.platform.security.oauth.is.active is set to true.

See Configure ServiceNow to integrate with the Splunk platform for detailed Oauth application registry setup at ServiceNow.

Splunk platform requirements

Because this add-on runs on the Splunk platform, all of the system requirements apply for the Splunk software that you use to run this add-on.

  • For Splunk Enterprise system requirements, see System Requirements in the Splunk Enterprise Installation Manual.
  • To run this add-on entirely in Splunk Cloud, there are no additional Splunk platform requirements.
  • For Splunk Light system requirements, see System Requirements in the Splunk Light Installation Manual.
  • To manage on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual.

For information about installation locations and environments, see Install the Splunk Add-on for ServiceNow.

Last modified on 15 October, 2024
Release notes for the Splunk Add-on for ServiceNow   Hardware and software requirements for the Splunk Add-on for ServiceNow

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters