Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Release notes for the Splunk Add-on for ServiceNow

Version 7.7.0 of the Splunk Add-on for ServiceNow was released on December 8, 2023.


Version 7.7.0 of the Splunk Add-on for ServiceNow is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x, 9.1.x
CIM 5.1.0
Supported OS for data collection Platform Independent
Vendor products ServiceNow Quebec, Rome, San Diego, Tokyo, Utah, and Vancouver

Splunk has reviewed and updated the field aliases in this add-on for compatibility with the new field alias behavior change available from Splunk v7.3.4 and above.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 7.7.0 of the Splunk Add-on for ServiceNow includes the following new features:

  • Added support for ServiceNow Vancouver.

Version 6.3.0 and above of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value = false (extractions and Common Information Model (CIM) mappings) setting. The best practice is to set display_value to all in your deployment going forward and to revert the extractions in your props.conf accordingly. For more information, see the Edit the display values for the ServiceNow API section of the Upgrade topic in this manual.

From the ServiceNow add-on release 7.2.1 onward, we have removed the support of HTTP_NO_TUNNEL and SOCKS4 proxy. We recommend using an HTTP or SOCKS5 proxy instead.

Fixed issues

Version 7.7.0 of the Splunk Add-on for ServiceNow has the following, if any, fixed issues. If no issues appear below, no issues have yet been reported:

Known issues

Version 7.7.0 of the Splunk Add-on for ServiceNow has the following known issues. If no issues appear below, no issues have yet been reported:

Date filed Issue number Description
2023-07-18 ADDON-63502 Service Now TA Integration not returning Incident value to ITSI : returning SPL instead of INC prefix when passing Default endpoint arguments

Remove the default value (/api/now/table/x_splu2_splunk_ser_u_splunk_incident) from the scripted_endpoint textbox.
2022-09-13 ADDON-55704 Data miss due to active updation of records during data collection
2021-03-06 ADDON-34668 ITSI ServiceNow TA passing timestamp in wrong format

1. From the ServiceNow interface, select Transform Maps under the System Import Sets -> Administration section and search for "Splunk Incident Transformation" under the Name column.

2. Click on the Splunk Incident Transformation transform map then scroll down under "Field Maps" till you find "sys_created_on" under the "Source Field" column.
3. Click on the "sys_created_on" row.
4. Change the Date format field from "yyyy-MM-dd hh:mm:ss" to "yyyy-MM-dd HH:mm:ss" and click Update at the top right corner.
5. Again click on Update to update the "Splunk Incident Transformation" transform map.

Note: In some of the ServiceNow versions (eg. San Diego), it has been observed that UI is rendering the date format with 'HH' time stamp even though 'hh' is there in the backend. So to fix this type of issue open the transform mapping of 'sys_created_on' and remove the date format value whichever is present and re-update that with "yyyy-MM-dd HH:mm:ss" value.

2019-09-10 ADDON-23239 Getting ERROR exception logs in splunkd.log for Inputs Page

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a document file for download:
Splunk Add-on for ServiceNow third-party software credits.

Last modified on 07 February, 2024
Source types for the Splunk Add-on for ServiceNow
Release history for the Splunk Add-on for ServiceNow

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters