Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Set up the Splunk Add-on for ServiceNow

You can configure the Splunk Add-on for ServiceNow through Splunk Web or by modifying configuration files. If your Splunk platform deployment is distributed, you must perform these setup steps on your data collection nodes (usually one or more heavy forwarders) and on your search heads. Search head configuration is only necessary if you want to perform push integration from search commands, alert actions, and alert-triggered scripts.

If you are using this add-on with a search head cluster, perform these setup steps on one search head node in Splunk Web. The cluster syncs the settings to your other nodes. Click Settings > Show All Settings to see the setup link on your search head cluster node.

Set up using Splunk Web

Complete these steps to set up the Splunk Add-on for ServiceNow using Splunk Web:

  1. Go to the add-on's landing page, either by clicking the name of this add-on on the left navigation banner on your Splunk platform's home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
  2. Click the Configuration tab.
  3. Go to the ServiceNow Account tab.
  4. Click Add.
  5. In the Add ServiceNow Account dialog box, fill in the required fields:
    Field          Description
    Account Name   Enter a unique account name.
    URL            Enter the URL of your ServiceNow instance.
    Username       Enter your ServiceNow account username.
    Password       Enter your ServiceNow account password.
  6. Click Add:
    • If the entered information is authenticated successfully, the add-on saves the account information.
    • If you have entered incorrect credentials or an incorrect URL, an error message appears in the dialog box. If you see such a message, verify the information you have entered and try again.

If you have multiple search heads that are not in a search head cluster, perform the preceding steps on each search head to support search-time push integration. Configure data collection only on your data collection nodes, typically one or more heavy forwarders.

Configure a proxy using Splunk Web

Follow these steps to configure a proxy using Splunk Web:

  1. Go to the Splunk Add-on for ServiceNow's landing page, either by clicking the name of this add-on on the left navigation banner on the Splunk software's home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
  2. Click the Configuration tab.
  3. Click the ServiceNow Proxy Setup tab.
  4. (Optional) If you are using a proxy, check Enable Proxy and fill in the required fields.
  5. Click Save to save your configurations.

Configure logging level using Splunk Web

  1. Go to the Splunk Add-on for ServiceNow's landing page, either by clicking the name of this add-on on the left navigation banner on the Splunk software's home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
  2. Click the Configuration tab.
  3. Go to the Logging tab.
  4. (Optional) If you want to change the logging level, select a new level from the drop-down menu.
  5. Click Save to save your configurations.

Set up the add-on using configuration files

  1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_snow and create a /local directory if it does not already exist.
  2. Create splunk_ta_snow_account.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local.
  3. For each unique account name you want to keep, create a stanza. Make the stanza name the same as the account name:
    Stanza          Argument                            Description
    [account_name]  url                                 The URL of your ServiceNow instance.
                    username                            The username of the ServiceNow account. If you configured ServiceNow to integrate with the Splunk platform, use the same username that you configured during the integration for this step. If you did not perform this configuration, use an account that has, at minimum, read-only permissions to the database tables from which you want to collect data.
                    password                            The password of the ServiceNow account.
                    record_count                        (Optional) The maximum number of records to retrieve from ServiceNow each time. The value must be larger than 0, and the default is 1000. To avoid performance issues, the count must be less than 10000.
                    disable_ssl_certificate_validation  (Optional) To disable SSL certificate validation, enter 1. The default is 0.
  4. (Optional) Copy Splunk_TA_snow/default/service_now.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local. Configure the values using the following table:
    Stanza          Argument       Description
    [snow_default]  priority       Used by the job scheduler.
                    display_value  When grouping by reference or choice fields, the query returns either the display value, the actual value in the database, or both, based on this value. display_value=false returns actual values from the database. display_value=all returns both actual and display values. The default is "all".
  5. Copy Splunk_TA_snow/default/splunk_ta_snow_settings.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local, if it does not already exist. Configure the values using the following table:
    Stanza     Argument        Description
    [logging]  loglevel        Specifies the verbosity of the logs. Default is INFO. Log level can be DEBUG, INFO, WARNING, ERROR or CRITICAL.
    [proxy]    proxy_enabled   Indicates whether connection to ServiceNow occurs through a proxy. The default is false.
               proxy_url       URL or IP address for the proxy connection, which is invoked only if proxy_enabled is set to true.
               proxy_port      Port for the proxy connection, which is invoked only if proxy_enabled is set to true.
               proxy_username  Username for the proxy connection, which is invoked only if proxy_enabled is set to true.
               proxy_password  Password for the proxy connection, which is invoked only if proxy_enabled is set to true.
               proxy_rdns      If you use the proxy to do DNS resolution, set this value to 1. The default is 0.
               proxy_type      The default is http. Other accepted values are http_no_tunnel, socks4, and socks5.
  6. Save your changes.
  7. Restart your Splunk instance.
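
The following is an added example, not part of the Splunk documentation or the add-on's own code: a check of splunk_ta_snow_account.conf and splunk_ta_snow_settings.conf against the argument tables above, meant to be run before the restart. The sample file contents, stanza names and function names are constructed for illustration, and Python's configparser is assumed to be a close enough approximation of the .conf syntax for these two simple files.

```python
import configparser
# Constructed samples (placeholder names, hosts, credentials); ALLOWED holds this page's accepted values.
ACCOUNT_CONF = """
[snow_prod]
url = https://example.service-now.com
username = splunk_reader
password = PLACEHOLDER
[snow_lab]
url = https://lab.example.service-now.com
username = splunk_reader
record_count = 20000
disable_ssl_certificate_validation = 1
"""
SETTINGS_CONF = """
[logging]
loglevel = DEBUG
[proxy]
proxy_enabled = true
proxy_type = https
"""
ALLOWED = {("logging", "loglevel", "INFO"): {"DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"},
           ("proxy", "proxy_type", "http"): {"http", "http_no_tunnel", "socks4", "socks5"}}

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' in passwords literal
    cp.read_string(text)
    return cp

def audit_accounts(text):
    cp, findings = _load(text), []
    for name in cp.sections():
        s = cp[name]
        for key in ("url", "username", "password"):  # not marked optional in the table
            if not s.get(key, "").strip():
                findings.append((name, f"missing {key}"))
        count = s.get("record_count", "1000").strip()  # documented default
        if not count.isdigit() or not 0 < int(count) < 10000:
            findings.append((name, f"record_count out of range: {count}"))
        if s.get("disable_ssl_certificate_validation", "0").strip() == "1":
            findings.append((name, "certificate validation disabled"))
    return findings

def audit_settings(text):
    cp, findings = _load(text), []
    for (sec, key, default), allowed in ALLOWED.items():
        value = cp.get(sec, key, fallback=default).strip()
        if value not in allowed:
            findings.append((sec, f"unsupported {key}: {value}"))
    return findings
```

A "certificate validation disabled" finding means the account stanza sets disable_ssl_certificate_validation to 1, so the add-on will not validate the ServiceNow instance's certificate for that account.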

If you have multiple search heads that are not in a search head cluster, perform the preceding steps on each search head to support search-time push integration. Configure data collection only on your data collection nodes, typically one or more heavy forwarders.


This documentation applies to the following versions of Splunk® Supported Add-ons: released

