Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Set up the Splunk Add-on for ServiceNow

You can configure the Splunk Add-on for ServiceNow through Splunk Web or by modifying configuration files. Authenticate your ServiceNow accounts using one of the following processes:

  • Basic authentication
  • OAuth 2.0 authentication

Configure basic authentication either through Splunk Web or by making changes directly in configuration files. Due to the complexity of the setup, configuring this add-on through Splunk Web is a best practice. OAuth authentication must be configured through Splunk Web.

If you have a distributed Splunk platform deployment, you must perform these setup steps on your data collection nodes (usually one or more heavy forwarders) and on your search heads. Search head configuration is only necessary if you want to perform push integration from search commands, alert actions, and alert-triggered scripts.

If you are using this add-on with a search head cluster, perform these setup steps on one search head node in Splunk Web. The cluster syncs the settings to your other nodes. Click Settings > Show All Settings to see the setup link on your search head cluster node.

Set up basic authentication using Splunk Web

Complete these steps to set up the Splunk Add-on for ServiceNow using Splunk Web:

Basic Authentication configuration requires access to the user interface of your ServiceNow Instance. User roles that do not have user interface access can't configure their ServiceNow account to use Basic Authentication.

  1. In Splunk Web, navigate to the Splunk Add-on for ServiceNow, either by clicking the name of this add-on on the left navigation banner on your Splunk platform Home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
  2. Go to the ServiceNow Account tab.
  3. Click Add.
  4. In the Add ServiceNow Account dialog box, fill in the required fields:
    Field | Description
    Account Name | Enter a unique account name.
    URL | Enter the URL of your ServiceNow instance.
    Auth Type | Select Basic Authentication.
    Username | Enter your ServiceNow account username.
    Password | Enter your ServiceNow account password.
    Record Count | Enter the maximum number of records to be fetched at each API call to the database tables. Value must be between 1 and 10000. Default is 3000.

    Note: Reducing the record count value will result in a slower data collection rate.

  5. Click Add:
    • If the entered information is authenticated successfully, the add-on saves the account information.
    • If you have entered incorrect credentials or an incorrect URL, an error message appears in the dialog box. If you see such a message, verify the information you have entered and try again.

If you have multiple search heads that are not in a search head cluster, perform the preceding steps on each search head to support search-time push integration. Configure data collection only on your data collection nodes, typically one or more heavy forwarders.

Set up OAuth authentication using Splunk Web

The OAuth 2.0 specification only supports HTTPS redirects. Users need to turn on SSL for Splunk Web on the Splunk platform instance you are using for ServiceNow data collection. See Turn on encryption (https) with Splunk Web in the Splunk Enterprise security documentation for details on how to turn on SSL for Splunk Web.

OAuth Authentication configuration requires UI access to your ServiceNow Instance. User roles that do not have UI access will not be able to configure their ServiceNow account to use OAuth.

  1. In Splunk Web, navigate to the Splunk Add-on for ServiceNow homepage.
  2. On the Configuration page, click on the Accounts tab.
  3. Click Add.
  4. In the Add ServiceNow Account dialog box, fill in the required fields:
    Field | Description
    Account Name | Enter a unique account name.
    URL | Enter the URL of your ServiceNow instance.
    Auth Type | Select OAuth 2.0 Authentication.
    Client ID | Enter your ServiceNow Client ID.
    Client Secret | Enter your ServiceNow Client Secret.
    Redirect URL | Copy the Redirect URL shown on the screen, paste it into your ServiceNow Application Registry, and save it.
    Record Count | Enter the maximum number of records to be fetched at each API call to the database tables. Value must be between 1 and 10000. Default is 3000.
  5. Click Add.
  6. A popup opens for authorization consent from your ServiceNow instance. Enter your authorization credentials. If you have SSO, SAML or other authentication set up, enter the authorization credentials in the popup. Ensure that you complete the authentication process in less than 30 seconds.
  7. Click Allow.
  8. User credentials used in configuration must have the following role: x_splu2_splunk_ser.Splunk

Optional Splunk Web configurations

Configure a proxy using Splunk Web

Follow these steps to configure a proxy using Splunk Web:

  1. Go to the Splunk Add-on for ServiceNow's landing page, either by clicking the name of this add-on on the left navigation banner on the Splunk software's home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
  2. Click the Configuration tab.
  3. Click the ServiceNow Proxy Setup tab.
  4. (Optional) If you are using a proxy, check Enable Proxy and fill in the required fields.
    Field | Description
    Enable Proxy | Indicates whether connection to ServiceNow occurs through a proxy.
    Proxy Host | Hostname or IP address for the proxy connection.
    Proxy Port | Port for the proxy connection.
    Proxy Username | Username for the proxy connection.
    Proxy Password | Password for the proxy connection.
    Use Proxy for DNS Resolution | Whether you use the proxy to do DNS resolution. If your hostname is used in the proxy host when you use DNS resolution, this field is required.
    Proxy Type | Type of proxy connection. Compatible values: http or socks5.
  5. Click Save to save your configurations.

Configure logging level using Splunk Web

  1. Go to the Splunk Add-on for ServiceNow's landing page, either by clicking the name of this add-on on the left navigation banner on the Splunk software's home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
  2. Click the Configuration tab.
  3. Go to the Logging tab.
  4. (Optional) If you want to change the logging level, select a new level from the drop-down menu.
  5. Click Save to save your configurations.

Configure API selection using Splunk Web

  1. Go to the Splunk Add-on for ServiceNow's landing page, either by clicking the name of this add-on on the navigation banner on the Splunk software's home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
  2. Click the Configuration tab.
  3. Go to the API Selection tab.
  4. (Optional) If you want to change the API for incident creation, select a new value from the drop-down menu.
  5. Click Save to save your configurations.
  6. Check the section About Table API and Import Set API if you are switching to Import Set API.

Set up the add-on using configuration files

Splunk Cloud Platform
Use the Splunk Web steps for setting up the add-on, as described in the previous sections. You can't set up the add-on using the configuration files.
Splunk Enterprise
To set up the Splunk Add-on for ServiceNow using the configuration files, follow these steps.
Prerequisites

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps
Complete these steps to set up the Splunk Add-on for ServiceNow using configuration files:
  1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_snow and create a /local directory if it does not already exist.
  2. Create a file called splunk_ta_snow_account.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local directory.
  3. For each unique account name you want to keep, create a stanza. Make the stanza name the same as the account name:
    Stanza | Setting | Description
    [account_name] | url | The URL of your ServiceNow instance.
    [account_name] | auth_type | Enter the value basic.
    [account_name] | username | The username of the ServiceNow account. If you configured ServiceNow to integrate with the Splunk platform, use the same username that you configured during the integration for this step. If you did not perform this configuration, use an account that has, at minimum, read-only permissions to the database tables from which you want to collect data.
    [account_name] | password | The password of the ServiceNow account.
    [account_name] | record_count | (Optional) The maximum number of records to retrieve from ServiceNow each time. The value must be between 1 and 10000, and the default is 3000. To avoid performance issues, the count must be less than 10000.
    [account_name] | disable_ssl_certificate_validation | (Optional) To disable SSL certificate validation, enter 1. The default is 0.
  4. (Optional) Review the default values for the settings in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/default/service_now.conf file. To use different values, create a file called service_now.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local directory. Add the stanzas and settings that you want to change to the file in the local directory.
    Stanza | Setting | Description
    [snow_default] | priority | Used by the job scheduler.
    [snow_default] | display_value | When grouping by reference or choice fields, the query returns either the display value, the actual value in the database, or both, based on this value. display_value=false returns actual values from the database. display_value=all returns both actual and display values. The default is "all". It is a best practice to set display_value to all, as it provides better performance.

    Version 6.3.0 of the Splunk Add-on for ServiceNow deprecates support (extractions and Common Information Model (CIM) mappings) for events fetched through the display_value=false setting.

  5. Review the values for the settings in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/default/splunk_ta_snow_settings.conf file. The values for the settings are listed in the following table. To use different values, create a file called splunk_ta_snow_settings.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local directory. Add only the stanzas and settings that you want to change to the file in the local directory.
    Stanza | Setting | Description
    [logging] | loglevel | Specifies the verbosity of the logs. Default is INFO. Log level can be DEBUG, INFO, WARNING, ERROR or CRITICAL.
    [proxy] | proxy_enabled | Indicates whether connection to ServiceNow occurs through a proxy. The default is false.
    [proxy] | proxy_url | Hostname or IP address for the proxy connection, which is invoked only if proxy_enabled is set to true.
    [proxy] | proxy_port | Port for the proxy connection, which is invoked only if proxy_enabled is set to true.
    [proxy] | proxy_username | Username for the proxy connection, which is invoked only if proxy_enabled is set to true.
    [proxy] | proxy_password | Password for the proxy connection, which is invoked only if proxy_enabled is set to true.
    [proxy] | proxy_rdns | If you use the proxy to do DNS resolution, set this value to 1. The default is 0.
    [proxy] | proxy_type | The default is http. The other accepted value is socks5.
    [api_selection] | selected_api | Specifies the API to use for creating incidents in the ServiceNow platform. Default is table_api. Selected API can be table_api or import_set_api.
  6. Save your changes.
  7. Restart your Splunk instance.

If you have multiple search heads that are not in a search head cluster, perform the preceding steps on each search head to support search-time push integration. Configure data collection only on your data collection nodes, typically one or more heavy forwarders.

About Table API and Import Set API

The Table API provides endpoints that allow you to perform create, read, update, and delete (CRUD) operations on existing tables. The calling user must have sufficient roles to access the data in the table specified in the request. Check out this documentation for more information on the Table API.

The Import Set API provides endpoints that allow you to interact with import set tables. The API transforms incoming data based on associated transform maps. The Import Set API supports synchronous transforms. Check out this documentation for more information on the Import Set API.

Why Switch to Import Set API from Table API

If you see duplicate incidents (more than one incident with the same correlation_id), you can resolve the issue by switching to the Import Set API. Along with switching to the Import Set API, set the glide.import_set_insert_serialized.x_splu2_splunk_ser_u_splunk_incident property to true. Check out this documentation for more details.

Add SSL certificate to trust lists

If you encounter an SSLHandshakeError:

  • The SSL certificate entry might be missing from your certificate store.
  • The ServiceNow server is configured with a self-signed certificate that isn't present in the library's certificate store.

Follow these steps to resolve the issue:

  1. Download the root CA certificate used in your ServiceNow deployment.
  2. Copy the contents of the new certificate.
  3. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_snow.
  4. Create a new <certs_file>.pem file and add the content of the new certificate. Append the new certificate content if the file is already present.
  5. Open the local/splunk_ta_snow_settings.conf file in a text editor. Create the file if it is not present.
  6. Add the ca_certs_path parameter value as follows:
    [additional_parameters]
    # Absolute path to the <certs_file>.pem file
    ca_certs_path=/opt/splunk/etc/apps/Splunk_TA_snow/custom_ca_certs.pem

  7. Save your changes.
  8. Restart your Splunk instance.

The certificates of all the ServiceNow servers configured in the add-on must be present in the .pem file if the ca_certs_path parameter is used as described in the preceding steps.
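
The account stanza settings described under "Set up the add-on using configuration files" and the ca_certs_path setting described above can be checked together before a restart. The following Python script is an added example, not part of the add-on or of Splunk's own tooling: it flags accounts that disable certificate validation (the trust list above is the alternative), record_count values outside the documented range, and a relative ca_certs_path. The function names, the sample stanzas and hosts, and the check that url uses https are assumptions made for this example.

```python
import configparser
import os

# Constructed sample content; account names, hosts and paths are placeholders.
ACCOUNT_CONF = """
[snow_prod]
url = https://example.service-now.com
record_count = 3000

[snow_lab]
url = http://lab.example.internal
record_count = 20000
disable_ssl_certificate_validation = 1
"""
SETTINGS_CONF = """
[additional_parameters]
ca_certs_path = custom_ca_certs.pem
"""

def _parse(text):
    # interpolation=None so a '%' in a password or URL is read literally
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def audit_accounts(text):
    """Return (stanza, finding) pairs for splunk_ta_snow_account.conf content."""
    findings = []
    conf = _parse(text)
    for name in conf.sections():
        stanza = conf[name]
        if stanza.get("disable_ssl_certificate_validation", "0").strip() == "1":
            findings.append((name, "certificate validation disabled"))
        # Added policy check (assumption): credentials should only travel over TLS.
        if not stanza.get("url", "").lower().startswith("https://"):
            findings.append((name, "url is not https"))
        count = stanza.get("record_count", "3000").strip()
        if not (count.isdigit() and 1 <= int(count) <= 10000):
            findings.append((name, "record_count outside 1-10000"))
    return findings

def audit_settings(text):
    """Return (stanza, finding) pairs for splunk_ta_snow_settings.conf content."""
    findings = []
    conf = _parse(text)
    ca_path = conf.get("additional_parameters", "ca_certs_path", fallback="")
    if ca_path and not os.path.isabs(ca_path.strip()):
        findings.append(("additional_parameters", "ca_certs_path is not absolute"))
    return findings
```

To check a real deployment, pass the contents of the files in the add-on's local directory to the two functions instead of the sample strings.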

Last modified on 06 September, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

