Splunk® Supported Add-ons

Splunk Add-on for ServiceNow

Set up the Splunk Add-on for ServiceNow

You can configure the Splunk Add-on for ServiceNow through Splunk Web or by modifying configuration files. Authenticate your ServiceNow accounts using one of the following processes:

  • Basic authentication
  • OAuth 2.0 authentication

Configure basic authentication either through Splunk Web or by making changes directly in configuration files. Due to the complexity of the setup, configuring this add-on through Splunk Web is a best practice. OAuth authentication must be configured through Splunk Web.

If you have a distributed Splunk platform deployment, you must perform these setup steps on your data collection nodes (usually one or more heavy forwarders) and on your search heads. Search head configuration is only necessary if you want to perform push integration from search commands, alert actions, and alert-triggered scripts.

If you are using this add-on with a search head cluster, perform these setup steps on one search head node in Splunk Web. The cluster syncs the settings to your other nodes. Click Settings > Show All Settings to see the setup link on your search head cluster node.

Set up basic authentication using Splunk Web

Complete these steps to set up the Splunk Add-on for ServiceNow using Splunk Web:

  1. In Splunk Web, navigate to the Splunk Add-on for ServiceNow, either by clicking the name of this add-on on the left navigation banner on your Splunk platform Home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
  2. Go to the ServiceNow Account tab.
  3. Click Add.
  4. In the Add ServiceNow Account dialog box, fill in the required fields:
    Field | Description
    Account Name | Enter a unique account name.
    URL | Enter the URL of your ServiceNow instance.
    Auth Type | Select Basic Authentication.
    Username | Enter your ServiceNow account username.
    Password | Enter your ServiceNow account password.
  5. Click Add:
    • If the entered information is authenticated successfully, the add-on saves the account information.
    • If you have entered incorrect credentials or an incorrect URL, an error message appears in the dialog box. If you see such a message, verify the information you have entered and try again.

If you have multiple search heads that are not in a search head cluster, perform the preceding steps on each search head to support search-time push integration. Configure data collection only on your data collection nodes, typically one or more heavy forwarders.

Set up OAuth authentication using Splunk Web

The OAuth 2.0 specification only supports HTTPS redirects. Users need to turn on SSL for Splunk Web on the Splunk platform instance you are using for ServiceNow data collection. See Turn on encryption (https) with Splunk Web in the Splunk Enterprise security documentation for details on how to turn on SSL for Splunk Web.

OAuth Authentication configuration requires UI access to your ServiceNow Instance. User roles that do not have UI access will not be able to configure their ServiceNow account to use OAuth.

  1. In Splunk Web, navigate to the Splunk Add-on for ServiceNow homepage.
  2. On the Configuration page, click on the Accounts tab.
  3. Click Add.
  4. In the Add ServiceNow Account dialog box, fill in the required fields:
    Field | Description
    Account Name | Enter a unique account name.
    URL | Enter the URL of your ServiceNow instance.
    Auth Type | Select OAuth 2.0 Authentication.
    Client ID | Enter your ServiceNow Client ID.
    Client Secret | Enter your ServiceNow Client Secret.
    Redirect URL | Copy and paste the Redirect URL you see on the screen in your ServiceNow Application Registry and save it.
  5. Click Add.
  6. A popup opens for authorization consent from your ServiceNow instance. Enter your authorization credentials.
  7. Click Allow.
  8. User credentials used in configuration must have the following role: x_splu2_splunk_ser.Splunk

Optional Splunk Web configurations

Configure a proxy using Splunk Web

Follow these steps to configure a proxy using Splunk Web:

  1. Go to the Splunk Add-on for ServiceNow's landing page, either by clicking the name of this add-on on the left navigation banner on the Splunk software's home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
  2. Click the Configuration tab.
  3. Click the ServiceNow Proxy Setup tab.
  4. (Optional) If you are using a proxy, check Enable Proxy and fill in the required fields.
    Field | Description
    Enable Proxy | Indicates whether connection to ServiceNow occurs through a proxy.
    Proxy Host | Hostname or IP address for the proxy connection.
    Proxy Port | Port for the proxy connection.
    Proxy Username | Username for the proxy connection.
    Proxy Password | Password for the proxy connection.
    Use Proxy for DNS Resolution | Select this option if you use the proxy to do DNS resolution. This field is required if your hostname is used in the proxy host when you use DNS resolution.
    Proxy Type | Type of proxy connection. Compatible values: http, http_no_tunnel, socks4, or socks5.
  5. Click Save to save your configurations.

Configure logging level using Splunk Web

  1. Go to the Splunk Add-on for ServiceNow's landing page, either by clicking the name of this add-on on the left navigation banner on the Splunk software's home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
  2. Click the Configuration tab.
  3. Go to the Logging tab.
  4. (Optional) If you want to change the logging level, select a new level from the drop-down menu.
  5. Click Save to save your configurations.

Set up the add-on using configuration files

Prerequisites

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps

Complete these steps to set up the Splunk Add-on for ServiceNow using configuration files:

  1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_snow and create a /local directory if it does not already exist.
  2. Create a file called splunk_ta_snow_account.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local directory.
  3. For each unique account name you want to keep, create a stanza. Make the stanza name the same as the account name:
    Stanza | Setting | Description
    [account_name] | url | The URL of your ServiceNow instance.
    [account_name] | auth_type | Enter the value basic.
    [account_name] | username | The username of the ServiceNow account — if you configured ServiceNow to integrate with the Splunk platform, use the same username that you configured during the integration for this step. If you did not perform this configuration, use an account that has, at minimum, read-only permissions to the database tables from which you want to collect data.
    [account_name] | password | The password of the ServiceNow account.
    [account_name] | record_count | (Optional) The maximum number of records to retrieve from ServiceNow each time. The value must be larger than 0, and the default is 1000. To avoid performance issues, the count must be less than 10000.
    [account_name] | disable_ssl_certificate_validation | (Optional) To disable SSL certificate validation, enter 1. The default is 0.
  4. (Optional) Review the default values for the settings in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/default/service_now.conf file. To use different values, create a file called service_now.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local directory. Add the stanzas and settings that you want to change to the file in the local directory.
    Stanza | Setting | Description
    [snow_default] | priority | Used by the job scheduler.
    [snow_default] | display_value | When grouping by reference or choice fields, the query returns either the display value, the actual value in the database, or both, based on this value. display_value=false returns actual values from the database. display_value=all returns both actual and display values. The default is "all".
  5. Review the values for the settings in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/default/splunk_ta_snow_settings.conf file. The values for the settings are listed in the following table. To use different values, create a file called splunk_ta_snow_settings.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local directory. Add only the stanzas and settings that you want to change to the file in the local directory.
    Stanza | Setting | Description
    [logging] | loglevel | Specifies the verbosity of the logs. Default is INFO. Log level can be DEBUG, INFO, WARNING, ERROR or CRITICAL.
    [proxy] | proxy_enabled | Indicates whether connection to ServiceNow occurs through a proxy. The default is false.
    [proxy] | proxy_url | Hostname or IP address for the proxy connection, which is invoked only if proxy_enabled is set to true.
    [proxy] | proxy_port | Port for the proxy connection, which is invoked only if proxy_enabled is set to true.
    [proxy] | proxy_username | Username for the proxy connection, which is invoked only if proxy_enabled is set to true.
    [proxy] | proxy_password | Password for the proxy connection, which is invoked only if proxy_enabled is set to true.
    [proxy] | proxy_rdns | If you use the proxy to do DNS resolution, set this value to 1. The default is 0.
    [proxy] | proxy_type | The default is http. Other accepted values are http_no_tunnel, socks4, and socks5.
  6. Save your changes.
  7. Restart your Splunk instance.

If you have multiple search heads that are not in a search head cluster, perform the preceding steps on each search head to support search-time push integration. Configure data collection only on your data collection nodes, typically one or more heavy forwarders.
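
Added example (not part of the Splunk documentation or the add-on's code): a pre-restart check of a local splunk_ta_snow_account.conf against the settings described in step 3, flagging disabled certificate validation, non-HTTPS URLs, and out-of-range record_count values. The stanza names, host names, and the audit_accounts function are hypothetical, and the sample file is constructed.

```python
import configparser

# Constructed sample of local/splunk_ta_snow_account.conf (hypothetical accounts and hosts).
SAMPLE_CONF = """
[snow_prod]
url = https://snow.example.com
auth_type = basic
username = splunk_reader
password = <placeholder>

[snow_test]
url = http://snow-test.example.com
auth_type = basic
username = splunk_reader
password = <placeholder>
record_count = 50000
disable_ssl_certificate_validation = 1
"""

REQUIRED = ("url", "auth_type", "username", "password")


def audit_accounts(conf_text):
    """Return {stanza: [findings]} for a splunk_ta_snow_account.conf body."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    report = {}
    for stanza in parser.sections():
        s = parser[stanza]
        findings = [f"missing required setting: {k}" for k in REQUIRED if not s.get(k)]
        url = s.get("url", "")
        if url and not url.lower().startswith("https://"):
            findings.append("url is not https: basic-auth credentials would cross the network unencrypted")
        if s.get("auth_type", "basic") != "basic":
            findings.append("auth_type must be 'basic' in conf files (OAuth is set up in Splunk Web)")
        # Documented default is 0 (validation on); 1 turns certificate checks off.
        if s.get("disable_ssl_certificate_validation", "0").strip() == "1":
            findings.append("SSL certificate validation is disabled")
        # Documented bounds: larger than 0, default 1000, less than 10000.
        raw = s.get("record_count", "1000")
        if not (raw.strip().isdigit() and 0 < int(raw) < 10000):
            findings.append(f"record_count={raw!r} is outside the range 1-9999")
        report[stanza] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_CONF).items():
        print(name, "OK" if not findings else findings)
```

To check a real deployment, pass the contents of $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/splunk_ta_snow_account.conf to audit_accounts instead of the sample.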

Last modified on 04 August, 2020

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

