Set up the Splunk Add-on for ServiceNow
You can configure the Splunk Add-on for ServiceNow through Splunk Web or by modifying configuration files. Authenticate your ServiceNow accounts using one of the following processes:
- Basic authentication
- OAuth 2.0 authentication
Configure basic authentication either through Splunk Web or by making changes directly in configuration files. Due to the complexity of the setup, configuring this add-on through Splunk Web is a best practice. OAuth authentication must be configured through Splunk Web.
If you have a distributed Splunk platform deployment, you must perform these setup steps on your data collection nodes (usually one or more heavy forwarders) and on your search heads. Search head configuration is only necessary if you want to perform push integration from search commands, alert actions, and alert-triggered scripts.
If you are using this add-on with a search head cluster, perform these setup steps on one search head node in Splunk Web. The cluster syncs the settings to your other nodes. Click Settings > Show All Settings to see the setup link on your search head cluster node.
Set up basic authentication using Splunk Web
Complete these steps to set up the Splunk Add-on for ServiceNow using Splunk Web:
Basic Authentication configuration requires access to the user interface of your ServiceNow Instance. User roles that do not have user interface access can't configure their ServiceNow account to use Basic Authentication.
- In Splunk Web, navigate to the Splunk Add-on for ServiceNow, either by clicking the name of this add-on in the left navigation banner on your Splunk platform Home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
- Go to the ServiceNow Account tab.
- Click Add.
- In the Add ServiceNow Account dialog box, fill in the required fields:

| Field | Description |
| --- | --- |
| Account Name | Enter a unique account name. |
| URL | Enter the URL of your ServiceNow instance. |
| Auth Type | Select Basic Authentication |
| Username | Enter your ServiceNow account username. |
| Password | Enter your ServiceNow account password. |
| Record Count | Enter the maximum number of records to be fetched at each API call to the database tables. Value must be between 1 and 10000. Default is 3000. Note: Reducing the record count value will result in slower data collection rate. |

- Click Add:
- If the entered information is authenticated successfully, the add-on saves the account information.
- If you have entered incorrect credentials or an incorrect URL, an error message appears in the dialog box. If you see such a message, verify the information you have entered and try again.
If you have multiple search heads that are not in a search head cluster, perform the preceding steps on each search head to support search-time push integration. Configure data collection only on your data collection nodes, typically one or more heavy forwarders.
Set up OAuth authentication using Splunk Web
The OAuth 2.0 specification only supports HTTPS redirects. Users need to turn on SSL for Splunk Web on the Splunk platform instance you are using for ServiceNow data collection. See Turn on encryption (https) with Splunk Web in the Splunk Enterprise security documentation for details on how to turn on SSL for Splunk Web.
OAuth Authentication configuration requires UI access to your ServiceNow Instance. User roles that do not have UI access will not be able to configure their ServiceNow account to use OAuth.
- In Splunk Web, navigate to the Splunk Add-on for ServiceNow homepage.
- On the Configuration page, click on the Accounts tab.
- Click Add.
- In the Add ServiceNow Account dialog box, fill in the required fields:

| Field | Description |
| --- | --- |
| Account Name | Enter a unique account name. |
| URL | Enter URL of your ServiceNow instance |
| Auth Type | Select OAuth 2.0 Authentication |
| Client ID | Enter your ServiceNow Client ID |
| Client Secret | Enter your ServiceNow Client Secret |
| Redirect URL | Copy and paste the Redirect URL you see on the screen in your ServiceNow Application Registry and save it. |
| Record Count | Enter the maximum number of records to be fetched at each API call to the database tables. Value must be between 1 and 10000. Default is 3000. |

- Click Add.
- A popup opens for authorization consent from your ServiceNow instance. Enter your authorization credentials. If you have SSO, SAML or other authentication set up, enter the authorization credentials in the popup. Ensure that you complete the authentication process in less than 30 seconds.
- Click Allow.
User credentials used in configuration must have the following role: x_splu2_splunk_ser.Splunk
Optional Splunk Web configurations
Configure a proxy using Splunk Web
Follow these steps to configure a proxy using Splunk Web:
- Go to the Splunk Add-on for ServiceNow's landing page, either by clicking the name of this add-on in the left navigation banner on the Splunk software's home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
- Click the Configuration tab.
- Click the ServiceNow Proxy Setup tab.
- (Optional) If you are using a proxy, check Enable Proxy and fill in the required fields.

| Field | Description |
| --- | --- |
| Enable Proxy | Indicates whether connection to ServiceNow occurs through a proxy. |
| Proxy Host | Hostname or IP address for the proxy connection |
| Proxy Port | Port for the proxy connection |
| Proxy Username | Username for the proxy connection |
| Proxy Password | Password for the proxy connection |
| Use Proxy for DNS Resolution | Indicates whether you use the proxy to do DNS resolution. If your hostname is used in the proxy host when you use DNS resolution, this field is required. |
| Proxy Type | Type of proxy connection. Compatible values: http, or socks5. |

- Click Save to save your configurations.
Configure logging level using Splunk Web
- Go to the Splunk Add-on for ServiceNow's landing page, either by clicking the name of this add-on in the left navigation banner on the Splunk software's home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
- Click the Configuration tab.
- Go to the Logging tab.
- (Optional) If you want to change the logging level, select a new level from the drop-down menu.
- Click Save to save your configurations.
Configure API selection using Splunk Web
- Go to the Splunk Add-on for ServiceNow's landing page, either by clicking the name of this add-on in the navigation banner on the Splunk software's home page or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for ServiceNow.
- Click the Configuration tab.
- Go to the API Selection tab.
- (Optional) If you want to change the API for incident creation, select a new value from the drop-down menu.
- Click Save to save your configurations.
- Check the section About Table API and Import Set API if you are switching to Import Set API.
Set up the add-on using configuration files
- Splunk Cloud Platform
- Use the Splunk Web steps for setting up the add-on, as described in the previous sections. You can't set up the add-on using the configuration files.
- Splunk Enterprise
- To set up the Splunk Add-on for ServiceNow using the configuration files, follow these steps.
- Prerequisites
- Only users with file system access, such as system administrators, can set up the Splunk Add-on for ServiceNow using configuration files.
- Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
- You can have configuration files with the same name in your default, local, and app directories. Read Where you can place (or find) your modified configuration files in the Splunk Enterprise Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.
- Steps
- Complete these steps to set up the Splunk Add-on for ServiceNow using configuration files:
- Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_snow and create a /local directory if it does not already exist.
- Create a file called splunk_ta_snow_account.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local directory.
- For each unique account name you want to keep, create a stanza. Make the stanza name the same as the account name:

| Stanza | Setting | Description |
| --- | --- | --- |
| [account_name] | url | The URL of your ServiceNow instance |
| | auth_type | Enter the value basic |
| | username | The username of the ServiceNow account. If you configured ServiceNow to integrate with the Splunk platform, use the same username that you configured during the integration for this step. If you did not perform this configuration, use an account that has, at minimum, read-only permissions to the database tables from which you want to collect data. |
| | password | The password of the ServiceNow account |
| | record_count | (Optional) The maximum number of records to retrieve from ServiceNow each time. The value must be between 1 and 10000, and the default is 3000. To avoid performance issues, the count must be less than 10000. |
| | disable_ssl_certificate_validation | (Optional) To disable SSL certificate validation, enter 1. The default is 0. |

- (Optional) Review the default values for the settings in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/default/service_now.conf file. To use different values, create a file called service_now.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local directory. Add the stanzas and settings that you want to change to the file in the local directory.

| Stanza | Setting | Description |
| --- | --- | --- |
| [snow_default] | priority | Used by the job scheduler. |
| | display_value | When grouping by reference or choice fields, the query returns either the display value, the actual value in the database, or both, based on this value. display_value=false returns actual values from the database. display_value=all returns both actual and display values. The default is "all". It is a best practice to set display_value to all, as it provides better performance. |

Version 6.3.0 of the Splunk Add-on for ServiceNow deprecates support for events fetched through the display_value=false (extractions and Common Information Model (CIM) mappings) setting.

- Review the values for the settings in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/default/splunk_ta_snow_settings.conf file. The values for the settings are listed in the following table. To use different values, create a file called splunk_ta_snow_settings.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local directory. Add only the stanzas and settings that you want to change to the file in the local directory.

| Stanza | Setting | Description |
| --- | --- | --- |
| [logging] | loglevel | Specifies the verbosity of the logs. Default is INFO. Log level can be DEBUG, INFO, WARNING, ERROR or CRITICAL. |
| [proxy] | proxy_enabled | Indicates whether connection to ServiceNow occurs through a proxy. The default is false. |
| | proxy_url | Hostname or IP address for the proxy connection, which is invoked only if proxy_enabled is set to true. |
| | proxy_port | Port for the proxy connection, which is invoked only if proxy_enabled is set to true. |
| | proxy_username | Username for the proxy connection, which is invoked only if proxy_enabled is set to true. |
| | proxy_password | Password for the proxy connection, which is invoked only if proxy_enabled is set to true. |
| | proxy_rdns | If you use the proxy to do DNS resolution, set this value to 1. The default is 0. |
| | proxy_type | The default is http. Other accepted value is socks5. |
| [api_selection] | selected_api | Specifies the API to use for creating incidents in the ServiceNow platform. Default is table_api. Selected API can be table_api or import_set_api. |

- Save your changes.
- Restart your Splunk instance.
- If you have multiple search heads that are not in a search head cluster, perform the preceding steps on each search head to support search-time push integration. Configure data collection only on your data collection nodes, typically one or more heavy forwarders.
About Table API and Import Set API
The Table API provides endpoints that allow you to perform create, read, update, and delete (CRUD) operations on existing tables. The calling user must have sufficient roles to access the data in the table specified in the request. Check out this documentation for more information on Table API.
The Import Set API provides endpoints that allow you to interact with import set tables. The API transforms incoming data based on associated transform maps. The import set API supports synchronous transforms. Check out this documentation for more information on Import Set API.
Why Switch to Import Set API from Table API
If you are facing issues related to duplicate incidents (more than one incident that has the same correlation_id), you can resolve them by switching to the Import Set API. Along with switching to the Import Set API, set the glide.import_set_insert_serialized.x_splu2_splunk_ser_u_splunk_incident property to true. Check out this documentation for more details.
Add SSL certificate to trust lists
If you encounter an SSLHandshakeError:
- The SSL certificate entry might be missing from your certificate store.
- The ServiceNow server is configured over a self-signed certificate and isn't present in the library's certificate store.

Follow the below steps to resolve the issue:
- Download the root CA certificate used in your ServiceNow deployment.
- Copy the contents of the new certificate.
- Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_snow.
- Create a new <certs_file>.pem file and add the content of the new certificate. Append the new certificate content if the file is already present.
- Open the local/splunk_ta_snow_settings.conf file in a text editor, or create a new one if it is not present.
- Add the ca_certs_path parameter value as below:

    [additional_parameters]
    # <absolute path to the <certs_file>.pem file>
    ca_certs_path=/opt/splunk/etc/apps/Splunk_TA_snow/custom_ca_certs.pem

- Save your changes.
- Restart your Splunk instance.

Certificate of all the ServiceNow servers configured in the add-on must be present under
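
The following added example, which is not Splunk's code or part of the add-on, checks the contents of local/splunk_ta_snow_account.conf and local/splunk_ta_snow_settings.conf against the accepted values in the settings tables above. It flags accounts that set disable_ssl_certificate_validation to 1, for which the ca_certs_path procedure in this section is the alternative when the server uses a self-signed certificate. The function names, the sample stanza and host are assumptions, and the files are assumed to parse as plain INI text with Python's configparser.

```python
import configparser
import os

# Added example; function names and sample values are hypothetical.
# Accepted values as listed in the settings tables on this page.
LOG_LEVELS = {"DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"}
PROXY_TYPES = {"http", "socks5"}

# Constructed sample file contents (placeholder host, no credentials).
SAMPLE_ACCOUNTS = """[prod_snow]
url = https://example.service-now.com
record_count = 20000
disable_ssl_certificate_validation = 1
"""
SAMPLE_SETTINGS = """[proxy]
proxy_type = sock5
[additional_parameters]
ca_certs_path = custom_ca_certs.pem
"""

def _parse(text):
    # interpolation=None so a '%' in a password is read literally.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def audit_accounts(text):
    """Return findings for splunk_ta_snow_account.conf content."""
    cp, out = _parse(text), []
    for name in cp.sections():
        if cp.get(name, "disable_ssl_certificate_validation", fallback="0").strip() == "1":
            out.append(f"[{name}] SSL certificate validation is disabled")
        rc = cp.get(name, "record_count", fallback="3000").strip()
        if not (rc.isdecimal() and 1 <= int(rc) <= 10000):
            out.append(f"[{name}] record_count {rc} is outside 1-10000")
    return out

def audit_settings(text):
    """Return findings for splunk_ta_snow_settings.conf content."""
    cp, out = _parse(text), []
    get = lambda sec, key, default: cp.get(sec, key, fallback=default).strip()
    if get("logging", "loglevel", "INFO") not in LOG_LEVELS:
        out.append("[logging] loglevel is not a listed level")
    if get("proxy", "proxy_type", "http") not in PROXY_TYPES:
        out.append("[proxy] proxy_type must be http or socks5")
    ca = get("additional_parameters", "ca_certs_path", "")
    if ca and not os.path.isabs(ca):
        out.append("[additional_parameters] ca_certs_path is not an absolute path")
    return out
```

To audit a real deployment, pass each function the text read from the corresponding file under $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local.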
This documentation applies to the following versions of Splunk® Supported Add-ons: released, released