Integrate ServiceNow data with Splunk Asset and Risk Intelligence data

Integrate ServiceNow data with Splunk Asset and Risk Intelligence data by doing either of the following:

Pull data from ServiceNow

Pull data from ServiceNow using the Splunk Add-on for ServiceNow. To pull data from ServiceNow for use in Splunk Asset and Risk Intelligence, follow these steps:

1. Install the Splunk Add-on for ServiceNow on a search head and configure it to connect to your ServiceNow environment. You can download the Splunk Add-on for ServiceNow from Splunkbase.
2. Using the Splunk Add-on for ServiceNow, configure data inputs to pull the asset data into Splunk Asset and Risk Intelligence on a set schedule. Most users use the following ServiceNow inputs:
   • cmdb_ci_server
   • cmdb_ci_computer
3. After Splunk Asset and Risk Intelligence begins ingesting data from ServiceNow, add the ServiceNow data source on the Data source management page. The following known data sources are pre-configured to work with the Splunk Add-on for ServiceNow:
   • CMDB CI Server
   • CMDB CI Computer

   You might need to validate the event search for each of these sources and apply the correct index or sourcetype.

4. Set the data sources to Passive because the sys_updated_on field date assigned to each asset doesn't typically indicate network activity. Instead, it indicates when the asset was last updated or last edited in the ServiceNow CMDB.

Push data to ServiceNow

You can push data to ServiceNow from Splunk Asset and Risk Intelligence using the ServiceNow sync configuration page. The ServiceNow sync configuration creates one or more scheduled searches in which the output of each search is pushed to an import set in ServiceNow. You can use multiple scheduled searches if you want to push different subsets of the data or if you want to push to different import sets in ServiceNow.

To push data to ServiceNow from Splunk Asset and Risk Intelligence, follow these steps:

1. Create an import set table and an associated transform map in ServiceNow to receive and process the data.
2. Enter your ServiceNow service account credentials in Splunk Asset and Risk Intelligence.
3. Create an inventory search and map to the fields in the import set.
4. Schedule the search and configure the alert action.

Step 1: Create an import set table and transform map in ServiceNow

An import set table acts as a staging location for records imported from a data source before it transforms those records. The integration uses a REST API to push the data to the import set table.

Create an import set table, and then create a Transform Map in ServiceNow to convert the data held within the import set table to another table according to the rules defined in the transform map. In ServiceNow, follow these steps:

1. Create an Import Set table in ServiceNow.
   1. Select System Web Services then Inbound and then Create New.
   2. Add the fields from Splunk Asset and Risk Intelligence that you want in ServiceNow.
2. Create a Transform Map in ServiceNow.
   1. Select System Import Sets and then Create Transform Map.
   2. Give the transform map a Name.
   3. Set the import set table as the Source table.
   4. Select a Target table, such as cmdb_ci_server.
   5. Select the check box for Create a new record on empty coalesce fields if you want to create new asset records in the target table when the asset does not already exist.
3. Create the mapping from the import set source table to the target table.
   1. select System Import Sets then Administration and then Transform maps.
   2. Select the transform that you just created.
   3. In the Related Links section, select Mapping Assist.
   4. Map the source fields from the import set table to the target table.
   5. Select Save after all the fields are mapped.
   6. In the Field Maps table, find the source field that you want to be the Key Field for the data set. The key field uniquely identifies the asset for your ServiceNow environment. For example, this could be hostname or serial, but it might be something else. Then change the Coalesce column value to true.
   7. Select Update to save the key field change.
4. Configure synchronous transformations to allow for multiple record updates.
   1. Select System Web Services then REST and then Insert Multiple.
   2. Select New and then provide a Name.
   3. Set your newly created import set table as the source table.
   4. Change the transformation to Synchronous.
   5. Select Submit.
   6. Select the row that you just created.
   7. In the Column mappings table, select New.
   8. Select the following values:
      • Type: JSON
      • Column mapping: Column name
   9. Select Submit.

For more information on import sets and transform maps, see the ServiceNow documentation on import sets.

By default, ServiceNow import set field values have a character restriction of 40. You might need to edit the ServiceNow data dictionary for import set fields, such as u_serial_number, to extend the allowable length. For example, a VMware serial number is over 40 characters, and ServiceNow only records the first 40 characters if you don't increase the field character limit before importing.

Step 2: Enter your ServiceNow service account credentials in Splunk Asset and Risk Intelligence

To push data to Splunk Asset and Risk Intelligence, you must have credentials for ServiceNow. Create a service account in ServiceNow with permissions to the import set and any transform rules or mappings. Then, enter those credentials in Splunk Asset and Risk Intelligence. To do so, follow these steps:

1. In Splunk Asset and Risk Intelligence, select Admin then Integrations and then ServiceNow sync configuration.
2. Enter the URL to your ServiceNow environment. The URL must begin with https:// and must not include any additional path. For example: https://myserver.service-now.com.

   Don't include the import set table name at the end of this path.

3. Enter the username and password for the ServiceNow service account that you created.
4. (Optional) Check the configuration before submitting.
5. Select Submit.

Step 3: Create an inventory search and map fields

You must create a search to identify the asset data that you want to import into ServiceNow and to ensure that the data is sent with the correct and expected fields. For example, the following search checks for servers discovered in the past 7 days and maps the fields in Splunk Asset and Risk Intelligence to fields that are found within a ServiceNow CMDB environment:

| inputlookup ari_network_asset_inventory [| makeresults | eval search="where lastdetect>\"".relative_time(now(),"-7d")."\""] asset_type="Server" | rename nt_host AS u_host_name, vendor AS u_manufacturer, product AS u_model_id, asset_type AS u_sys_class_name, serial AS u_serial_number, user_id AS u_assigned_to, os AS u_os, os_version AS u_os_version, dns AS u_dns_domain, asset_class AS u_chassis_type, category AS u_short_description, mem AS u_ram, cpu_mhz AS u_cpu_speed, cpu_count AS u_cpu_count, cpu_cores AS u_cpu_core_count, city AS u_city, state AS u_state, country AS u_country, location_id AS u_location, lastdetect AS u_most_recent_discovery | eval u_discovery_source="ARI" | fields u_* | convert ctime(u_most_recent_discovery) timeformat="%Y-%m-%d %H:%M:%S"

In this example, the fields in the ServiceNow import set table use a syntax of u_XXXX. To make sure that you map your fields appropriate, select System Web Services in ServiceNow, and then select your import set table to find the Name column for the fields needed in this search.

This example assumes that assets in ServiceNow use hostnames as unique identifiers, but you might have a ServiceNow environment that uniquely identifies assets by serial number. In that case, modify the search so that each row in the results is uniquely identified by serial number.

After the search is running as you like, save the search and give it a name. For example, servicenow_server_asset_push.

Step 4: Schedule the search and configure the alert action

After you save the search, edit the schedule of the search and configure the alert action. For example, for the search example shown in the previous step, you might set it to run once per week. To schedule the search and configure the alert action, follow these steps:

1. In the Splunk platform, open the Edit Schedule dialog box to use the Trigger Actions.
2. Select + Add Actions and then select the ARI ServiceNow Sync action.
3. Configure the following fields:
   • Path: The ServiceNow URL path for the import set table. This doesn't include the base URL you entered into the ServiceNow configuration. The path might look like import/mytable where mytable is the name of the import set. The ServiceNow configuration URL and this path are linked together to form the full path of the table.
   • Key Field: The field to log as the unique key. In the search used in this example, you might use u_host_name as the key field because hostname is the inventory used.
   • Batch Size: The field indicating how many records to push at any one time. Splunk Asset and Risk Intelligence pushes data to ServiceNow in batches.

     You must set the batch size to at least 2 or at most 200.

   • Debug: The field that allows debug logging output from the alert action. Uncheck this field unless you run into troubleshooting issues.
   • Filter Blanks: The field to determine whether or not to send empty values to ServiceNow. Turn on this option to if you don't want to send empty values.
   • Dry Run: The dry run option performs all of the sync steps other than pushing the asset data. This field is useful for validating authentication.

After you configure and save the alert action, you can find assets in ServiceNow the next time the search runs. You can't run the search manually and activate the alert action. To force the search to run, schedule the search to run in 2 minutes, save it, and then let it run the alert action. After everything is validated, schedule the search back to a more suitable timeframe and frequency.

You can configure only one ServiceNow environment using the configuration sync in Splunk Asset and Risk Intelligence.

Monitor the ServiceNow sync alert action in Splunk Asset and Risk Intelligence

In Splunk Asset and Risk Intelligence, you can monitor any configured searches that use the ServiceNow sync alert action using the ServiceNow sync summary dashboard. Access the dashboard in Splunk Asset and Risk Intelligence by selecting Admin then Integrations and then ServiceNow sync summary.

The dashboard contains the following data: