Content Pack for ServiceNow

Content Pack for ServiceNow

Install and configure the Content Pack for ServiceNow

Follow these high-level steps to configure the Content Pack for ServiceNow`:

  1. Install and configure the Splunk Add-on for ServiceNow.
  2. Install the Content Pack for ServiceNow.
  3. Enable your ServiceNow entity searches.
  4. Configure KPI thresholds.

Prerequisites

  • Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual
  • Create a full backup of your ITSI environment in case you need to uninstall the content pack later. For more information, see Create a full backup in the Administration Manual.
  • Install the dendogram custom visualization apps from Splunkbase to ensure the visualizations display in this content pack. Download the Dendogram Viz from Splunkbase.

Install and configure the Splunk Add-on for ServiceNow

This content pack depends on data collected in the Splunk Add-on for ServiceNow. You can safely install add-ons on all tiers of a distributed Splunk platform deployment, including heavy forwarders, indexers, or search heads. Note, these add-ons have to be installed on search heads in a distributed deployment. Download the latest version of the Splunk Add-on for ServiceNow from Splunkbase. For installation and configuration steps, see the Splunk Add-on for ServiceNow documentation.

Install the Content Pack for ServiceNow

The Content Pack for ServiceNow is automatically available for installation once you have installed the Splunk App for Content Packs on the search head. For steps to install the Splunk App for Content Packs, see Install the Splunk App for Content Packs. After you install the Splunk App for Content Packs, you can follow these steps install the content pack:

  1. From the ITSI main menu, click Configuration > Data Integrations.
  2. Select the Content Library tab.
  3. Select the ServiceNow content pack.
  4. Review what's included in the content pack and then click Proceed.
  5. Configure the settings:
    • Choose which objects to install: For a first-time installation, select the items you want to install and deselect any you're not interested in. For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version or install all objects.
    • Choose a conflict resolution rule for the objects you install: For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from these options:
      • Install as new: Any existing identical objects in your environment remain intact.
      • Replace existing: Existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.
    • Import as enabled: Select whether to install objects as enabled or leave them in their original state. We recommend that you import objects as disabled to ensure your environment doesn't break from the addition of new content. This setting only applies to services, correlation searches, and aggregation policies. All other objects, such as KPI base searches and saved searches, are installed in their original state regardless of the option you choose.
    • Modify status of saved searches: This option will be displayed only if the content pack contains saved searches. By default, saved searches included in a content pack are in deactivated state. Within this configuration, you have the flexibility to perform the following operations:
      • Activate all saved searches: By selecting this option, you can activate all the saved searches associated with the content pack.
      • Deactivate all saved searches: By selecting this option, you can deactivate all the saved searches associated with the content pack.
      • Retain current status of saved searches: This option allows you to preserve the existing status of the saved searches within the content pack.
    • Add a prefix to your new objects: Optionally, append a custom prefix to each object installed from the content pack. For example, you might prefix your objects with CP- to indicate they came from a content pack. This option can help you locate and manage the objects after installation.
    • Backfill service KPIs: Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and predictive analytics for the new services. This setting only applies to KPIs, not service health scores.
  6. When you've made your selections, click Install selected.
  7. Click Install to confirm the installation. When the installation completes you can view all objects that were installed in your environment and the status of the saved searches. A green checkmark on the Data Integrations page indicates which content packs you've already installed. The tile shows the current status of all the saved searches of the content pack.

(Optional) Update the Macros defined in the content pack

You must have the admin role to update macros

Steps

  1. From Splunk Web, select Settings > Advanced Search > Search Macros.
  2. Update the macro:
  3. Date resolved Issue number Description
    itsi-cp-servicenow-indexes index=* This macro is used to get the data from the indexes where serviceNow data are ingested.

    You can update the macro with custom indexes using all of the indexes that you're using for data collection from add-ons combined with OR operators.
    For example: index=<index-name-1> OR <index-name-2>
    Note: You have to know the indexes your organization uses to send data from the Splunk Add-on for Microsoft Windows to your Splunk platform deployment.

    itsi-cp-servicenow-search-range earliest=-30d This macro specifies the time range over which the searches of the content pack will run..

    It is not recommended to update the macro.

  4. Click Save.

Enable your ServiceNow entity searches

There are four entity discovery searches included with this content pack. They are disabled by default. When you ready to get your data in, follow these steps to enable the entity discover searches for ServiceNow.

  1. In Splunk Enterprise go to Settings > Searches, reports, and alerts.
  2. In the Type dropdown, select All.
  3. In the App dropdown, select Content Pack for Service Now (DA-ITSI-CP-SERVICENOW).
  4. In the Owner dropdown, select All.
  5. These entity discovery searches are available to enable:
    • ITSI Import Objects - SNOW_CMDB
    • ITSI Import Objects - SNOW_Change_Requests
    • ITSI Import Objects - SNOW_Events
    • ITSI Import Objects - SNOW_Incidents
  6. Select Edit > Enable for each search you want to enable.

When you've finished enabling the entity searches to import your entities, go to the Service Analyzer > Default Analyzer to see your services and KPIs light up.

Content pack objects are disabled by default on import. If you didn't toggle the option to import the content pack objects as enabled you have to enable them under Configuration > Services. Once you have enabled the services the Service Analyzer will light up.

Configure KPI thresholds

Some KPIs in this content pack have predetermined aggregate and per-entity thresholds configured. Go through the KPIs in each service and configure the aggregate and per-entity thresholds values to reasonable defaults based on your use case. For steps to configure KPI thresholds, see Configure KPI thresholds in ITSI in the Service Insights manual.

For a full list of the KPIs in this content pack, see KPI reference for the Content Pack for ServiceNow.

KPI alerting

Because acceptable application performance varies widely per use case, KPI alerting isn't enabled by default in this content pack. To receive alerts for KPIs when aggregate KPI threshold values change, see Receive alerts when KPI severity changes in ITSI. ITSI generates notable events on the Episode Review page based on the alerting rules you configure.

Next steps

Now that you have installed and configured the Content Pack for ServiceNow, you can start using the dashboards and visualizations in the content pack to monitor your web applications. For instructions for using the content pack, see Use the Content Pack for ServiceNow.

Last modified on 06 July, 2023
Release Notes for the Content Pack for ServiceNow   Upgrade to version 1.1.0 of the Content Pack for ServiceNow

This documentation applies to the following versions of Content Pack for ServiceNow: 1.1.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters