Splunk® App for ServiceNow

Installation and Configuration Manual


Install the Splunk App for ServiceNow on Splunk Enterprise

This topic covers how to install the Splunk App for ServiceNow on a Splunk Enterprise on-premises deployment. Looking for Splunk Cloud instructions? See "Install the Splunk App for ServiceNow on Splunk Cloud".

Download the app and the add-on

The Splunk App for ServiceNow relies on an add-on to handle the data input logic. Download both the app and the add-on from Splunkbase.

  • Splunk App for ServiceNow version 4.0.1. If you are migrating from an existing installation of the Splunk App for ServiceNow that is earlier than version 4.0.0, install the 4.0.1 version as a new app. This version has a new package name, so it does not replace the 3.X version in your environment.
  • Splunk Add-on for ServiceNow version 2.8.0 or later. If you are migrating from an existing installation of the Splunk Add-on for ServiceNow, you can upgrade the add-on in place. The new version of the add-on is backwards compatible with older versions.

Install on a single instance

If your Splunk Enterprise deployment is a single instance, install both the app and the add-on to your single instance.

1. Use the Install app from file feature in the Manage Apps page in Splunk Web to install both packages, or install manually using the command line.

2. After you restart Splunk Enterprise, you may be prompted to set up the add-on. Choose Set up later because you will perform your setup through the app rather than the add-on.

3. Proceed to "Set up the Splunk App for ServiceNow" for the next step.

Install on a distributed deployment

If your Splunk Enterprise deployment is distributed, follow these steps.

  1. Deploy both the app and add-on to your search heads.
  2. Deploy the add-on to a heavy forwarder.
  3. (Optional) Run the remote target command to connect your forwarder to your search heads. This step supports easy app configuration from the search head.
  4. If you did not run the remote target command, configure ServiceNow credentials on your search heads using the add-on.
  5. Turn off add-on visibility on your search heads.
  6. If you are deploying the add-on in an indexer cluster, distribute the summary index configuration bundle across clustered indexers.
  7. If you are migrating from a previous version of the app, read the migration guide.

Deploy the app and the add-on to your search heads

If you are deploying to one or more individual search heads, follow your preferred method of deploying both the app and the add-on.

  • Follow the Install app from file wizard on the Manage Apps screen in Splunk Web.
  • Install manually using the command line.
  • Use a deployment server to deploy the unconfigured packages to your search heads. Do not configure the app or add-on prior to deploying it.

If you are deploying to a search head cluster:

1. Make the following changes to the add-on package to avoid validation errors:

  • Remove the eventgen.conf files in the default folder, and all files in the samples folder.
  • Remove the default/inputs.conf file.

2. Install the app and the add-on using the deployer. See "Use the deployer to distribute apps and configuration updates" in the Distributed Search manual in the Splunk Enterprise documentation.
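
The two removals above can be scripted so that every deployer receives the same sanitized package. The following Python script is an added example for this manual, not code from Splunk or from the add-on: it streams the .spl or .tgz archive (a gzip-compressed tar) into a new archive without the flagged entries and never extracts anything to disk, so a tampered archive cannot write outside the target directory during the clean-up. The app directory name Splunk_TA_snow is taken from this manual; the placeholder file list that build_sample_package() creates is constructed for illustration and is not the real package contents.

```python
"""Strip the entries that break search head cluster deployer validation from a
Splunk add-on package (.spl and .tgz packages are gzip-compressed tar archives).

Added example for this manual, not code from the Splunk App or Add-on for
ServiceNow. The only name taken from the manual is the app directory
Splunk_TA_snow; the placeholder files written by build_sample_package() are
constructed for illustration.
"""
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from pathlib import PurePosixPath

# Paths below the app's top-level directory that the manual says to remove.
DROP_FILES = {"default/inputs.conf"}
DROP_NAMES_IN_DEFAULT = {"eventgen.conf"}   # the eventgen.conf files in the default folder
DROP_DIRS = {"samples"}                     # all files in the samples folder


def relative_to_app(member_name: str) -> str | None:
    """Path of an archive entry below the top-level app directory, or None for
    the app directory itself. Absolute and parent-relative names are refused
    so a tampered archive cannot slip an entry past the filter."""
    path = PurePosixPath(member_name)
    if path.is_absolute() or ".." in path.parts:
        raise ValueError(f"unsafe archive entry: {member_name!r}")
    return "/".join(path.parts[1:]) if len(path.parts) > 1 else None


def should_drop(member_name: str) -> bool:
    """True if the entry must not reach the deployer."""
    rel = relative_to_app(member_name)
    if rel is None:
        return False
    parts = PurePosixPath(rel).parts
    if rel in DROP_FILES:
        return True
    if len(parts) == 2 and parts[0] == "default" and parts[1] in DROP_NAMES_IN_DEFAULT:
        return True
    return parts[0] in DROP_DIRS


def strip_package(src_path: str, dst_path: str) -> list[str]:
    """Copy src_path to dst_path without the entries flagged by should_drop().
    Members are streamed from one archive to the other, so nothing is
    extracted to disk. Returns the names of the dropped entries."""
    dropped: list[str] = []
    with tarfile.open(src_path, "r:gz") as src, tarfile.open(dst_path, "w:gz") as dst:
        for member in src:
            if should_drop(member.name):
                dropped.append(member.name)
                continue
            fileobj = src.extractfile(member) if member.isfile() else None
            dst.addfile(member, fileobj)
    return dropped


def build_sample_package(path: str, app_dir: str = "Splunk_TA_snow") -> None:
    """Constructed stand-in for the real add-on package: placeholder files in
    the directories the manual refers to."""
    files = [
        "README.txt",
        "bin/snow.py",
        "default/app.conf",
        "default/eventgen.conf",
        "default/inputs.conf",
        "samples/snow_incident.sample",
    ]
    with tarfile.open(path, "w:gz") as tar:
        for rel in files:
            data = f"# placeholder for {rel}\n".encode()
            info = tarfile.TarInfo(f"{app_dir}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo() -> tuple[list[str], list[str]]:
    """Build the constructed package in a temporary directory, strip it and
    return (dropped entries, remaining entries), both sorted."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "splunk-add-on-for-servicenow.spl")
        dst = os.path.join(tmp, "splunk-add-on-for-servicenow-shc.spl")
        build_sample_package(src)
        dropped = strip_package(src, dst)
        with tarfile.open(dst, "r:gz") as tar:
            kept = sorted(m.name for m in tar.getmembers())
    return sorted(dropped), kept


if __name__ == "__main__":
    dropped, kept = demo()
    print("dropped:", *dropped, sep="\n  ")
    print("kept:", *kept, sep="\n  ")
```

Run strip_package() against the downloaded package and hand the output file to the deployer; keep the original package for the heavy forwarder, which still needs default/inputs.conf.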

Deploy the add-on to a heavy forwarder

Follow your preferred method of deploying the Splunk Add-on for ServiceNow to your heavy forwarders. You can:

  • follow the Install app from file wizard on the Manage Apps screen in Splunk Web.
  • install manually using the command line.
  • use a deployment server to deploy the unconfigured packages to your forwarders. Do not configure the app or add-on prior to deploying it.

Note: The add-on does not support universal forwarders because the configuration logic handled by the add-on requires Python.

Run the remote target command to connect your search head and forwarder (optional)

The Splunk App for ServiceNow offers the ability to manage your configuration and inputs in the app on your search heads rather than through the add-on on your forwarder. This means that, after you install all the components and perform the steps in this section, you do not need to manage any configuration from your forwarder. Instead, you can configure everything from the search head and the Splunk platform pushes all your configuration parameters to your forwarder. The forwarder receives the configuration information and performs the data collection and parsing as it normally would.

This procedure is optional. If you do not choose to use it, perform all configuration activity on a heavy forwarder using the add-on and do not use the Configure tab in the app on your search heads. Using the Configure tab in the app without running this command causes any configurations made there to be stored on your search head, leading to potential conflicts or duplicated inputs.

To use this remote target command, port 8089 of your heavy forwarder must be accessible from your search head. If you have proxies, firewalls, or security group inbound settings blocking this access, adjust those settings before you proceed or do not use this procedure.

To connect your search head and forwarder with the remote target command, perform the following steps on each search head, even if you have a search head cluster. If you are on Windows, replace all forward slashes with backslashes.

1. Open terminal and run

cd $SPLUNK_HOME/bin 

2. To set your forwarder as the remote target of the search head, run

./splunk cmd python ../etc/apps/splunk_app_servicenow/bin/cli/targets_helper.py -set -host <search_head_ip> -port <search_head_mgmt_port> -username <username> -password <password> -t_host <target_forwarder_ip> -t_username <target_username> -t_password <target_password> -t_port <target_mgmt_port>

3. To show the result, run

./splunk cmd python ../etc/apps/splunk_app_servicenow/bin/cli/targets_helper.py -get -username <username> -password <password>

Example:

$ cd $SPLUNK_HOME/bin
$ ./splunk cmd python ../etc/apps/splunk_app_servicenow/bin/cli/targets_helper.py -set -host 10.66.130.123 -port 8089 -username shuser -password shpassword -t_host 10.66.130.200 -t_username fwduser -t_password fwdpassword -t_port 8089
$ ./splunk cmd python ../etc/apps/splunk_app_servicenow/bin/cli/targets_helper.py -get -username shuser -password shpassword
============================
10.66.130.200
============================
username=fwduser
eai:appName=splunk_app_servicenow
eai:userName=nobody
port=8089
password=fwdpassword
disabled=0
$

If, instead of a result like the one shown above, you see a "connection refused" error, check that your heavy forwarder is running and try again. If you see a "connection timed out" error, verify that the target port is reachable from the search head. Note that both commands take the search head and forwarder passwords as command-line arguments, so they are recorded in your shell history and visible in process listings while the command runs, and the -get output prints the stored forwarder password in clear text. Use a dedicated forwarder account for the target rather than your administrator credentials, and clear or protect the shell history afterwards.

If you need to remove the remote target configuration at any time, run the following removal command from the $SPLUNK_HOME/bin directory on each search head.

./splunk cmd python ../etc/apps/splunk_app_servicenow/bin/cli/targets_helper.py -remove -username <username> -password <password> -t_host <target_forwarder_ip>
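
Before running targets_helper.py it helps to establish which of the two failures above you would hit, and whether the target credentials actually work against the forwarder. The following Python script is an added example for this manual, not part of the Splunk App or Add-on for ServiceNow: probe_mgmt_port() classifies a TCP connection to the forwarder's management port the same way the command's errors do, and check_mgmt_login() (a hypothetical helper) authenticates the target credentials against splunkd's standard /services/server/info endpoint over verified TLS before you hand them to the remote target command. demo() runs the probe offline against loopback; the timeout case needs a real filtered network path and is not reproduced.

```python
"""Pre-flight check for the remote target command: is the heavy forwarder's
management port reachable from this search head, and do the target
credentials authenticate against splunkd there?

Added example for this manual, not part of the Splunk App or Add-on for
ServiceNow. Port 8089 and the /services/server/info endpoint are standard
splunkd; everything else (hostnames, the demo listener) is constructed.
"""
import base64
import json
import socket
import ssl
import urllib.request


def probe_mgmt_port(host: str, port: int = 8089, timeout: float = 5.0) -> str:
    """TCP-level reachability of the management port. The result maps onto the
    two errors the manual describes for targets_helper.py:
      "open"     something accepted the connection
      "refused"  host answered but nothing listens there: is splunkd running?
      "timeout"  no answer at all: firewall, security group or proxy in the path
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:            # DNS failure, network unreachable, ...
        return f"error: {exc}"


def check_mgmt_login(host: str, username: str, password: str, cafile: str,
                     port: int = 8089, timeout: float = 10.0) -> str:
    """Authenticate to splunkd on the forwarder with the credentials you are
    about to store as the remote target, and return its serverName.

    splunkd listens on 8089 with a self-signed certificate by default, so
    verification against the system trust store fails. Pass the CA (or the
    server certificate itself) as cafile instead of turning verification off:
    the point of this check is to send the password only to the host you
    intended. Hypothetical helper; not exercised by demo().
    """
    context = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(
        f"https://{host}:{port}/services/server/info?output_mode=json",
        headers={"Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
        info = json.load(resp)
    return info["entry"][0]["content"]["serverName"]


def demo() -> dict:
    """Run the probe offline against loopback: one socket that is listening and
    one port that was just released so nothing listens on it. The timeout case
    needs a real filtered path and is not reproduced here."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        return {
            "listening": probe_mgmt_port("127.0.0.1", open_port, timeout=2.0),
            "closed": probe_mgmt_port("127.0.0.1", closed_port, timeout=2.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In practice you would call probe_mgmt_port("<target_forwarder_ip>") from each search head and, if it returns "open", check_mgmt_login() with the same target username, password and port you intend to pass to targets_helper.py.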

Configure ServiceNow credentials on your search heads

If you ran the remote target command in the previous section, you can skip this section. You do not need to configure credentials separately on your search head and forwarder. You can perform configuration normally as described in "Set up the Splunk App for ServiceNow".

If you did not run the remote target command, you must supply your credentials for your ServiceNow account manually on your search heads to permit search-time push integration with ServiceNow. If you skip this step, the custom commands, alert actions, and alert-triggered scripts do not function.

Do not use the Configure tab in the app to configure your ServiceNow account credentials on your search heads. Instead, follow the instructions in "Set up the Splunk Add-on for ServiceNow" in the Splunk Add-on for ServiceNow manual, part of the Supported Add-ons documentation.

Note: If you have a search head cluster, you must be using Splunk platform 6.3.X in order to be able to handle credentials on your search heads.

Turn off visibility for the add-on on your search heads

Change the visibility setting for the add-on on each search head to make it not visible. This step helps prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.

1. Go to Apps > Manage Apps.

2. Find the Splunk Add-on for ServiceNow, with the folder name Splunk_TA_snow, in the list, and click Edit properties.

3. Under Visible, click the radio button next to No.

4. Click Save.

5. Repeat these steps on all search heads.

Distribute the summary index configuration bundle across clustered indexers

If you are deploying the add-on in an indexer cluster, perform the following steps:

  1. On the indexer cluster master node, copy indexes.conf from $SPLUNK_HOME/etc/apps/splunk_app_servicenow/default to $SPLUNK_HOME/etc/master-apps/_cluster/local.
  2. On the master node, run this CLI command to distribute the indexes.conf file to the peer nodes:
    splunk apply cluster-bundle

    When the configuration bundle distribution is complete, the indexes.conf file is copied to $SPLUNK_HOME/etc/slave-apps/_cluster/local on the peer nodes.

Migrate your data from a previous version

If you are migrating from a version of the app that is 3.X or older, see "Migrate from a community-supported version of the Splunk App for ServiceNow" for important information that affects your setup and use of the new app.


This documentation applies to the following versions of Splunk® App for ServiceNow: 4.0.1, 4.0.2, 4.0.3