Splunk® App for ServiceNow

Installation and Configuration Manual

Download manual as PDF

Download topic as PDF

Migrate from a community-supported version of the Splunk App for ServiceNow

The Splunk App for ServiceNow version 4.X has a new folder name, making it function in the Splunk platform as a brand new app compared to the 3.X and earlier versions. If you have a pre-4.0.0 version of the app installed, you cannot upgrade directly from that version to the latest version, but must instead follow this migration guide.


Before you can follow any migration steps, you must have followed all steps in the installation guide that applies to your environment. Installing the 4.X version of the app does not override the 3.X version, because they have different folder names. The two apps can exist side by side while you perform your migration steps. After you are finished migrating, you can disable the 3.X app.

Differences in functionality

If you have been using the Splunk App for ServiceNow version 3.X, be aware of the following differences in functionality in 4.X:

  • You can now configure your accounts and inputs using the Splunk App for ServiceNow, using a Splunk account with administrator access. Previously, this configuration was only available through the add-on. See "Set up the Splunk App for ServiceNow" for instructions on accessing and using the Configure tab, visible to Splunk administrators.
  • You can continue to configure accounts and inputs using the Splunk Add-on for ServiceNow. The add-on allows you configure a custom index for your ServiceNow data inputs, but this setting is not exposed in the Splunk App for ServiceNow configuration UI. Any configurations you save through the add-on are synced automatically with your app.

Some additional functional differences may apply, depending on your environment.

  • If you are a Splunk Cloud user, and you have been using on-premises forwarders for data collection for the Splunk App for ServiceNow 3.X, this is no longer required for 4.X. You can configure your ServiceNow account and data inputs directly in your Splunk Cloud instance using the Configure tab in the app, which you can see if you are a member of the administrator role in Splunk Cloud.
  • If you are an on-premises, distributed deployment Splunk Enterprise user, the 4.X app introduces a significantly different configuration option. The Splunk App for ServiceNow now offers the ability to manage the configuration of your ServiceNow account and inputs via the app UI on your search head, so you can manage your accounts and inputs from within the app rather than configuring inputs on your heavy forwarders using the Splunk Add-on for ServiceNow. See "Install on a distributed deployment" in the Installation and Configuration Manual for details about using this option in a distributed deployment.

Migrate your existing input configurations

If you have existing inputs configured, you can view and edit them through the 4.X app. Follow the migration guide in the Splunk Add-on for ServiceNow to make adjustments to selected inputs based on a change in database table names.

Any inputs that you have enabled through the add-on will show up as enabled in your app, and likewise any inputs that you have disabled in your add-on will be disabled in your app. However, if you go to the Configure > Account setup screen in the app and re-save your account information, the app enables all inputs, including any custom ones that you created, immediately upon saving. If you need to edit your account and do not want to enable all inputs, click Configure > Data inputs to disable those you do not want to collect after you save your new account information.

Note: If you are using the app on an on-premises distributed Splunk Enterprise, use the Configure tab in the app only on your data collection node, or run the remote target command to connect your search heads with your heavy forwarder so that you can use the Configure tab from your search heads without creating duplicate inputs.

Migrate your custom dashboards

If you created any custom dashboards in previous versions of the app, migrate them to the new app.

1. Copy all dashboard xml files under $SPLUNK_HOME/etc/apps/snow_event_management/local/data/ui/views to $SPLUNK_HOME/etc/apps/splunk_app_servicenow/local/data/ui/views.

2. Modify $SPLUNK_HOME/etc/apps/splunk_app_servicenow/default/data/ui/nav/default.xml to include the custom views.

For any other customized knowledge objects, such as macros, saved searches, or alerts, the same process applies. Copy the object files or stanzas from the old version of the app to the equivalent file in the new app.

If you are using Splunk Cloud and cannot access the file system, contact support for assistance.

After you have migrated all your inputs, dashboards, and any other custom content, you can safely disable and remove the old app.

Install the Splunk App for ServiceNow on Splunk Enterprise
Set up the Splunk App for ServiceNow

This documentation applies to the following versions of Splunk® App for ServiceNow: 4.0.1, 4.0.2, 4.0.3

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters