Send alert notifications to ServiceNow using Splunk Observability Cloud 🔗
You can configure Splunk Observability Cloud to automatically send alert notifications to ServiceNow when a detector alert condition is met and when the alert clears.
To send Observability Cloud alert notifications to ServiceNow, complete the following configuration tasks:
Step 1: Create a ServiceNow user for your Observability Cloud integration
You must be a ServiceNow administrator to complete this task.
Step 2: Create a ServiceNow integration in Observability Cloud
You must be an Observability Cloud administrator to complete this task.
Step 3: Add a ServiceNow integration as a detector alert recipient in Observability Cloud
Step 1: Create a ServiceNow user for your Observability Cloud integration 🔗
In this step, you create a ServiceNow user that you can use to receive alert notifications from Observability Cloud. You must be a ServiceNow administrator to complete this task.
If you have an existing ServiceNow user that you want to use to receive alert notifications, the user has the web_service_admin and itil roles assigned, and you know the user ID and password, you can skip to Step 2: Create a ServiceNow integration in Observability Cloud.
To set up a ServiceNow user for your Observability Cloud integration:
Log in to ServiceNow.
In the left navigation panel, scroll to User Administration and select Users.
Select New.
Enter User ID, First name, and Last name values that clearly communicate that the user is associated with Splunk Observability Cloud notifications. Make note of the User ID value for use in subsequent steps.
Enter a Password value. Make note of this value for use in Step 2: Create a ServiceNow integration in Observability Cloud.
Select the Active check box.
Select Submit.
Find your new user by either searching for the user ID or doing a reverse chronological sort on the Created column. Select the user ID to open the user information window. Scroll down and select the Roles tab. Select Edit.
In the Collection search field, enter web_service_admin. Select the web_service_admin role and select > to move it the Roles List panel.
Similarly, in the Collection search field, search for itil. Select the itil role and select > to move it the Roles List panel.
Select Save. web_service_admin and itil display on the Roles tab for the user, possibly along with other additional roles.
Step 2: Create a ServiceNow integration in Observability Cloud 🔗
You must be an Observability Cloud administrator to complete this task.
To create a ServiceNow integration in Observability Cloud:
Log in to Splunk Observability Cloud.
Open the ServiceNow guided setup . Optionally, you can navigate to the guided setup on your own:
In the left navigation menu, select
.Select Add Integration.
In the integration filter menu, select All.
In the Search field, search for ServiceNow, and select it.
Select New Integration to display the configuration options.
By default, the name of the integration is ServiceNow. Give your integration a unique and descriptive name. For information about the downstream use of this name, see About naming your integrations.
In the Username field, enter the user ID from ServiceNow in Step 1: Create a ServiceNow user for your Observability Cloud integration.
In the Password field, enter the password from ServiceNow in Step 1: Create a ServiceNow user for your Observability Cloud integration.
In the Instance Name field, enter your ServiceName instance name. For example, the instance name must use the format
example.service-now.com
. Do not include a leadinghttps://
or a trailing/
. Additionally, you cannot use local ServiceNow instances.To troubleshoot potential blind server-side request forgeries (SSRF), Observability Cloud has included
\*.service-now.com
on an allow list. As a result, if you enter a domain name that is rejected by Observability Cloud, contact Splunk Observability Cloud support to update the allow list of domain names.Select Incident, Problem, or Event to indicate the issue type you want the integration to create in ServiceNow. If necessary, you can create a second integration using the other issue type. This lets you create an incident issue for one detector rule and a problem issue for another detector rule.
Save.
If Observability Cloud can validate the ServiceNow username, password, and instance name combination, a Validated! success message displays. If an error displays instead, make sure that the values you entered match the values in ServiceNow.
Step 3: Add a ServiceNow integration as a detector alert recipient in Observability Cloud 🔗
To add a ServiceNow integration as a detector alert recipient in Observability Cloud:
Create or edit a detector that you want to configure to send alert notifications using your ServiceNow integration.
For more information about working with detectors, see Create detectors to trigger alerts and Subscribe to alerts using the Detector menu.
In the Alert recipients step, select Add Recipient.
Select ServiceNow and then select the name of the ServiceNow integration you want to use to send alert notifications. This is the integration name you created in Step 2: Create a ServiceNow integration in Observability Cloud.
Activate and save the detector.
Observability Cloud sends an alert notification to create an incident in ServiceNow when the detector triggers an alert. When the alert clears, it sends a notification that sets the incident state to Resolved.
For Incident and Problem issues, the ServiceNow integration sets the Impact and Urgency fields on the ServiceNow issue based on the Observability Cloud alert severity (see Severity).
The following table shows the Observability Cloud severity for Incident and Problem issues:
Observability Cloud severity |
ServiceNow Impact and Urgency fields |
---|---|
Critical |
1 |
Major or Minor |
2 |
Warning or Info |
3 |
For Event issues, the ServiceNow integration sets the Severity of the issue based on the Observability Cloud alert severity (see Severity).
The following table shows the Observability Cloud severity for Event issues:
Observability Cloud severity |
ServiceNow Severity field |
---|---|
Clear |
0 |
Critical |
1 |
Major |
2 |
Minor |
3 |
Warning |
4 |
Info |
5 |