Docs » Send alert notifications to third-party services using Splunk Observability Cloud » Send alert notifications to ServiceNow using Splunk Observability Cloud

Send alert notifications to ServiceNow using Splunk Observability Cloud 🔗

You can configure Splunk Observability Cloud to automatically send alert notifications to ServiceNow when a detector alert condition is met and when the alert clears.

To send Splunk Observability Cloud alert notifications to ServiceNow, complete the following configuration tasks:

Step 1: Choose the type of ServiceNow issue for your integration 🔗

Before you set up the integration, choose a ServiceNow issue type from the following table:

Issue type

Role needed

Problem

user_admin, itil

Incident

user_admin, itil

Event

None

Make note of the role that corresponds to your issue type before proceeding with Step 2: Create a ServiceNow user for your Splunk Observability Cloud integration.

Note

The user_admin role is used to verify that ServiceNow has successfully created a Problem or Incident. The itil role is used to create Problems and Incidents when alerts are sent.

Step 2: Create a ServiceNow user for your Splunk Observability Cloud integration 🔗

In this step, you create a ServiceNow user that you can use to receive alert notifications from Splunk Observability Cloud. You must be a ServiceNow administrator to complete this task.

If you have an existing ServiceNow user that you want to use to receive alert notifications, the user has the roles assigned that correspond to your issue type, and you know the user ID and password, you can skip to Step 2: Create a ServiceNow user for your Splunk Observability Cloud integration.

To set up a ServiceNow user for your Splunk Observability Cloud integration:

  1. Log in to ServiceNow.

  2. In the left navigation panel, scroll to User Administration and select Users.

  3. Select New.

  4. Enter User ID, First name, and Last name values that clearly communicate that the user is associated with Splunk Observability Cloud notifications. Make note of the User ID value for use in subsequent steps.

  5. Enter a Password value. Make note of this value for use in Step 3: Create a ServiceNow integration in Splunk Observability Cloud.

  6. Select the Active check box.

  7. Select Submit.

  8. Find your new user by either searching for the user ID or doing a reverse chronological sort on the Created column. Select the user ID to open the user information window. Scroll down and select the Roles tab. Select Edit.

  9. In the Collection search field, enter the roles for the issue type you chose in Step 1: Choose the type of ServiceNow issue for your integration, for example, user_admin. Select the role and select > to move it the Roles List panel.

  10. Select Save. The new roles display on the Roles tab for the user.

Step 3: Create a ServiceNow integration in Splunk Observability Cloud 🔗

You must be a Splunk Observability Cloud administrator to complete this task.

To create a ServiceNow integration in Splunk Observability Cloud:

  1. Log in to Splunk Observability Cloud.

  2. Open the ServiceNow guided setup . Optionally, you can navigate to the guided setup on your own:

    1. In the left navigation menu, select Data Management.

    2. Select Add Integration.

    3. In the integration filter menu, select All.

    4. In the Search field, search for ServiceNow, and select it.

    5. Select New Integration to display the configuration options.

  3. By default, the name of the integration is ServiceNow. Give your integration a unique and descriptive name. For information about the downstream use of this name, see About naming your integrations.

  4. In the Username field, enter the user ID from ServiceNow in Step 2: Create a ServiceNow user for your Splunk Observability Cloud integration.

  5. In the Password field, enter the password from ServiceNow in Step 2: Create a ServiceNow user for your Splunk Observability Cloud integration.

  6. In the Instance Name field, enter your ServiceName instance name. For example, the instance name must use the format example.service-now.com. Do not include a leading https:// or a trailing /. Additionally, you cannot use local ServiceNow instances.

    To troubleshoot potential blind server-side request forgeries (SSRF), Splunk Observability Cloud has included \*.service-now.com on an allow list. As a result, if you enter a domain name that is rejected by Splunk Observability Cloud, contact Splunk Observability Cloud support to update the allow list of domain names.

  7. Select Incident, Problem, or Event to indicate the issue type you want the integration to create in ServiceNow. If necessary, you can create a second integration using the other issue type. This lets you create an incident issue for one detector rule and a problem issue for another detector rule. The following table shows the roles required to create each issue type:

  8. Save.

  9. If Splunk Observability Cloud can validate the ServiceNow username, password, and instance name combination, a Validated! success message displays. If an error displays instead, make sure that the values you entered match the values in ServiceNow.

Step 4: Add a ServiceNow integration as a detector alert recipient in Splunk Observability Cloud 🔗

To add a ServiceNow integration as a detector alert recipient in Splunk Observability Cloud:

  1. Create or edit a detector that you want to configure to send alert notifications using your ServiceNow integration.

    For more information about working with detectors, see Create detectors to trigger alerts and Subscribe to alerts using the Detector menu.

  2. In the Alert recipients step, select Add Recipient.

  3. Select ServiceNow and then select the name of the ServiceNow integration you want to use to send alert notifications. This is the integration name you created in Step 3: Create a ServiceNow integration in Splunk Observability Cloud.

  4. Activate and save the detector.

Splunk Observability Cloud sends an alert notification to create an incident in ServiceNow when the detector triggers an alert. When the alert clears, it sends a notification that sets the incident state to Resolved.

For Incident and Problem issues, the ServiceNow integration sets the Impact and Urgency fields on the ServiceNow issue based on the Splunk Observability Cloud alert severity (see Severity). When you clear alerts for Problem and Incident issues, Splunk Observability Cloud marks them as Resolved.

The following table shows the Splunk Observability Cloud severity for Incident and Problem issues:

Observability Cloud severity

ServiceNow Impact and Urgency fields

Critical

1

Major or Minor

2

Warning or Info

3

For Event issues, the ServiceNow integration sets the Severity of the issue based on the Splunk Observability Cloud alert severity (see Severity). The Event integration also creates an event whenever an alert is sent or cleared.

The following table shows the Splunk Observability Cloud severity for Event issues:

Observability Cloud severity

ServiceNow Severity field

Clear

0

Critical

1

Major

2

Minor

3

Warning

4

Info

5