The integration itself is working as expected with ServiceNow but I have run several testing scenarios and I am finding some issues that don't seem to have solutions. 

1. Map a Splunk Team to ServiceNow group - works 

2. Change the name of the ServiceNow group (name changes are common)

The incident still routes to the correct group but when logging into the mapping settings, Splunk shows the old name and there is no option to edit it. You have to delete the mapping and start over. This is definitely not ideal.

3. Disable the group in ServiceNow to simulate a group that gets decommissioned. 

The integration will continue to map to the inactive group which isn't ideal but I can see why that could happen. Again there is no option to modify the mapping or an ability to see that mapping is associated to an inactive group. 

4. it doesn't appear as though Splunk will allow for a team to have no members but I wanted to confirm because I wanted to test sending an Incident from ServiceNow to see how Splunk would handle it if the group was mapped to empty team (Ex, all the team members leave the org)

If there is no way to keep things in sync this product is going to be very difficult to manage over time and may not be the solution we are looking for.