All Apps and Add-ons

Understanding Servicenow Transaction Logs from Splunk through SN REST API

New Member

Hello -

I'm overall a novice to Splunk as my focus is more on ServiceNow Admin.   But I'm trying to get a better high level understanding how Splunk is working with our SN environment and Event Management to better help support when Splunk/Event Management issues crop up.

I haven't had a chance to discuss further with our local support who integrated/setup this last year with a outside vendor's support.  So I thought I'd ask here.  We have Splunk setup (using SN Splunk add-on) to create events  in ServiceNow.   We have a local Splunk account with the proper Splunk role and access to the rest api.  And all seems to work from what I understand in most cases.  I'm just trying to understand what the transaction logs are telling me.   

Splunk seems to create a large number of transactions during the day.   Many of them appear to be just looking at / scanning the em_event (note the URL without parameters) while a some others also include parameters (in the url query string. (/api/now/table/em_event?sysparm_exclude_reference_link=true&sysparm_query=sys_created_on......) 

What would be causing the splunk rest api transaction where there are no parameters being passed?  Is this normal?   From what I understand, the transactions with parameters would be coming from Splunk where our splunk admin setup such a query. 

Just trying to get a clearer picture on this part of the integration. 



SN Transaction LogSN Transaction Log

Labels (3)
0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...