I'm overall a novice to Splunk as my focus is more on ServiceNow Admin. But I'm trying to get a better high level understanding how Splunk is working with our SN environment and Event Management to better help support when Splunk/Event Management issues crop up.
I haven't had a chance to discuss further with our local support who integrated/setup this last year with a outside vendor's support. So I thought I'd ask here. We have Splunk setup (using SN Splunk add-on) to create events in ServiceNow. We have a local Splunk account with the proper Splunk role and access to the rest api. And all seems to work from what I understand in most cases. I'm just trying to understand what the transaction logs are telling me.
Splunk seems to create a large number of transactions during the day. Many of them appear to be just looking at / scanning the em_event (note the URL without parameters) while a some others also include parameters (in the url query string. (/api/now/table/em_event?sysparm_exclude_reference_link=true&sysparm_query=sys_created_on......)
What would be causing the splunk rest api transaction where there are no parameters being passed? Is this normal? From what I understand, the transactions with parameters would be coming from Splunk where our splunk admin setup such a query.
Just trying to get a clearer picture on this part of the integration.
SN Transaction Log