I am having some difficulty integrating my Splunk instances with ServiceNow, and I am getting conflicting information from the Splunk documentation as compared to the how the integration application works on the ServiceNow end. My organization has a fairly robust instance of ServiceNow, however we do not utilize it for the Security Incident Response plugin. We also do not use Event Managment. Both are an extra ServiceNow license, but only Event Management is mentioned in the Splunk documentation, and is supposedly not required. Is the Security Incident Response plugin (and license) required for ServiceNow integration (Jakarta) even if you are just trying to leverage Splunk integration for operational incidents?
I am using just the incident and CMDB integration - We don't have Events management or Incident Response either, so I think the answer to your question is no.
We have found that the Splunk incident integration has not quite met our needs, as we need to raise tickets against individuals and business services (the plugin only allows groups and CI's) so I have had to amend it to support these requirements.
My ServiceNow admin is telling me that the splunk integration application forces you to install the security incident response plugin which would put us in violation of licensing. Most things I have read do not seem to mention that. Are you running Jakarta and can you confirm that the plug in is not installed? I would love to be able to generate incidents even just based on groups.