All Apps and Add-ons
Highlighted

Why do we need a ServiceNow add-on on a search head?

Contributor

Hi,

I will be configuring service now in splunk distributed cloud environment. I have gone through documentation and still, I have few questions:

  1. Why we need service now add-on on search head as well? Is it not possible to have add-on on Heavy forwarder alone and service now app on Search head...
  2. I am using OMS app as well in Heavy forwarders which connect and receive input from port 443 so can I also receive Service now data in forwarder using same 443 port?
  3. Splunk service now add-on is for input setup and service now app is for dashboards i.e. data to be visualized..is my understanding correct?
0 Karma
Highlighted

Re: Why do we need a ServiceNow add-on on a search head?

Splunk Employee
Splunk Employee
  1. The Add-ons contain lookups and field extractions that happen at search time. If you have it at the Heavy Forwarder layer it will handle the inputs (data onboarding) and some index time field extractions but won't do the search time extractions or lookups.
  2. You don't need to specify a port on Splunk to use. It's a REST API input. That is a pull from your ServiceNow system so it's whatever port (likely 443) that your ServiceNow site uses. Just follow the instructions from our add-on and you should be good. http://docs.splunk.com/Documentation/AddOns/released/ServiceNow/About
  3. That is a correct statement for most Add-on vs App discussions. Some add-ons like this one will also do a little more than just inputs. This add-on also contains lookups to convert any cryptic field values to human readable text and do the field extractions which make the dashboards populate nicely. The Add-on also contains a few pre-built panels if you want to build your own dashboards and it contains some alerts actions if you want to send data back to ServiceNow.

View solution in original post

0 Karma
Highlighted

Re: Why do we need a ServiceNow add-on on a search head?

Contributor

Thank you so much @aivarson_splunk
Yes, I want to send data back to service now and it can happen through service now add-on (in SH) correct?
can you please suggest port for service now data to collect in heavy forwarder.

0 Karma
Highlighted

Re: Why do we need a ServiceNow add-on on a search head?

Splunk Employee
Splunk Employee

Is this your own Splunk running in the cloud or SplunkCloud (our SaaS product)? If it is your Splunk in the cloud (Bring your own license) then you can do it from the SH. If it is our SplunkCloud the current solution is to configure an on-premise Search Head and put it in Hybrid Search Mode to perform your alert actions.

Correction to #2 above. You don't need to specify a port on Splunk to use. It's a REST API input. That is a pull from your ServiceNow system so it's whatever port (likely 443) that your ServiceNow site uses. Just follow the instructions from our add-on and you should be good. http://docs.splunk.com/Documentation/AddOns/released/ServiceNow/About

0 Karma
Highlighted

Re: Why do we need a ServiceNow add-on on a search head?

Contributor

I am using virtual machines(windows os) on azure cloud where splunk is installed.
thanks.

0 Karma