I have been tasked to "integrate" ServiceNow with a Splunk instance. We have a server where Splunk is installed and there is a separate machine where ServiceNow is installed. The people that are requesting this want to use the ServiceNow app. I have no experience with ServiceNow. I installed a universal forwarder on the ServiceNow server. So I hvae a couple questions...
Does the app still work with a forwarder? Or should I install a regular Splunk instance on the ServiceNow server and forward it to my regular search head?
We have just build just that and so much more. SkyFormation Extend (c) for Splunk extracts security events from multiple
business cloud applications (e.g. Salesforce, Google App, ServiceNow, Office 365,AWS,...) and transforms them to unified and actionable events sent to your Splunk or other SIEM solution.
No more cloud applications integration or classification worries, and all in unified form for easiest correlations and investigation across apps.
SkyFormation is a Java app you can install at on-premise on any machine you want, and it will take you 5 minutes to set it up.
The Splunk for ServiceNow add-on is just a custom search command ("snow") for your users to use.
you should install the add-on on the Splunk host your users are using for searching (if they're using a search head, install it there), and install the universal forwarder on the ServiceNow server (as you've done) and forward the ServiceNow logs to your main Splunk instance.