Installing a forwarder on ServiceNow


I have been tasked to "integrate" ServiceNow with a Splunk instance. We have a server where Splunk is installed and there is a separate machine where ServiceNow is installed. The people that are requesting this want to use the ServiceNow app. I have no experience with ServiceNow. I installed a universal forwarder on the ServiceNow server. So I have a couple questions...
Does the app still work with a forwarder? Or should I install a regular Splunk instance on the ServiceNow server and forward it to my regular search head?

Thanks in advance.

0 Karma



We have just built just that and so much more. SkyFormation Extend (c) for Splunk extracts security events from multiple business cloud applications (e.g. Salesforce, Google App, ServiceNow, Office 365, AWS, ...) and transforms them to unified and actionable events sent to your Splunk or other SIEM solution.

No more cloud applications integration or classification worries, and all in unified form for easiest correlations and investigation across apps.

SkyFormation is a Java app you can install on-premise on any machine you want, and it will take you 5 minutes to set it up.

Please have a look at:

Feel more than welcome to ask me any question at



The Splunk for ServiceNow add-on is just a custom search command ("snow") for your users to use.

You should install the add-on on the Splunk host your users are using for searching (if they're using a search head, install it there), and install the universal forwarder on the ServiceNow server (as you've done) and forward the ServiceNow logs to your main Splunk instance.

Unrelated, but there are some notes in the Documentation tab for the ServiceNow add-on that might be useful for your users:

0 Karma