
Splunk and ServiceNow event management options and a few questions

Engager

Hi,

Could someone please help me understand how I can integrate Splunk and ServiceNow for events? I followed a few of the available articles; they suggest using a free app called Splunk plugin for Service-Now. I wanted to know if this is the only way to do this integration. We are testing this and facing some issues after configuring everything as described in the help documents. We can't see any event in the ServiceNow Event Management table, so it seems the integration is not working.
I have a couple of questions:

1) Do I need to create an intermediate table (form) to fetch the data from Splunk to ServiceNow?
2) Do I have to make validations before pushing the data to the event table?
3) Do I need to use Web Services as an integration technique to achieve it? Do I need to create a web service and publish it?
4) How would I check if the data is flowing between these two applications?
5) How would I establish a connection between these two applications?

Right now I am testing on the Istanbul version of ServiceNow, but we have the Jakarta version in production. As far as I have checked, the Splunk app is not compatible with the latest ServiceNow. The ServiceNow team says that the Splunk app is under some testing. Can someone let me know when it would be available?

Thanks
Sbat

0 Karma
1 Solution

Champion

1) Do I need to create an intermediate table (form) to fetch the data from Splunk to ServiceNow?
The best way to do this, and something I have done, is to have ServiceNow available as a REST API; ServiceNow by default comes with REST API services. Now, the event / alert from which you want to create incidents from Splunk to ServiceNow merely needs to pass the required fields into the ServiceNow API. Please read a bit more on workflow and alerts in the Splunk documentation.
2) Do I have to make validations before pushing the data to the event table?
Yes, your data in the Splunk index might be in a different format from the ServiceNow events table. Make sure that the field formats are matching before you invoke and pass data into the ServiceNow API.
3) Do I need to use Web Services as an integration technique to achieve it? Do I need to create a web service and publish it?
No, ServiceNow comes with vanilla REST API services.
4) How would I check if the data is flowing between these two applications?
No easy way, but once an event / alert comes in Splunk which should create an entry in ServiceNow, it should create it. Also, ask the ServiceNow admin team to create a user, something like splunkuser; from the audit records in the event table you should be able to get the entries created by splunkuser.
5) How would I establish a connection between these two applications?
REST API. Splunk (invokes) > ServiceNow REST API > Splunk passes all required keys and required field info using the GET method > submits entry to the ServiceNow API

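The answer above describes the integration in prose (map the alert fields, validate them, push them into ServiceNow's built-in REST API under a dedicated user, and verify by reading the records back). The following is an added example, not code from the thread or from either vendor, of a minimal Splunk custom alert action that does exactly that. It assumes the target is the em_event table of ServiceNow Event Management, that the field names source, node, type, severity, description, resource and message_key exist on it, that the severity codes are 1 (critical) to 5 (info), and that a dedicated integration user such as splunkuser holds only insert and read rights on that table. The record is created with an HTTP POST, which is what the ServiceNow Table API uses for inserts. Credentials are read from environment variables so they never sit in the script.

```python
"""Added example: forward a Splunk alert result to ServiceNow em_event.

Assumed table/field names (em_event, source, node, type, severity,
description, resource, message_key) and severity codes 1..5 are assumptions,
not taken from the thread. Splunk invokes custom alert actions with the
argument --execute and a JSON document on stdin whose "result" key holds one
result row of the alert search.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Fields the ServiceNow side must receive non-empty (the "validate before
# pushing" step from the answer). Assumed list.
REQUIRED = ("source", "node", "type", "severity", "description")
# Human severity words as they might appear in a Splunk field -> em_event code.
SEVERITY_MAP = {"critical": "1", "high": "2", "medium": "3", "low": "4", "info": "5"}


def build_event(result, source="Splunk"):
    """Map one Splunk result row (dict) to an em_event payload.

    Raises ValueError when a required field would be empty, so a malformed
    alert is rejected locally instead of producing a half-filled event.
    """
    sev = str(result.get("severity", "")).strip().lower()
    node = str(result.get("host", "")).strip()
    evt_type = str(result.get("search_name", result.get("type", ""))).strip()
    payload = {
        "source": source,
        "node": node,
        "type": evt_type,
        # Accept either a word from SEVERITY_MAP or an already numeric code.
        "severity": SEVERITY_MAP.get(sev, sev if sev in "012345" and sev else ""),
        # em_event.description is a large text field; cap it defensively.
        "description": str(result.get("_raw", result.get("description", ""))).strip()[:4000],
        "resource": str(result.get("sourcetype", "")).strip(),
        # message_key lets ServiceNow de-duplicate repeats of the same condition.
        "message_key": "{}:{}:{}".format(source, node, evt_type),
    }
    missing = [k for k in REQUIRED if not payload[k]]
    if missing:
        raise ValueError("missing required em_event fields: " + ", ".join(missing))
    return payload


def _auth_header():
    """Basic auth built from environment variables (SNOW_USER / SNOW_PASS)."""
    user, password = os.environ["SNOW_USER"], os.environ["SNOW_PASS"]
    token = base64.b64encode("{}:{}".format(user, password).encode()).decode()
    return {"Authorization": "Basic " + token}


def send_event(instance, payload, timeout=10):
    """POST the payload to the Table API; returns the sys_id of the new record.

    instance is the hostname only, e.g. "dev12345.service-now.com" (assumed).
    """
    url = "https://{}/api/now/table/em_event".format(instance)
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST")
    for k, v in {**_auth_header(), "Content-Type": "application/json",
                 "Accept": "application/json"}.items():
        req.add_header(k, v)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]["sys_id"]


def list_recent_events(instance, source="Splunk", limit=20, timeout=10):
    """Read back events whose source matches: the 'is data flowing?' check.

    Equivalent to filtering the table by the integration user's records.
    """
    query = urllib.parse.urlencode({
        "sysparm_query": "source={}^ORDERBYDESCsys_created_on".format(source),
        "sysparm_limit": str(limit),
        "sysparm_fields": "sys_id,node,type,severity,sys_created_on",
    })
    url = "https://{}/api/now/table/em_event?{}".format(instance, query)
    req = urllib.request.Request(url, headers={**_auth_header(), "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__" and "--execute" in sys.argv:
    alert = json.load(sys.stdin)  # Splunk's modular alert input document
    event = build_event(alert["result"], source="Splunk:" + alert.get("app", "search"))
    print(send_event(os.environ["SNOW_INSTANCE"], event), file=sys.stderr)
```

Point the alert action at this script, export SNOW_INSTANCE, SNOW_USER and SNOW_PASS for the Splunk process, and use list_recent_events with the same user to confirm that records are arriving; a 403 on the POST means the integration user lacks insert rights on em_event, and a ValueError means the alert search is not producing the fields the mapping expects.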

Splunk Employee

Hey @Sbataccount, If @Sukisen1981 provided what you needed to know for your questions please remember to accept the answer to award karma points and close the question.

0 Karma
