Getting Data In

Anyone used the Splunk Add-on for ServiceNow to send data from Splunk to ServiceNow?

Roy99
Communicator

I have a use case to send data from Splunk to SNOW. I noticed there are a bunch of scripts available in the ServiceNow add-on. Did anyone try this effort?

Please let me know your thoughts.

0 Karma
1 Solution

Roy99
Communicator

Hope this might help anyone who wants to implement this use case.

1. Develop a custom alert action using Splunk Add-on Builder that will send report results to ServiceNow.

2. Develop a script which can send data into ServiceNow.

3. Develop a scheduled report that runs on the search head (the Splunk alert action will run after a scheduled report runs on the search head).

View solution in original post
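
One way to implement steps 1 and 2 above as the script behind a custom alert action; this is an added example, not code from the original post or from the Splunk Add-on for ServiceNow. It assumes Splunk's custom alert action invocation (`--execute`, with a JSON payload on stdin that names a gzipped CSV `results_file`) and the ServiceNow Table API (`POST /api/now/table/<table>`); the parameters `instance_url` and `table`, the table `u_splunk_report` and the environment variables `SNOW_USER`/`SNOW_PASS` are hypothetical.

```python
import base64, csv, gzip, json, os, re, sys, urllib.request
from urllib.parse import urlsplit

TABLE_RE = re.compile(r"^[a-z0-9_]+$")  # restricts the table segment of the URL path
# Constructed sample payload and result row (not real data), used without --execute.
SAMPLE_PAYLOAD = {"configuration": {
    "instance_url": "https://example.service-now.com", "table": "u_splunk_report"}}
SAMPLE_ROWS = [{"_time": "1700000000", "name": "web01", "ip_address": "10.0.0.5", "os": ""}]

def build_requests(payload, rows):
    """Return one (url, json_body) pair per result row, validating the target first."""
    cfg = payload.get("configuration", {})
    parts = urlsplit(cfg.get("instance_url", ""))  # hypothetical alert-action parameter
    table = cfg.get("table", "")                   # hypothetical alert-action parameter
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("instance_url must be an https:// URL")  # no cleartext basic auth
    if not TABLE_RE.match(table):
        raise ValueError("invalid table name")
    # Rebuild the URL from the hostname only, dropping any userinfo, port or path.
    url = f"https://{parts.hostname}/api/now/table/{table}"
    out = []
    for row in rows:
        # Drop Splunk internal fields (_time, __mv_*) and empty values.
        body = {k: v for k, v in row.items() if not k.startswith("_") and v != ""}
        if body:
            out.append((url, json.dumps(body, sort_keys=True)))
    return out

def read_results(path):
    """Read the gzipped CSV of search results that Splunk hands to the alert action."""
    with gzip.open(path, "rt", newline="", encoding="utf-8") as fh:
        return list(csv.DictReader(fh))

def send(url, body, user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body.encode(), method="POST", headers={
        "Authorization": "Basic " + token,
        "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

if __name__ == "__main__":
    if sys.argv[1:2] == ["--execute"]:
        payload = json.load(sys.stdin)
        for url, body in build_requests(payload, read_results(payload["results_file"])):
            status = send(url, body, os.environ["SNOW_USER"], os.environ["SNOW_PASS"])
            print(f"POST {url} -> {status}", file=sys.stderr)
    else:
        print(build_requests(SAMPLE_PAYLOAD, SAMPLE_ROWS))
```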


Roy99
Communicator

Thanks @isoutamo for your response. Yes, we have installed the Splunk Add-on for ServiceNow.
We have a report that we would like to post to a CMDB table in SNOW.
Under report --> Trigger --> we selected ServiceNow Incident Integration and passed the account and API endpoint details, but the data is not posting to the CMDB table; instead it is hitting the temp table, all the fields which we pass are blank in that temp table, and we are seeing an error message in the last column of that temp table.

Any advice or suggestions would be helpful.

0 Karma

isoutamo
SplunkTrust

Have you checked that the SNOW + Splunk versions match what is required, and also installed those services/packages (or whatever that term was) on the SNOW side? Also, are the required users created and granted rights to use those services/tables on the SNOW side?

r. Ismo

0 Karma

Roy99
Communicator

Yes, both are running on the updated versions, and in order to set up an account in Splunk, a service account was set up in ServiceNow and all necessary privileges have been granted to that account.

So we configured this add-on using the account provided by ServiceNow.

We were able to successfully ingest data from ServiceNow to Splunk, but the problem we are facing is sending the data from Splunk to ServiceNow.

0 Karma

isoutamo
SplunkTrust

This sounds like there is still something undone on the SNOW side (missing rights or integration package). What did your logs say when you tried to update SNOW?

0 Karma

Roy99
Communicator

@isoutamo We are using Splunk Cloud and this add-on is installed on the Splunk IDM. Usually we don't have privileges to update the add-on; we usually place a support ticket to update our apps and add-ons on the IDM and SH.

I still doubt whether I am using the right option of the Splunk Add-on for ServiceNow (ServiceNow Incident Integration) for sending the data from Splunk to ServiceNow, because the majority of users are using this add-on for getting data into Splunk from SNOW.

0 Karma

isoutamo
SplunkTrust

As this says https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/About, you can also create incidents on the SNOW side, BUT this requires that your Splunk user which is configured in the add-on has the needed rights for SNOW's internal tables / integration application to create those incidents etc. in SNOW from the SH(/C). Without those rights/integration application you can only query that data from SNOW via the REST API.

Those rights / integration application must be enabled on the ServiceNow side, not on the Splunk side!

r. Ismo

0 Karma

Roy99
Communicator

Yes @isoutamo, we have permissions for the ServiceNow table; however, when we are sending the data from the ServiceNow add-on in the form of an incident, the data is not populating in the ServiceNow table due to compatibility issues (maybe data format).

If this add-on feature is not an option, what are the other options that I can test with?

0 Karma

isoutamo
SplunkTrust

Unfortunately I don't have access now to any Splunk <-> ServiceNow environment to help you more with this issue. Let's hope that there is someone else who could continue with this.

0 Karma

Roy99
Communicator

@richgalloway Do you have any idea on this request? I got stuck with this and am trying to figure out an option to send this data from Splunk.

0 Karma

isoutamo
SplunkTrust

Hi

I have used some previous version of this https://splunkbase.splunk.com/app/1928/#/overview (2y ago?). At that time it worked OK, but you need to follow those instructions and ensure that all versions match and also that the needed components and users are created on both sides (Splunk + SNOW).

What kind of issue do you have? Unfortunately I don't have a SNOW installation at hand now, but maybe I could still give you some hints.

r. Ismo
