
Has anyone used the Splunk Add-on for ServiceNow to send data from Splunk to ServiceNow?

Roy_9
Motivator

I have a use case to send data from Splunk to SNow. I noticed there are a bunch of scripts available in the ServiceNow add-on. Has anyone tried this effort?

Please let me know your thoughts.

0 Karma
1 Solution

Roy_9
Motivator

Hope this might help anyone who wants to implement this use case.

1. Develop a custom alert action using Splunk Add-on Builder that will send report results to ServiceNow.

2. Develop a script which can send data into ServiceNow.

3. Develop a scheduled report that runs on the search head (the Splunk alert action will run after a scheduled report runs on the search head).

View solution in original post
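A sketch of step 2, the script behind the custom alert action, added here as an example; it is not the poster's code or the add-on's. It assumes Splunk's alert-action payload on stdin (`configuration`, `results_file`), ServiceNow's Table API, hypothetical alert parameters `instance`, `table` and `token`, and a made-up field mapping; in production the token would come from Splunk's credential store rather than an alert parameter.

```python
import csv, gzip, io, json, re, sys, urllib.request

# Hypothetical mapping: Splunk result field -> ServiceNow column name.
FIELD_MAP = {"host": "name", "ip": "ip_address", "os": "os"}
REQUIRED = ("name",)  # assumed mandatory columns on the target table
# Constructed sample of the gzipped CSV Splunk passes as results_file.
SAMPLE_GZ = gzip.compress(b"host,ip,os\nweb01,10.0.0.5,linux\n,10.0.0.6,linux\n")

def read_results(gz_bytes):
    """Parse Splunk's gzipped CSV search results into a list of dicts."""
    text = gzip.decompress(gz_bytes).decode("utf-8")
    return list(csv.DictReader(io.StringIO(text)))

def to_record(row):
    """Allowlist and rename fields; None if a required column would be blank."""
    rec = {col: row[src] for src, col in FIELD_MAP.items() if row.get(src)}
    return rec if all(c in rec for c in REQUIRED) else None

def prepare(gz_bytes):
    """Return (records to send, number of rows rejected before sending)."""
    recs = [to_record(r) for r in read_results(gz_bytes)]
    good = [r for r in recs if r is not None]
    return good, len(recs) - len(good)

def build_request(instance, table, record, token):
    """Build (not send) a ServiceNow Table API POST for one record."""
    if not instance.startswith("https://"):
        raise ValueError("ServiceNow URL must use https")
    if not re.fullmatch(r"[a-z0-9_]+", table):
        raise ValueError("unexpected table name")
    return urllib.request.Request(
        f"{instance.rstrip('/')}/api/now/table/{table}",
        data=json.dumps(record).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Bearer {token}"})

def main():
    payload = json.load(sys.stdin)   # Splunk sends the alert payload on stdin
    cfg = payload["configuration"]   # hypothetical params: instance, table, token
    with open(payload["results_file"], "rb") as fh:
        records, skipped = prepare(fh.read())
    for rec in records:
        req = build_request(cfg["instance"], cfg["table"], rec, cfg["token"])
        with urllib.request.urlopen(req, timeout=30) as resp:
            if resp.status != 201:   # Table API answers 201 Created on insert
                sys.exit(f"ServiceNow returned HTTP {resp.status}")
    print(f"sent={len(records)} skipped={skipped}", file=sys.stderr)
if __name__ == "__main__" and "--execute" in sys.argv:
    main()
```

Rejecting rows before the POST keeps records with blank required columns out of the target table, and the allowlist drops Splunk's internal result fields instead of forwarding them.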

Roy_9
Motivator

Thanks @isoutamo for your response. Yes, we have installed the Splunk Add-on for ServiceNow.
We have a report that we would like to post to a CMDB table in SNow.
Under Report --> Trigger --> we selected ServiceNow Incident Integration and passed the account and API endpoint details, but the data is not posting to the CMDB table. Instead it is hitting the temp table, all the fields which we pass are blank in that temp table, and we are seeing an error message in the last column of that temp table.

Any advice or suggestions would be helpful.

0 Karma

isoutamo
SplunkTrust

Have you checked that the SNow + Splunk versions match what is required, and also installed those services/packages (or whatever that term was) on the SNow side? Also, are the required users created and granted rights to use those services/tables on the SNow side?

r. Ismo

0 Karma

Roy_9
Motivator

Yes, both are running on the updated versions, and in order to set up an account in Splunk, a service account was set up in ServiceNow and all necessary privileges have been granted to that account.

So we configured this add-on using the account provided by ServiceNow.

We were able to successfully ingest data from ServiceNow to Splunk, but the problem we are facing is sending the data from Splunk to ServiceNow.

0 Karma

isoutamo
SplunkTrust

This sounds like there is still something undone on the SNow side (missing rights or integration package). What did your logs say when you tried to update SNow?

0 Karma

Roy_9
Motivator

@isoutamo We are using Splunk Cloud and this add-on is installed on the Splunk IDM. Usually we don't have privileges to update the add-on; we usually place a support ticket to update our apps and add-ons on the IDM and SH.

I still doubt whether I am using the right option of the Splunk Add-on for ServiceNow (ServiceNow Incident Integration) for sending the data from Splunk to ServiceNow, because the majority of users are using this add-on for getting data into Splunk from SNow.

0 Karma

isoutamo
SplunkTrust

As this says https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/About, you can also create incidents on the SNow side, BUT this requires that the Splunk user which is configured in the add-on has the needed rights for SNow's internal tables / integration application to create those incidents etc. in SNow from SH(/C). Without those rights / integration application you can only query that data from SNow via the REST API.

Those rights / integration application must be enabled on the ServiceNow side, not on the Splunk side!

r. Ismo

0 Karma

Roy_9
Motivator

Yes @isoutamo, we have permissions for the ServiceNow table; however, when we are sending the data from the ServiceNow add-on in the form of an incident, the data is not populating in the ServiceNow table due to compatibility issues (maybe the data format).

If this add-on feature is not an option, what are the other options that I can test with?

0 Karma

isoutamo
SplunkTrust

Unfortunately I don't have access now to any Splunk <-> ServiceNow environment to help you more with this issue. Let's hope that there is someone else who could continue with this.

0 Karma

Roy_9
Motivator

@richgalloway Do you have any idea on this request? I got stuck with this and am trying to figure out an option to send this data from Splunk.

0 Karma

isoutamo
SplunkTrust

Hi

I have used some previous version of this https://splunkbase.splunk.com/app/1928/#/overview (2y ago?). At that time it worked OK, but you need to follow those instructions and ensure that all versions match and also that the needed components and users are created on both sides (Splunk + SNow).

What kind of issue do you have? Unfortunately I don't have a SNow installation at hand now, but maybe I could still give you some hints.

r. Ismo
