Apologies -- I overlooked something in your reply. There are two alert actions provided by the TA: Event Integration and Incident Integration. The Incident Integration action is what you need if you want to create incidents directly from Splunk. The Event Integration, as you have found, creates Splunk events in ServiceNow. There will need to be a ServiceNow workflow set up in order for those events to be upgraded to incidents. We opted for using the Incident Integration.
Also, you mention ingesting logs from ServiceNow via your HF but you don't mention using any of the inputs to ingest data from ServiceNow tables. Is the account you have configured able to hit the ServiceNow REST API?
Given the combined list:
1. REGEX = .
2. REGEX = (.)
3. REGEX = .*
4. REGEX = .*?
5. REGEX = ^.
I'd expect that 1 and 5 will be very similar, and the best choices. 2 requires the regex engine to create a capture group, which you don't appear to need. 3, depending on the efficiency of the regex engine, may decide to consider all the characters in the event. 4 should reduce to 1, but the regex engine will have to take that extra step.
If you have the config file in version control, you could use those tools to produce a periodic comparison of what was last committed versus what is currently live. Append that comparison to a log, and have the Universal Forwarder watch that log.
You can then set up an alert to tell you when there were any changes, and both identify undesired changes and changes that need to be committed to source control.
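As an added example (not code from the original post), here is the comparison-and-append step in Python. It assumes the last-committed copy of the file has already been retrieved from version control by whatever tool you use; both the committed and the live contents below are constructed sample inputs.conf text embedded inline so the script runs offline. Each changed line becomes one timestamped key=value log line, which is the shape a Universal Forwarder monitor input and a Splunk alert can work with.

```python
"""Config-drift check: compare the last-committed copy of a config file with
the live copy and append one key=value log line per changed line.
Added example; the committed/live contents are constructed sample data."""
import datetime
import difflib
import hashlib
import json
import os
import tempfile

# Constructed sample: what was last committed to version control.
COMMITTED = """[monitor:///var/log/app]
sourcetype = app_log
index = main
"""

# Constructed sample: what is currently live on the forwarder.
LIVE = """[monitor:///var/log/app]
sourcetype = app_log
index = security
disabled = 0
"""


def changed_lines(committed, live):
    """Return [(op, line), ...] where op is '-' (removed) or '+' (added).

    n=0 suppresses context lines, so apart from the two file headers and
    the @@ hunk markers every emitted line is a real change."""
    diff = difflib.unified_diff(
        committed.splitlines(), live.splitlines(),
        fromfile="committed", tofile="live", lineterm="", n=0,
    )
    diff = iter(diff)
    next(diff, None)  # skip '--- committed'
    next(diff, None)  # skip '+++ live'
    out = []
    for d in diff:
        if d.startswith("@@"):
            continue
        out.append((d[0], d[1:]))
    return out


def drift_events(committed, live, path, ts=None):
    """Render each change as one log line. Hashes identify the two versions
    so an alert can group events from the same comparison run."""
    if ts is None:
        ts = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    c_sha = hashlib.sha256(committed.encode()).hexdigest()[:12]
    l_sha = hashlib.sha256(live.encode()).hexdigest()[:12]
    events = []
    for op, line in changed_lines(committed, live):
        # json.dumps quotes and escapes the line so it stays a single field.
        events.append(
            f'{ts} file={path} committed_sha={c_sha} live_sha={l_sha} '
            f'op={op} line={json.dumps(line)}'
        )
    return events


def append_log(events, log_path):
    """Append the events to the file the Universal Forwarder watches."""
    with open(log_path, "a", encoding="utf-8") as fh:
        for e in events:
            fh.write(e + "\n")
    return len(events)


if __name__ == "__main__":
    # Hypothetical paths; in practice point at the real config and a log
    # directory covered by a [monitor://...] stanza in inputs.conf.
    cfg_path = "/opt/splunk/etc/apps/myapp/local/inputs.conf"
    log_path = os.path.join(tempfile.gettempdir(), "config_drift.log")
    evs = drift_events(COMMITTED, LIVE, cfg_path)
    for e in evs:
        print(e)
    print(f"appended {append_log(evs, log_path)} events to {log_path}")
```

Run it on a schedule (cron or a scripted input), point a `[monitor://...]` stanza at the drift log, and alert on any event; `op=-` lines are settings that disappeared from the live file and `op=+` lines are settings present live but not yet committed, so the same log covers both undesired changes and changes that still need to be checked in.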