The field names that exist in ServiceNow SecOPS are somewhat proprietary to you, and I assume you have a list of the fields viewed > fields named on the back end.
For Splunk,depending on where you have the Splunk Action for generating a SN Security Incident at would determine the mapping.
Example, Splunk ES Incident review dashboard had different field names for some fields than what is present in regular searches.
try this out and see if it helps:
| rest splunk_server=local /servicesNS/-/-/configs/conf-log_review/incident_review | fields event_attributes | eval d=split(event_attributes, ",") | rex field=d max_match=0 "field\"\s*:\s*\"(?[^\"]+)" | rex field=d max_match=0 "label\"\s*:\s*\"(?[^\"]+)" | eval mv=mvzip(field,label) | fields mv | mvexpand mv | eval field=mvindex(split(mv,","), 0), label=mvindex(split(mv,","), 1) | table field, label
... View more