
Configure ServiceNow to integrate with the Splunk platform

Integrate ServiceNow with your Splunk platform instances to enable users to create incidents and events in ServiceNow using the following methods:

  • Custom generating search commands

  • Custom streaming search commands

  • Alert-triggered scripts

Your integration method depends on the version and deployment of your ServiceNow instance:

| Version | ServiceNow deployment | Instructions |
|---|---|---|
| Quebec, Rome, San Diego, Tokyo, Utah, Vancouver, Washington DC, and Xanadu | ServiceNow in the cloud | Apply the integration application |
| Quebec, Rome, San Diego, Tokyo, Utah, Vancouver, Washington DC, and Xanadu | ServiceNow bare metal installation on-premises | Use an update set |

If you want to perform push integration with the ServiceNow Event table, you must have the Event Management plugin installed and enabled before you proceed. See Hardware and software requirements for details about which features require this additional plugin.

See custom generating search commands, custom streaming search commands, and alert-triggered scripts to learn more about integrating ServiceNow with your Splunk platform instances.

Apply the integration application

Download the Splunk Integration application from the ServiceNow app store and configure it.

  1. Navigate to the ServiceNow app store and search for the Splunk Integration application (reference).

  2. Download the Splunk Integration application.

  3. Deploy the Splunk Integration application on your ServiceNow instance.

  4. Log in to your ServiceNow instance as an administrator.

  5. Create the service account with the same username you defined in the add-on setup. For example, splunk_user.

  6. Assign the user the role of x_splu2_splunk_ser.Splunk.

  7. (Optional) If you want to use the deprecated syslog table input, create an additional access control rule granting read-only access to the syslog log entry.

  8. (Optional) In the Requires Role section, enter x_splu2_splunk_ser.Splunk. This grants your user read-only access to the syslog database table, which is otherwise only readable by administrators.

  9. (Optional) Repeat steps 7 and 8 for sys_audit, sys_audit_delete, sysevent and syslog_transaction tables.

  10. (Optional) If you want to use the sys_choice table input, update the "sys_choice.*" access control of the table by adding the x_splu2_splunk_ser.Splunk role in the Requires Role section.

  11. (Optional) Repeat steps 7 and 8 for any additional database tables that you want to index.

Use an update set

To get the update set XML files, contact the ServiceNow support team, then perform the following steps.

Install the file that matches your version on your ServiceNow instance:

  1. Log in to your ServiceNow instance as an administrator.

  2. Navigate to User Administration to temporarily add the security_admin role to your user.

  3. Navigate to System Update Sets.

  4. Follow the instructions in the ServiceNow documentation to apply the Update Set. See Save an update set as a local XML file and Transferring Update Sets for detailed instructions.

    If you see the error “Could not find a record in sys_report referenced in this update”, you can ignore it.

  5. Create the service account with the same username you defined in the add-on setup. For example, splunk_user.

  6. Assign the user the Splunk role. This grants the itil role.

  7. (Optional) To use the deprecated syslog table input, create an additional access control rule granting read-only access to the syslog log entry.

  8. (Optional) In the Requires Role section, enter Splunk. This grants your user read-only access to the syslog database table, which is otherwise only readable by administrators.

  9. Repeat steps 7 and 8 for any additional database tables that you want to index.

Configure ServiceNow to collect data using the OAuth 2.0 - Authorization Code Grant Type authentication mechanism

Configure the Application Registry on your ServiceNow instance to use OAuth 2.0 - Authorization Code Grant Type authentication.

  1. Obtain your Splunk platform deployment’s redirect URL.

    1. When you add an account in the Splunk Add-on for ServiceNow, choose OAuth 2.0 - Authorization Code Grant Type authentication as your authentication type. The redirect URL is displayed.

    2. Copy the redirect URL. You’ll need to paste it into your ServiceNow Application Registry.

  2. Log in to your ServiceNow instance, using the ServiceNow UI.

  3. Navigate to System OAuth > Application Registry.

  4. Click New.

  5. Navigate to the interceptor page and click Create an OAuth API endpoint for external clients.

  6. Fill in the form.

    1. Enter a unique Name.

    2. In the Redirect URL field, paste your redirect URL.

    3. Configure the value of the Refresh Token Lifespan parameter as high as possible so that it does not expire. Once the refresh token expires, you have to reconfigure the account.

    4. Verify that the PKCE Required function is disabled.

  7. Click Submit.

Configure ServiceNow to collect data using the OAuth 2.0 - Client Credentials Grant Type authentication mechanism

ServiceNow supports multiple OAuth2 grant_type values. By default, the authorization_code grant type is used and the client_credentials grant type is disabled. Follow the steps below to enable and configure client_credentials.

  1. Enable Inbound Client Credentials Grant Type:

    a. Navigate to All → sys_properties.list.

    b. Click New to add a new system property.

    c. Use the following details:

    - **Name:** `glide.oauth.inbound.client.credential.grant_type.enabled`
    - **Type:** Boolean
    - **Value:** `true`
    

    d. Save the property.

  2. Add missing fields to the form. By default, Default Grant Type and OAuth Application User don't appear on the Application Registry form. Perform the following steps to add them:

    a. Navigate to System OAuth → Application Registry.

    b. Click New.

    c. In the header menu, select Configure → Form Design.

    d. In the Form Designer, drag and drop Default Grant Type and OAuth Application User into the form layout.

    e. Click Save.

  3. Create OAuth2 Client Credentials.

    a. Go to System OAuth → Application Registry.

    b. Click New.

    c. Select Create an OAuth API endpoint for external clients.

    d. Fill in the required fields:

    - **Name:** Descriptive name of your choice
    - **Client ID:** Auto-generated
    - **Client Secret**
    - **Default Grant Type:** `Client Credentials`
    - **OAuth Application User:** Select a valid user (click the magnifying glass to search)
    

    e. Click Submit.
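A way to confirm the registry entry created above issues tokens for the client_credentials grant, added here as an example and not taken from Splunk or ServiceNow code. It assumes the ServiceNow token endpoint path `/oauth_token.do`; the instance URL, credentials and sample response bodies are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

# Assumption: ServiceNow's OAuth token endpoint path; it is not named on this page.
TOKEN_PATH = "/oauth_token.do"


def build_token_request(instance_url, client_id, client_secret):
    """Build the client_credentials token request for the registry entry."""
    if not instance_url.startswith("https://"):
        raise ValueError("refusing to send the client secret over a non-HTTPS URL")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return urllib.request.Request(
        instance_url.rstrip("/") + TOKEN_PATH, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def check_token_response(raw_body):
    """Return a list of problems in a token endpoint response (empty = usable)."""
    try:
        doc = json.loads(raw_body)
    except ValueError:
        return ["response body is not JSON"]
    if not isinstance(doc, dict):
        return ["response body is not a JSON object"]
    if "error" in doc:  # RFC 6749 section 5.2 error response
        return ["token endpoint refused the request: %s" % doc["error"]]
    problems = []
    if not doc.get("access_token"):
        problems.append("no access_token returned")
    if str(doc.get("token_type", "")).lower() != "bearer":
        problems.append("token_type is not Bearer")
    try:
        if int(doc.get("expires_in", 0)) <= 0:
            problems.append("expires_in is missing or not positive")
    except (TypeError, ValueError):
        problems.append("expires_in is not a number")
    return problems


# Constructed sample bodies, not captured from a real instance.
SAMPLE_OK = '{"access_token": "EXAMPLE-TOKEN", "token_type": "Bearer", "expires_in": 1799}'
SAMPLE_REFUSED = '{"error": "unsupported_grant_type"}'
```

Pass the request to `urllib.request.urlopen` and feed the response body to `check_token_response`; keep the client secret out of logs and shell history when doing so.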

The following OAuth 2.0 roles are required for the ServiceNow User:

  • itil

  • oauth_user

  • oauth_admin

  • rest_api_explorer

  • rest_service

  • x_splu2_splunk_ser.Splunk
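A check of the service account against the role list above, added here as an example and not part of the add-on. It assumes the roles are read through the ServiceNow Table API on `sys_user_has_role` with the dot-walked field `role.name` and the `inherited` flag; the instance URL and the sample response are constructed.

```python
import json
from urllib.parse import urlencode

# Roles the page lists as required for the ServiceNow user.
REQUIRED_ROLES = {
    "itil", "oauth_user", "oauth_admin",
    "rest_api_explorer", "rest_service", "x_splu2_splunk_ser.Splunk",
}


def role_query_url(instance_url, username):
    """Table API URL that lists the roles held by one user (assumed query shape)."""
    if "^" in username or "=" in username:
        raise ValueError("username would alter the encoded query")
    query = urlencode({
        "sysparm_query": "user.user_name=%s" % username,
        "sysparm_fields": "role.name,inherited",
    })
    return "%s/api/now/table/sys_user_has_role?%s" % (instance_url.rstrip("/"), query)


def audit_roles(raw_response):
    """Compare the roles in a Table API response with REQUIRED_ROLES."""
    rows = json.loads(raw_response)["result"]
    held = {row["role.name"] for row in rows}
    # Directly granted roles were assigned by hand; inherited ones arrive
    # through a containing role (the Table API returns the flag as a string).
    direct = {row["role.name"] for row in rows if row.get("inherited") != "true"}
    return {
        "missing": sorted(REQUIRED_ROLES - held),
        "extra_direct": sorted(direct - REQUIRED_ROLES),
        "extra_inherited": sorted((held - direct) - REQUIRED_ROLES),
    }


# Constructed sample response for the example account splunk_user.
SAMPLE_RESPONSE = json.dumps({"result": [
    {"role.name": "itil", "inherited": "false"},
    {"role.name": "oauth_user", "inherited": "false"},
    {"role.name": "rest_service", "inherited": "false"},
    {"role.name": "x_splu2_splunk_ser.Splunk", "inherited": "false"},
    {"role.name": "admin", "inherited": "false"},
    {"role.name": "example_contained_role", "inherited": "true"},
]})

if __name__ == "__main__":
    print(role_query_url("https://example.service-now.com", "splunk_user"))
    print(audit_roles(SAMPLE_RESPONSE))
```

Anything reported under `extra_direct` is access the integration does not need according to this page and is worth reviewing before the account goes into production.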