Upgrade the Splunk Add-on for ServiceNow
Follow the steps to upgrade to the latest version of the Splunk Add-on for ServiceNow.
- In Splunk Web, navigate to the Splunk Add-on For ServiceNow.
- Disable the inputs configured in your existing version of the Splunk Add-on For ServiceNow.
- To upgrade the add-on to its latest version, perform one of the actions:
  - Click the Upgrade button.
  - Follow the installation steps in the Install topic of this manual.
- In Splunk Web, navigate to the Splunk Add-on For ServiceNow.
- On the Splunk Add-on For ServiceNow configuration page, go to Configuration > ServiceNow Account.
- Reconfigure your ServiceNow account. Select one of the following authentication mechanisms:
  - Set up basic authentication using Splunk Web.
  - Set up OAuth authentication using Splunk Web.
  See the Set up the Splunk Add-on for ServiceNow topic in this manual for more information.
- Set the Record Count setting to the best practice default value of 3000 (Optional).
- Click Update.
- (Optional) If you are upgrading from version 3.1.0 or earlier, perform the following steps:
  - In Splunk Web, navigate to Splunk Add-on For ServiceNow > Inputs.
    The Inputs page contains a list of inputs that were configured before the upgrade. The Table to collect data from field contains the values for all 23 table names. At first, all preconfigured inputs have a warning symbol in the Account column that indicates a Missing Account configuration.
  - Reconfigure each input:
    - Select the correct ServiceNow account.
    - (Optional) Edit the Interval field if required.
    - Click Save.
- If you are upgrading from version 7.1.1 or earlier, refer to Migrating from CSV lookups to KV store lookups under the Enable saved searches for the Splunk Add-on for ServiceNow section for detailed steps.
- Enable the reconfigured inputs.
To upgrade the add-on from versions prior to 6.2 to the latest version of the Splunk Add-on for ServiceNow, you need to perform these additional steps:
- Deactivate the inputs before upgrading the add-on.
- Upgrade the add-on to v7.4.1.
- Activate the inputs for which the checkpoint exists.
- Once the checkpoints are updated for the inputs, disable the inputs.
- Upgrade the add-on to the latest version.
- Activate the inputs to perform the data collection.
Edit the display values for the ServiceNow API
Versions 2.9.1 and earlier of the Splunk Add-on for ServiceNow used display_value = false, and all the display values were calculated from the lookups populated from the saved searches of the add-on.
Version 3.0.0 of the Splunk Add-on for ServiceNow changed the behavior of the add-on to use display_value = all by default. This option fetches richer data from the API, and display values of the fields are available in the API data itself.
Version 6.3.0 of the Splunk Add-on for ServiceNow deprecates support for events fetched through display_value = false (extractions and Common Information Model (CIM) mappings). The best practice is to set display_value to all in your deployment going forward and also revert the extractions in the props.conf accordingly.
If you need to revert to the previous behavior of collecting the display values using lookups, and not directly from the API (setting the display_value to false), perform the following steps:
- Enable the saved searches to generate the mapping lookups.
- On your data collection node, open or create $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/service_now.conf.
- Copy the snow_default stanza from default/service_now.conf, and add it to local/service_now.conf, if it does not already exist.
- In the snow_default stanza in local/service_now.conf, change the display_value=all parameter to display_value=false.
- Save the file.
- Open or create a local/props.conf file.
  - If you use a single search head, open or create the file in $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/props.conf.
  - If you use a search head cluster, create the props.conf file in the configuration bundle on the deployer: $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_snow/local/props.conf.
- Follow the instructions provided in the default/props.conf file under each affected stanza to create a set of FIELDALIAS statements, and then blank out a corresponding set of LOOKUP statements. For example:

      [snow:incident]
      # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
      LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
      LOOKUP-location = cmn_location_list_lookup sys_id AS location OUTPUTNEW latitude, longitude, full_name AS location_name
      LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW user_name AS assignment_user_username, name AS assignment_user_name
      LOOKUP-user2 = sys_user_list_lookup sys_id AS caller_id OUTPUTNEW user_name AS user, name AS name
      LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
      LOOKUP-incident_state = incident_state_lookup state OUTPUTNEW incident_state_name
      # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
      FIELDALIAS-assignment_group_name =
      FIELDALIAS-incident_state_name =
      FIELDALIAS-affect_dest =
      FIELDALIAS-assignment_user_name =
      FIELDALIAS-name =

      [snow:change_request]
      # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
      LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
      LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
      LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS user
      LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
      LOOKUP-change_state = change_state_lookup state OUTPUTNEW change_state_name
      # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
      FIELDALIAS-assignment_group_name =
      FIELDALIAS-assigned_to_name =
      FIELDALIAS-user =
      FIELDALIAS-affect_dest =
      FIELDALIAS-change_state_name =

      [snow:change_task]
      # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
      LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
      LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
      LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS user
      LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
      LOOKUP-change_state = change_state_lookup state OUTPUTNEW change_state_name
      # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
      FIELDALIAS-assignment_group_name =
      FIELDALIAS-assigned_to_name =
      FIELDALIAS-user =
      FIELDALIAS-affect_dest =
      FIELDALIAS-change_state_name =

      [snow:problem]
      # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
      LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
      LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
      LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS name, user_name AS user
      LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
      LOOKUP-problem_state = problem_state_lookup problem_state OUTPUTNEW problem_state_name
      # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
      FIELDALIAS-assignment_group_name =
      FIELDALIAS-assigned_to_name =
      FIELDALIAS-name =
      FIELDALIAS-affect_dest =
      FIELDALIAS-problem_state_name =

      [snow:em_event]
      # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
      LOOKUP-severity_name = severity_lookup severity AS severity OUTPUTNEW severity_name AS severity_name
      # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-severity_name = " without quotes
      FIELDALIAS-severity_name =

- Save the file.
- If you are running a search head cluster, push the configuration bundle to the cluster members by running the following command on the deployer: splunk apply shcluster-bundle. This restarts the search-head cluster members, if needed. If you are running a single search head, restart it manually.
- Restart your data collection node.
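The following check is an added example, not part of the add-on or of Splunk's documentation: it reads the text of local/service_now.conf and local/props.conf and reports where the props.conf overrides disagree with the display_value setting, using the stanzas and FIELDALIAS names from the example above. The names parse_conf, check_overrides and BLANK_ALIASES are hypothetical, and the sample configuration is constructed.

```python
import re

# FIELDALIAS names the page's example blanks per stanza when display_value = false.
CHANGE = ["assignment_group_name", "assigned_to_name", "user", "affect_dest", "change_state_name"]
BLANK_ALIASES = {
    "snow:incident": ["assignment_group_name", "incident_state_name", "affect_dest",
                      "assignment_user_name", "name"],
    "snow:change_request": CHANGE,
    "snow:change_task": CHANGE,
    "snow:problem": ["assignment_group_name", "assigned_to_name", "name", "affect_dest",
                     "problem_state_name"],
    "snow:em_event": ["severity_name"],
}

def parse_conf(text):
    """Minimal .conf reader (no line continuations): {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def check_overrides(service_now_conf, props_conf):
    """List mismatches; a missing display_value counts as "all" (the 3.0.0+ default)."""
    mode = parse_conf(service_now_conf).get("snow_default", {}).get("display_value", "all")
    props, findings = parse_conf(props_conf), []
    for stanza, aliases in BLANK_ALIASES.items():
        keys = props.get(stanza, {})
        if mode == "false" and not any(k.startswith("LOOKUP-") for k in keys):
            findings.append(f"{stanza}: no LOOKUP- statements")
        for alias in aliases:
            blanked = keys.get("FIELDALIAS-" + alias) == ""
            if mode == "false" and not blanked:
                findings.append(f"{stanza}: FIELDALIAS-{alias} is not blanked")
            elif mode != "false" and blanked:
                findings.append(f"{stanza}: FIELDALIAS-{alias} blanked while display_value={mode}")
    return findings

# Constructed sample: display_value reverted to false, only snow:em_event overridden.
SAMPLE_SERVICE_NOW = "[snow_default]\ndisplay_value=false\n"
SAMPLE_PROPS = ("[snow:em_event]\nLOOKUP-severity_name = severity_lookup severity AS severity "
                "OUTPUTNEW severity_name AS severity_name\nFIELDALIAS-severity_name =\n")
```

Run it against the local files on the search head (or the deployer bundle) before restarting; an empty list means the overrides match the configured display_value.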