Upgrade the Splunk Add-on for ServiceNow

Follow the steps to upgrade to the latest version of the Splunk Add-on for ServiceNow:

1. In Splunk Web, go to the Splunk Add-on for ServiceNow.

2. Click Upgrade and follow the installation steps in the Install topic of this manual.

3. In Splunk Web, go to the Splunk Add-on for ServiceNow.

4. On the add-on configuration page, go to Configuration > ServiceNow Account.

   1. Reconfigure your ServiceNow account. Select one of the following authentication mechanisms:

      • Set up basic authentication using Splunk Web

      • Set up OAuth 2.0 - Authorization Code Grant Type authentication using Splunk Web

      • Set up OAuth 2.0 - Client Credentials Grant Type authentication using Splunk Web

      See the Set up the Splunk Add-on for ServiceNow topic in this manual for more information.

   2. Set the Record Count setting to the best practice default value of 3000 (Optional).

   3. Click Update.

5. (Optional) If you are upgrading from version 3.1.0 or earlier, perform the following steps:

   1. In Splunk Web, go to the Inputs page of the Splunk Add-on for ServiceNow.

      The Inputs page contains a list of inputs that were configured before the upgrade. The Table to collect data from field contains the values for all 23 table names. At first, all preconfigured inputs have a warning symbol in the Account column that indicates a Missing Account configuration.

   2. Reconfigure each input:

      1. Select the correct ServiceNow account.

      2. (Optional) Edit the Interval field if required.

      3. Click Save.

      Note

      If you are upgrading from version 7.1.1 or earlier, see Migrating from CSV lookups to KV store lookups under Enable saved searches for the Splunk Add-on for ServiceNow section for detailed steps.

6. Enable the reconfigured inputs.

Edit the display values for the ServiceNow API

Versions 2.9.1 and earlier of the Splunk Add-on for ServiceNow used display_value = false and all display values were calculated from the lookups populated from the saved searches of the add-on.

Version 3.0.0 of the Splunk Add-on for ServiceNow changed the behavior of the add-on to use display_value = all by default. This option fetches richer data from the API, and display values of the fields are available in the API data itself.

Version 6.3.0 of the Splunk Add-on for ServiceNow deprecates support for events fetched through display_value = false (extractions and Common Information Model (CIM) mappings). Set display_value to all in your deployment going forward and revert the extractions in the props.conf accordingly.

If you need to revert to the previous behavior of collecting the display values using lookups, and not directly from the API (by setting the display_value to false), perform the following steps:

1. Enable the saved searches to generate the mapping lookups.

2. On your data collection node, open or create $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/service_now.conf.

3. Copy the snow_default stanza from default/service_now.conf, and add it to local/service_now.conf, if it does not already exist.

4. In the snow_default stanza in local/service_now.conf, update the display_value=all parameter to display_value=false.

5. Save the file.

6. Open or create a local/props.conf file.

   • If you use a single search head, open or create the file in $SPLUNK_HOME/etc/apps/Splunk_TA_snow/local/props.conf.

   • If you use a search head cluster, create the props.conf file in the configuration bundle on the deployer: $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_snow/local/props.conf.

7. Follow the instructions provided in the default/props.conf file under each affected stanza to create a set of FIELDALIAS statements, and then blank out a corresponding set of LOOKUP statements. For example:

   [snow:incident]
   # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
   LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
   LOOKUP-location = cmn_location_list_lookup sys_id AS location OUTPUTNEW latitude, longitude, full_name AS location_name
   LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW user_name AS assignment_user_username, name AS assignment_user_name
   LOOKUP-user2 = sys_user_list_lookup sys_id AS caller_id OUTPUTNEW user_name AS user, name AS name
   LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
   LOOKUP-incident_state = incident_state_lookup state OUTPUTNEW incident_state_name
   
   # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
   FIELDALIAS-assignment_group_name =
   FIELDALIAS-incident_state_name =
   FIELDALIAS-affect_dest =
   FIELDALIAS-assignment_user_name =
   FIELDALIAS-name =
   
   [snow:change_request]
   # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
   LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
   LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
   LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS user
   LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
   LOOKUP-change_state = change_state_lookup state OUTPUTNEW change_state_name
   
   # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
   FIELDALIAS-assignment_group_name =
   FIELDALIAS-assigned_to_name =
   FIELDALIAS-user =
   FIELDALIAS-affect_dest =
   FIELDALIAS-change_state_name =
   
   [snow:change_task]
   # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
   LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
   LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
   LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS user
   LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
   LOOKUP-change_state = change_state_lookup state OUTPUTNEW change_state_name
   
   # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
   FIELDALIAS-assignment_group_name =
   FIELDALIAS-assigned_to_name =
   FIELDALIAS-user =
   FIELDALIAS-affect_dest =
   FIELDALIAS-change_state_name =
   
   [snow:problem]
   # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
   LOOKUP-assignment_group = sys_user_group_list_lookup sys_id AS assignment_group OUTPUTNEW name AS assignment_group_name
   LOOKUP-user = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS assigned_to_name
   LOOKUP-user2 = sys_user_list_lookup sys_id AS assigned_to OUTPUTNEW name AS name, user_name AS user
   LOOKUP-affect_dest = cmdb_ci_list_lookup sys_id AS cmdb_ci OUTPUTNEW name AS affect_dest
   LOOKUP-problem_state = problem_state_lookup problem_state OUTPUTNEW problem_state_name
   
   # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-assignment_group_name = " without quotes
   FIELDALIAS-assignment_group_name =
   FIELDALIAS-assigned_to_name =
   FIELDALIAS-name =
   FIELDALIAS-affect_dest =
   FIELDALIAS-problem_state_name =
   
   [snow:em_event]
   # For display_value = false, add the following as it is in local/props.conf and uncomment under the corresponding stanza.
   LOOKUP-severity_name = severity_lookup severity AS severity OUTPUTNEW severity_name AS severity_name
   
   # For display_value = false, override the following with blank values in local/props.conf under the corresponding stanza. For example, "FIELDALIAS-severity_name = " without quotes
   FIELDALIAS-severity_name =
   

8. Save the file.

9. If you are running a search head cluster, push the configuration bundle to the cluster members by running the following command on the deployer: splunk apply shcluster-bundle. This restarts the search-head cluster members, if needed. If you are running a single search head, restart it manually.

10. Restart your data collection node.