Splunk and ServiceNow integration

Jake Adams
Tera Contributor

Hi,


I am integrating Splunk with ServiceNow Incident management. When the incident is Closed in ServiceNow, I want to close the alert in Splunk. How can I achieve this?


msd93
Kilo Sage

Hi @Jake Adams 

You may try ServiceNow's Outbound REST Web Service to send a request to Splunk when an incident is closed. Here are the steps:

1. Create an Outbound REST Message in ServiceNow:
  • Navigate to System Web Services > Outbound > REST Message.
  • Click New to create a new REST message.
  • Provide a name and endpoint for the REST message. The endpoint should be the URL of your Splunk instance.

2. Define HTTP Methods:
  • Click on the HTTP Methods related list and create a new record.
  • Choose the HTTP method (usually POST or PUT).
  • In the "Endpoint" field, append the specific API endpoint to the base URL defined in the REST message.

3. Define Headers and Parameters:
  • If required by your Splunk instance, define any necessary headers or parameters.

4. Create a Business Rule:
  • Navigate to System Definition > Business Rules.
  • Click New to create a new business rule.
  • Set the table to "Incident", and define the "When to run" conditions to run "After" an insert or update, and only when the incident state changes to "Closed".
  • In the "Advanced" tab, write a script to send the REST message when the conditions are met.

Here is a sample script for the business rule: 

(function executeRule(current, previous /*null when async*/) {
    // Create a REST Message record based on the one you created
    var r = new sn_ws.RESTMessageV2('Your REST Message', 'Your HTTP Method');

    // Set any parameters or headers
    // r.setStringParameterNoEscape('parameter', 'value');
    // r.setRequestHeader('header', 'value');

    // Send the REST Message and get the response
    var response = r.execute();
    var responseBody = response.getBody();
    var httpStatus = response.getStatusCode();

    // Log the response for debugging
    gs.info(responseBody);
})(current, previous);

5. Test the Integration:
  • Close an incident in ServiceNow and check if the corresponding alert is closed in Splunk.


Remember to replace 'Your REST Message' and 'Your HTTP Method' with the actual REST Message and HTTP Method you created. Also, you may need to set parameters or headers based on your Splunk instance's requirements.


Hope this helps you; if yes, please mark this response as correct and helpful.

Anand Kumar P
Giga Patron

Hi @Jake Adams ,


Step 1: Create an Outbound REST Message in ServiceNow

  • Go to "System Web Services" > "Outbound" > "REST Message" in your ServiceNow instance.
  • Click "New" to create a new REST message.
  • Give it a name and specify the endpoint. The endpoint should be the URL of your Splunk instance.

Step 2: Define HTTP Methods

  • In the new REST message, click on the "HTTP Methods" related list.
  • Create a new record and select the appropriate HTTP method (usually POST or PUT).
  • In the "Endpoint" field, add the specific API endpoint to the base URL defined in the REST message.

Step 3: Define Headers and Parameters

  • If your Splunk instance requires specific headers or parameters, define them in this step.

Step 4: Create a Business Rule

  • Go to "System Definition" > "Business Rules" in ServiceNow.
  • Create a new business rule.
  • Set the table to "Incident" and define when the rule should run, typically "After" an insert or update, and only when the incident state changes to "Closed."
  • In the "Advanced" tab of the business rule, write a script to send the REST message when the specified conditions are met.

Here's a sample script for the business rule:


(function executeRule(current, previous /*null when async*/) {
    // Create a REST Message record based on the one you created
    var r = new sn_ws.RESTMessageV2('Your REST Message', 'Your HTTP Method');

    // Set any parameters or headers if needed
    // r.setStringParameterNoEscape('parameter', 'value');
    // r.setRequestHeader('header', 'value');

    // Send the REST Message and get the response
    var response = r.execute();
    var responseBody = response.getBody();
    var httpStatus = response.getStatusCode();

    // Log the response for debugging
    gs.info(responseBody);
})(current, previous);

Step 5: Test the Integration

  • Close an incident in ServiceNow and verify whether the corresponding alert is also closed in Splunk.

Remember to replace 'Your REST Message' and 'Your HTTP Method' with the actual names you provided when creating the REST message. Additionally, adjust parameters and headers as required by your Splunk instance's API. This integration should trigger when incidents are closed in ServiceNow and send the necessary data to Splunk for further processing or monitoring.

Thanks,

Anand
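An added example, not code from either reply in this thread: a hardened form of the business-rule script that both answers sketch. The sample scripts fire on any "after update" of a closed incident and log the full response body; this version fires only on the transition into Closed (using `previous`), treats non-2xx responses as failures, and logs a one-line summary rather than the raw body, so nothing sensitive from the Splunk response lands in the system log. Assumptions: the out-of-box `incident.state` value `7` for Closed, the placeholder REST Message and HTTP Method names `'Splunk Alert Close'` / `'closeAlert'`, the JSON field names in the payload, and a stub that stands in for `sn_ws.RESTMessageV2` so the logic runs in plain Node.js.

```javascript
// Added example, not code from either reply above. A hardened form of the
// business-rule script from the two answers, written so its decision logic
// runs and can be tested in plain Node.js. In ServiceNow, sn_ws.RESTMessageV2
// and gs are platform globals; here they are injected so a stub can stand in.

// Default ServiceNow incident.state value for "Closed" (assumption: out-of-box
// choice list; check your instance if the states were customised).
var INCIDENT_STATE_CLOSED = '7';

// True only on the transition INTO Closed. An "after update" rule that checks
// state == Closed alone re-fires on every later edit of a closed record; using
// `previous` makes the Splunk call idempotent. `previous` is null when the rule
// runs async, so keep the rule synchronous ("After") for this guard to work.
function transitionedToClosed(current, previous) {
  var now = String(current.state);
  var before = previous ? String(previous.state) : '';
  return now === INCIDENT_STATE_CLOSED && before !== INCIDENT_STATE_CLOSED;
}

// Minimal JSON body. The field names are an assumption; match them to whatever
// the Splunk endpoint you configured expects.
function buildClosePayload(current) {
  return JSON.stringify({
    incident: String(current.number),
    correlation_id: String(current.correlation_id || ''),
    status: 'closed'
  });
}

// restFactory(name, method) returns a RESTMessageV2-like object; log has
// info()/error() like gs. Returns a summary instead of logging the raw
// response body, so tokens or Splunk internals never land in the system log.
function closeSplunkAlert(current, previous, restFactory, log) {
  if (!transitionedToClosed(current, previous)) {
    return { sent: false, ok: true, status: 0 };
  }
  // 'Splunk Alert Close' / 'closeAlert' are placeholder names for the REST
  // Message and HTTP Method records created in Steps 1 and 2.
  var r = restFactory('Splunk Alert Close', 'closeAlert');
  r.setRequestHeader('Content-Type', 'application/json');
  r.setRequestBody(buildClosePayload(current));
  var response = r.execute();
  var status = Number(response.getStatusCode());
  if (status < 200 || status >= 300) {
    log.error('Splunk alert close failed for ' + current.number + ': HTTP ' + status);
    return { sent: true, ok: false, status: status };
  }
  log.info('Splunk alert closed for ' + current.number);
  return { sent: true, ok: true, status: status };
}

// Stub standing in for sn_ws.RESTMessageV2 so the logic runs offline; it
// records the outgoing request and answers with a fixed status code.
function makeStubRestFactory(statusCode, calls) {
  return function (name, method) {
    var call = { message: name, method: method, headers: {}, body: '' };
    calls.push(call);
    return {
      setRequestHeader: function (k, v) { call.headers[k] = v; },
      setRequestBody: function (b) { call.body = b; },
      execute: function () {
        return {
          getStatusCode: function () { return statusCode; },
          getBody: function () { return '{"ok":' + (statusCode === 200) + '}'; }
        };
      }
    };
  };
}

// What the Business Rule's "Advanced" script reduces to on the platform
// (platform-only, not executed here; the functions above would live in a
// Script Include):
//
//   (function executeRule(current, previous /*null when async*/) {
//     closeSplunkAlert(current, previous,
//       function (n, m) { return new sn_ws.RESTMessageV2(n, m); }, gs);
//   })(current, previous);

// Stand-alone run with constructed sample records (not real incidents).
function demo() {
  var calls = [];
  var quiet = { info: function () {}, error: function () {} };
  var closed = { number: 'INC0010001', state: '7', correlation_id: 'splunk-alert-42' };
  var wasResolved = { number: 'INC0010001', state: '6' };
  // Resolved -> Closed: one request goes out.
  var first = closeSplunkAlert(closed, wasResolved, makeStubRestFactory(200, calls), quiet);
  // A later edit of the already-closed record: nothing is sent.
  var again = closeSplunkAlert(closed, closed, makeStubRestFactory(200, calls), quiet);
  return { first: first, again: again, requests: calls.length };
}

console.log(JSON.stringify(demo()));
```

On the platform, the outbound call should authenticate with a credential stored on the REST Message (basic auth profile or a token header set from a Credential record), not a literal in the script, and the business rule should stay synchronous so `previous` is populated.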