Info needed on Splunk Integration

madhuv
Tera Contributor

Hi Experts,

I need a few details on Splunk integration with ServiceNow.

1> Is a Splunk add-on required at Splunk to have the integration with ServiceNow?

2> Does a Splunk connector also need to be installed at ServiceNow?

There seem to be correlation rules applied at Splunk, and it's going to send filtered Incidents.

 

1 ACCEPTED SOLUTION

AJ-TechTrek
Giga Sage

Hi @madhuv ,

 

Question 1. Is a Splunk add-on required on the Splunk side for ServiceNow integration?

Yes – Required.
Splunk requires the “Splunk Add-on for ServiceNow” to enable integration. This add-on is responsible for:
* Sending alerts or incidents from Splunk to ServiceNow.
* Supporting bi-directional communication (create/update incidents in ServiceNow).
* Managing authentication (OAuth or basic auth).

Add-on name: Splunk Add-on for ServiceNow
Available on: Splunkbase

Note: You must configure the add-on with ServiceNow REST credentials and endpoint (e.g., api/now/table/incident).

Question 2. Is a Splunk Connector or App needed on the ServiceNow side?


No, not required OOB on ServiceNow.
There is no mandatory Splunk connector or application that must be installed on the ServiceNow side.
Instead, Splunk communicates with ServiceNow using the REST API interface (typically the incident table endpoint).


But optionally, you can:
* Create an Integration User in ServiceNow with roles like itil, rest_api_explorer, etc.
* Use Scripted REST APIs or Inbound REST APIs in ServiceNow (if you want more control/custom behavior).
* Define a REST Message on the Splunk side to push data to ServiceNow.

 

Integration Flow Overview:

 

A[Splunk with Add-on] -->|Filtered Alerts| B[Splunk Correlation Rules]
B --> C[REST API Call to ServiceNow]
C --> D[ServiceNow Incident Table]
* Correlation Rules filter and transform events.
* Filtered incidents are pushed using the add-on via REST.
* No additional install needed on the SNOW side.

 

Please appreciate the efforts of community contributors by marking the appropriate response as Helpful or as the Accepted Solution; this may help other community users follow the correct solution in future.
 

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
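
Added example, not part of the original answer or of the Splunk add-on: a sketch of the REST call the answer describes, building (but not sending) a POST to `api/now/table/incident` with basic auth from one alert result. The alert field names, the `PASS_THROUGH` allowlist, the `svc_splunk` user, the `example.service-now.com` host and the 160-character limit are assumptions made for illustration.

```python
import base64
import json
import urllib.request
from urllib.parse import urlparse

TABLE_PATH = "/api/now/table/incident"            # endpoint named in the answer
PASS_THROUGH = ("urgency", "impact", "category")  # assumption: fields an alert may set

# Constructed sample of one alert result; real field names depend on the search.
SAMPLE_ALERT = {
    "search_name": "Repeated failed logins",
    "sid": "constructed_sid_0001",
    "raw": "5 failed logins for user jdoe from 192.0.2.10",
    "urgency": 1,
    "assigned_to": "admin",   # not allowlisted, must never reach ServiceNow
}


def alert_to_incident(alert):
    """Map an alert to incident fields; keys outside the allowlist are dropped."""
    body = {k: str(alert[k]) for k in PASS_THROUGH if k in alert}
    # 160 is an assumed short_description length limit; adjust to the instance.
    body["short_description"] = ("[Splunk] " + alert["search_name"])[:160]
    body["description"] = alert.get("raw", "")
    # Stable key so a re-fired alert can be matched to the incident it already opened.
    body["correlation_id"] = "splunk:" + alert["sid"]
    return body


def build_request(instance_url, user, password, alert):
    """Return the POST request for the incident table without sending it."""
    parts = urlparse(instance_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("basic-auth credentials require an https instance URL")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{parts.hostname}{TABLE_PATH}",
        data=json.dumps(alert_to_incident(alert)).encode(),
        method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
    )


if __name__ == "__main__":
    req = build_request("https://example.service-now.com", "svc_splunk",
                        "placeholder-password", SAMPLE_ALERT)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Restricting the body to an allowlist keeps log-derived values from setting arbitrary incident columns, which matters because the integration user's roles decide what the table API will accept.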


4 REPLIES

Bhuvan
Tera Sage

@madhuv 

 

Which module are you trying to integrate?

If you are looking for Events & Incidents integration, you can find more details below, along with prerequisites and implementation steps:

 

https://store.servicenow.com/store/app/890cab2e1b246a50a85b16db234bcb17#summary

 

Thanks,

Bhuvan

Viraj Hudlikar
Giga Sage

Hello @madhuv 

 

1 -> Yes, an add-on is required on the Splunk side. The official Splunk Add-on for ServiceNow is a key component.

2 -> Yes, a corresponding application is needed on the ServiceNow side. This is typically the Splunk Integration application available from the ServiceNow Store.

 

The correlation rules you mentioned are defined in Splunk to filter and trigger the creation of Incidents and/or Events in ServiceNow.

If my response has helped you, hit the helpful button, and if your concern is solved, do mark my response as correct.

 

Thanks & Regards
Viraj Hudlikar.

@madhuv -

 

Thank you for marking my response as helpful! 😊

I hope your concern has been fully addressed. If it resolves your issue, please consider marking it as the accepted solution. This will ensure others in the community can benefit from the solution too.

As per the new community feature, you can mark multiple responses as correct.


Thanks & Regards
Viraj Hudlikar.
