ServiceNow Event Management
11-25-2025 07:33 AM
My question is as follows:
"If I am planning on adding ServiceNow Event Management, currently a Splunk ITSI organization, can I send an incident from Splunk ITSI into ServiceNow, and expect to utilize ServiceNow Event Management, Service Models and AI for further correlation and AI functionality, or do I need to send raw events into ServiceNow to get full utilization of ServiceNow? The current ITSI integration into ServiceNow appears to be geared towards sending Episodes that are already correlated with the intent to create incidents."
I asked a couple different AI LLMs but I would like to hear from a human that has expertise with the product.
Monday
Hello Brian,
As this question is highly complex, I will try to give a simple answer with some context beforehand.
Splunk ITSI in itself is an event management/correlation tool. It takes events (usually from Splunk) and correlates/manages them. The standard Splunk ITSI functionality will evaluate these events with the available data in mind and generate what is called an incident in the ServiceNow understanding.
ServiceNow event management takes events from monitoring systems and evaluates them with the available data in mind. This then also generates incidents. In short: Splunk ITSI and ServiceNow event management fill the same purpose. Depending on your main strategy, this will impact the resulting answer. The key question is:
Where do you want to manage the event management (AI, rule sets, relationships etc.)?
If you manage that in Splunk ITSI, then it is likely best to integrate to the ServiceNow incident management and treat resulting records as incidents.
If you want to do end-to-end event management on ServiceNow, you should move everything to ServiceNow and treat Splunk as "just" the event source.
If your event landscape is complex and you want to do both (Splunk ITSI & ServiceNow event management), you should look into doing Splunk stuff on Splunk (so the first way applies) and everything else consolidated on ServiceNow.
My recommendation: Move everything you want to manage on ServiceNow. This platform aims at being the central management platform, so using it as such would be my preferred way. That said, we also have customers who do it differently (and with success!).
Regards
Fabian
Monday
Thank you
