Splunk forwarding into ServiceNow's Event Management system
‎07-26-2022 08:40 AM
We are looking for anyone who has used Splunk as their central logging solution and is forwarding those logs into their Event Management system.
We are trying to work with Splunk, but they have only given us three solutions. One is using a heavy forwarder, but they did not explain how that works in line with the current system used for collecting, indexing and reporting. From my understanding a heavy forwarder is a full instance of Splunk Enterprise, but with limited capabilities. The other two were using an API with the cloud service and the ServiceNow integration, which we already have configured, but that only sends those events that are triggered by some logic in the Splunk system; this does not provide the data we want for the AIOps to ingest and grind to provide more insight on potential issues.
Our goal is just to forward all or a filtered subset of logs from the central Splunk system into our event management system so we don't have to go to every device and create a second forwarding path for all that data. I know from other logging solutions that forwarding logs is a very simple configuration; I just assumed it was the same with Splunk.
Any help will be greatly appreciated. Thank You!
Alex
Labels: Event Management, Multiple Versions
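An added configuration example (not from Alex's post, and not Splunk's or ServiceNow's documentation) of what the heavy-forwarder option looks like in Splunk's own .conf files: the heavy forwarder sits between the existing forwarders and the indexers, keeps the normal tcpout path to the indexers, and mirrors a regex-filtered subset of events to a syslog receiver in front of the event-management system. Host names, the receiver port, the sourcetypes and the severity regex are assumptions for illustration; the stanza and key names are Splunk's.

```ini
# --- outputs.conf on the heavy forwarder ---
# Existing path to the indexers stays as-is (hostnames are assumed).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997

# Additional syslog destination for the event-management receiver (hostname/port assumed).
# Splunk's syslog output is plain syslog over TCP or UDP, not TLS: keep the receiver on a
# trusted segment or tunnel the connection, and restrict the listener to this forwarder's IP.
[syslog:snow_event_mgmt]
server = snow-collector.example.internal:514
type = tcp

# --- props.conf on the heavy forwarder ---
# Attach the routing transform only to the sourcetypes worth mirroring (sourcetypes assumed).
[cisco:asa]
TRANSFORMS-route_to_snow = route_to_snow

[linux_secure]
TRANSFORMS-route_to_snow = route_to_snow

# --- transforms.conf on the heavy forwarder ---
# Only events whose raw text matches REGEX get the syslog destination added; everything else
# continues to the indexers alone. The severity keywords are an assumed filter, not a standard.
[route_to_snow]
REGEX = (?i)\b(error|crit|critical|alert|emerg|emergency)\b
DEST_KEY = _SYSLOG_ROUTING
FORMAT = snow_event_mgmt
```

This works on a heavy forwarder and not on a universal forwarder because the heavy forwarder parses events, which is what lets props/transforms inspect `_raw` and set `_SYSLOG_ROUTING`. After deploying, confirm the merged configuration with `splunk btool outputs list syslog --debug` and `splunk btool transforms list route_to_snow --debug`, then watch the receiver (or a packet capture on port 514) while generating a matching and a non-matching test event to verify that only the matching one is mirrored and that both still arrive at the indexers.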

‎07-26-2022 11:24 AM
Hi Alex,
You'd want to talk to your SN Account rep about Health Log Analytics (HLA) - which can bring in the logs that you are looking for from Splunk.
Thanks,
-Ryan
‎08-02-2022 05:49 AM
Alex, hi there. Did you use any tool to connect the two systems? We're using such a solution for our Splunk-ServiceNow integration configuration: ZigiOps. It allows us to tweak it in a way that fits our use case, to define the triggers, the mappings, etc. Check it out, just in case.