Possible to run splunk query from servicenow?

Venkatesh4
Tera Expert

Hi All,

Is there any possibility to run a Splunk query from the ServiceNow end and get the results in some related list or in the work notes section?

For example, below is the query we use on the Splunk end to view a specific event by adding the event id inside it.

`notable` | expandtoken rule_title,rule_description,drilldown_name,drilldown_search | table _time review_time rule_title urgency category owner_realname comment status_label event_id | search event_id=*youreventid* | convert ctime(review_time) | sort _time

We need to run a custom search from the ServiceNow end, and it needs to query Splunk and get us the result.

Can we run this query directly from ServiceNow and get the results?

Please advise.

Thanks


Fatih Karacaer
ServiceNow Employee

Hi,

It looks like you want to get some information regarding the notables created.

There are a few ways to achieve this.

1- Create a custom flow in Integration Hub and, via the REST API, send your request to Splunk and process the results as you wish. This gives you a lot of flexibility in what to do with the results.

2- If you have the Splunk ES integration plugin installed and configured already, put the query you mentioned above in a correlation search and create notables out of it in Splunk. With the Splunk Integration plugin, you can then configure SecOps to pull the results of this correlation search and store them in an SIR. You need to create an event profile which looks for the notables associated with the correlation search you created. How to create 

Normally the results of the correlation searches are also stored in the table sn_sec_splunkes_event_import. The results are in JSON format, so they are quite easy to parse. But these records have a retention period, which is also configurable in the integration configuration.

Kind regards,

Fatih.
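The following is an added example of the first option above (a REST call from ServiceNow to Splunk); it is not code from this thread, from ServiceNow or from Splunk. It assumes a placeholder Splunk management URL (SPLUNK_BASE_URL), a Splunk bearer token passed in by the caller, and a target SIR table name (SIR_TABLE); the helper names (validateEventId, buildSearch, buildJobParams, encodeForm, resultsToWorkNote, appendSplunkNotablesToWorkNotes) are all made up here. The query is the one from the question with the event id substituted in, but the id is validated first so that a value taken from a ticket field cannot alter the SPL, and Splunk's own error messages (returned with HTTP 200) are checked before rows are written to the work notes. The sample response body is constructed, not real Splunk output.

```javascript
// Added example (not from the thread, ServiceNow or Splunk). ES5 syntax so the same
// code runs in a ServiceNow Script Include (Rhino) and in Node for local testing.
var SPLUNK_BASE_URL = 'https://splunk.example.internal:8089'; // assumed placeholder
var SIR_TABLE = 'sn_si_incident';                            // assumed target table

// The question's SPL with a placeholder for the event id.
var NOTABLE_SPL_TEMPLATE =
  '`notable` | expandtoken rule_title,rule_description,drilldown_name,drilldown_search' +
  ' | table _time review_time rule_title urgency category owner_realname comment status_label event_id' +
  ' | search event_id="*%EVENT_ID%*" | convert ctime(review_time) | sort _time';

// Accept only the characters an ES notable event_id uses; quotes, pipes and
// whitespace are rejected so a ticket field cannot change the search logic.
function validateEventId(eventId) {
  return typeof eventId === 'string' && /^[A-Za-z0-9._@-]{1,200}$/.test(eventId);
}

// The Splunk search bar implicitly prepends "search"; the REST endpoint does not,
// so it is added here when the SPL does not already start with a command.
function buildSearch(eventId) {
  if (!validateEventId(eventId)) {
    throw new Error('Rejected event_id: ' + eventId);
  }
  var spl = NOTABLE_SPL_TEMPLATE.replace('%EVENT_ID%', eventId);
  if (!/^\s*(\||search\s)/.test(spl)) {
    spl = 'search ' + spl;
  }
  return spl;
}

// Form fields for POST /services/search/jobs: a blocking one-shot search that
// returns the JSON results directly instead of a job id to poll.
function buildJobParams(spl, earliest) {
  return { search: spl, exec_mode: 'oneshot', output_mode: 'json',
           earliest_time: earliest || '-30d', latest_time: 'now' };
}

function encodeForm(params) {
  return Object.keys(params).map(function (k) {
    return encodeURIComponent(k) + '=' + encodeURIComponent(params[k]);
  }).join('&');
}

// Turn the one-shot JSON body into work-note lines. Splunk reports search problems
// in "messages" alongside a 200 status, so those are checked before rows are read.
function resultsToWorkNote(body) {
  var parsed = JSON.parse(body);
  var msgs = parsed.messages || [];
  for (var i = 0; i < msgs.length; i++) {
    if (msgs[i].type === 'ERROR' || msgs[i].type === 'FATAL') {
      throw new Error('Splunk search failed: ' + msgs[i].text);
    }
  }
  var rows = parsed.results || [];
  if (rows.length === 0) {
    return 'No notable events matched.';
  }
  return rows.map(function (r) {
    return '[' + r._time + '] ' + r.rule_title + ' | urgency=' + r.urgency +
      ' | status=' + r.status_label + ' | owner=' + r.owner_realname +
      ' | review_time=' + r.review_time;
  }).join('\n');
}

// ServiceNow side: run the search and append the result to the SIR work notes.
// Only callable inside ServiceNow, where sn_ws and GlideRecord exist.
function appendSplunkNotablesToWorkNotes(sirSysId, eventId, splunkToken) {
  if (typeof sn_ws === 'undefined' || typeof GlideRecord === 'undefined') {
    throw new Error('appendSplunkNotablesToWorkNotes must run inside ServiceNow');
  }
  var req = new sn_ws.RESTMessageV2();
  req.setEndpoint(SPLUNK_BASE_URL + '/services/search/jobs');
  req.setHttpMethod('POST');
  req.setRequestHeader('Authorization', 'Bearer ' + splunkToken); // token from a credential record, not script text
  req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  req.setRequestBody(encodeForm(buildJobParams(buildSearch(eventId))));
  var resp = req.execute();
  if (resp.getStatusCode() !== 200) {
    throw new Error('Splunk returned HTTP ' + resp.getStatusCode());
  }
  var note = resultsToWorkNote(resp.getBody());
  var gr = new GlideRecord(SIR_TABLE);
  if (gr.get(sirSysId)) {
    gr.work_notes = 'Splunk notable lookup for ' + eventId + ':\n' + note;
    gr.update();
  }
  return note;
}

// Constructed sample of a one-shot response body (not real Splunk data).
var SAMPLE_SPLUNK_BODY = JSON.stringify({
  preview: false, init_offset: 0, messages: [],
  results: [
    { _time: '2024-03-01T10:15:00.000+00:00', review_time: '03/01/2024 10:20:00',
      rule_title: 'Brute Force Access Behavior Detected', urgency: 'high', category: 'access',
      owner_realname: 'SOC Analyst', comment: 'Investigating', status_label: 'In Progress',
      event_id: 'ABC123@@notable@@deadbeef' },
    { _time: '2024-03-01T11:02:00.000+00:00', review_time: '03/01/2024 11:05:00',
      rule_title: 'Brute Force Access Behavior Detected', urgency: 'high', category: 'access',
      owner_realname: 'SOC Analyst', comment: 'Closed as false positive', status_label: 'Closed',
      event_id: 'ABC123@@notable@@deadbeef' }
  ]
});
```

In a Flow Designer action or Script Include, only appendSplunkNotablesToWorkNotes would be called; the other functions are pure so they can be checked outside ServiceNow with resultsToWorkNote(SAMPLE_SPLUNK_BODY). The Splunk account behind the token should be limited to read access on the notable index and to the search capability, since the query text still travels to Splunk and a scoped account bounds what a malformed request can reach.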