Splunk Add-on for ServiceNow config

Pat Slattery
Mega Expert

Morning! 

I know that this is probably more of a Splunk-side configuration issue, so I have posted to their forum as well, but I wanted to see if anyone has any experience with this setup.

I am getting an error when trying to set up the Splunk add-on configuration.

When trying to connect the "Splunk Add-on for ServiceNow" I am not able to connect to the ServiceNow instance.

ERROR: "unable to reach server at XXX. Check configurations and network settings."

Screen shot attached 

An account has been configured in ServiceNow with the following roles:
import_transformer, rest_api_explorer, sn_sec_splunk_v2.api_account_access, sn_si.analyst, sn_si.integration_user, soap
URL is the base URL of the instance that I am trying to connect to.
Password has been verified and reset to ensure its accuracy.

Any assistance would be greatly appreciated!

 

 

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey Pat,

By chance, is the Splunk Add-on that you are configuring listed in Splunkbase as:
- https://splunkbase.splunk.com/app/1928/

This Splunk Add-on (Splunk Add-on for ServiceNow) is not quite related to the Splunk + ServiceNow Security Operations integration.

For the Splunk + ServiceNow Security Operations integration, there are two approaches:

1.  Latest integration available from the ServiceNow Store

  - This integration is the newest flavor, and will poll Splunk for certain alerts, to generate Security Incidents 
  - This handles automatically creating Security Incidents based on alerts firing in Splunk
  - If you need the capability of navigating to an Event in Splunk, and clicking a `Workflow Action` to manually create an SIR, there is a separate integration for that 
  - https://store.servicenow.com/sn_appstore_store.do#!/store/application/da9efe66733213004b24e93a4cf6a709/5.0.2?referer=sn_appstore_store.do%23!%2Fstore%2Fsearch%3Fq%3Dsplunk


2.  The older legacy integration available from Splunkbase

   - This method allows you to configure Adaptive Response Actions (automated) or Workflow Actions (manual), to generate Security Incidents
   - This does not have some of the new cool features of Option 1 above (e.g. visual field mapping, etc.)
   - https://splunkbase.splunk.com/app/3921/

I'd explore Option 1 here (the latest Splunk SecOps integration available from the SN Store) if your use-case is to integrate Splunk w/ ServiceNow SecOps (Security Incident Response).

Hope this helps.


3 REPLIES

Adam Horwitz
ServiceNow Employee

Hi Pat,

This sounds like a network connectivity issue. Can you access this URL and log in with the credentials you've set up from outside your network? Like from home on a personal computer so you know there isn't an automatic VPN in play.

As mentioned by the other poster, this forum is for our purpose-built Security Operations solution (https://www.servicenow.com/products/security-operations.html). Specifically the Security Incident Response app. If you're using this app, search the store.servicenow.com with the filter on the left-hand side set for "Security Operations" and search term Splunk to find the correct app and instructions.

If you're trying to use Splunk with our ITSM solution which is not purpose-built for security incidents, please post in the ITSM forum.

Adam
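The connectivity check suggested in the reply above can also be run from the Splunk host itself, so that "unable to reach server" is narrowed to DNS, TCP, TLS, credentials or roles. This is an added example, not part of the thread and not code from the add-on; the probe table `sys_user` and the function names are assumptions.

```python
import base64, socket, ssl, urllib.error, urllib.request
from urllib.parse import urlsplit

# Assumption: sys_user is readable by the account; any readable table works.
PROBE_PATH = "/api/now/table/sys_user?sysparm_limit=1&sysparm_fields=sys_id"

def classify_status(code):
    """Map the probe's HTTP status to what it says about the account."""
    if 200 <= code < 300:
        return "ok"
    if code == 401:
        return "auth"    # instance reached, credentials rejected
    if code == 403:
        return "authz"   # authenticated, but a role/ACL blocks the table
    return "http"        # a server answered, but not as expected

def check_instance(base_url, user, password, timeout=5.0):
    """Return (stage, detail) for the first failing stage, or ("ok", ...)."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        return "url", "expected https://<instance host>"
    host, port = parts.hostname, parts.port or 443
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)      # firewall, routing, closed port
    try:
        with raw, ssl.create_default_context().wrap_socket(raw, server_hostname=host):
            pass                    # handshake and certificate check only
    except OSError as exc:          # ssl.SSLError is a subclass of OSError
        return "tls", str(exc)      # e.g. TLS-inspecting proxy, untrusted CA
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}:{port}{PROBE_PATH}",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            code = resp.status
    except urllib.error.HTTPError as exc:
        code = exc.code
    except OSError as exc:
        return "http", str(exc)
    return classify_status(code), f"HTTP {code}"

if __name__ == "__main__":
    import getpass, sys  # usage: script.py https://<instance> <user>
    print(check_instance(sys.argv[1], sys.argv[2], getpass.getpass()))
```

The DNS, TCP and TLS stages connect directly, so a host that can only reach the instance through a proxy will stop at `tcp` even if the add-on's proxy settings are correct.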

Developer3
Tera Expert

Hi,

We are also getting the same error. Could you please let me know how you fixed this issue?

We do not need security incidents in ServiceNow. So, my Splunk team has installed this add-on: https://splunkbase.splunk.com/app/1928/