Splunk Integration Architecture Diagram

jzayicek
Kilo Contributor

Is there a standard architecture document for the Splunk to ServiceNow integration? We know that there is a MID Server required along with the plugin, but is there anything else needed? The customer is asking for an architecture diagram, but I have not been able to locate one.

Thanks

3 REPLIES

qcj3
Kilo Guru

You need to qualify how you want to integrate with Splunk. There are two out-of-the-box integrations (Sighting Search and SIR/Event Creation). Sighting Search is ServiceNow initiated, while SIR/Event creation is Splunk driven. If the client wants to have Splunk create SIRs or Events, then a MID server is not needed; it is a direct API call to ServiceNow. The MID server is needed for Sighting Searches.
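To make the Splunk-driven direction concrete, here is an added example (not code from this thread, from the ServiceNow SecOps Add-on for Splunk, or from ServiceNow) of what "a direct API call to ServiceNow" looks like: an alert leaves Splunk and is POSTed straight to the ServiceNow REST Table API, with no MID Server in the path. The `/api/now/table/{table}` endpoint and the `em_event` field names are standard ServiceNow; the shape of the Splunk alert, the urgency-to-severity mapping, and the `splunk_integration` account name are assumptions constructed for this example.

```python
"""Constructed example of a Splunk-side alert action posting an event directly
to the ServiceNow Table API (em_event). No MID Server is involved: the only
network requirement is outbound HTTPS from Splunk to the instance. The alert
shape and severity mapping below are assumptions, not the add-on's own."""
import base64
import json
import os
import urllib.request

# Constructed sample of what a Splunk alert action might hand over.
SAMPLE_SPLUNK_ALERT = {
    "search_name": "Brute Force Access Behavior Detected",
    "host": "vpn-gw-01",
    "sourcetype": "pan:traffic",
    "urgency": "high",
    "result": {"src_ip": "192.0.2.10", "user": "jdoe", "failures": "57"},
    "_time": "2023-04-11T09:15:00Z",
}

# Assumed mapping from Splunk urgency to em_event.severity (1 = critical ... 5 = info).
URGENCY_TO_SEVERITY = {"critical": 1, "high": 2, "medium": 3, "low": 4, "informational": 5}


def build_event_payload(alert: dict) -> dict:
    """Map a Splunk alert into the em_event record ServiceNow Event Management expects."""
    urgency = alert.get("urgency", "informational").lower()
    return {
        "source": "Splunk",
        "node": alert["host"],
        "type": alert["search_name"],
        "resource": alert.get("sourcetype", ""),
        "severity": URGENCY_TO_SEVERITY.get(urgency, 5),
        "description": f"{alert['search_name']} on {alert['host']}",
        "time_of_event": alert["_time"],
        # message_key lets Event Management de-duplicate repeat firings of the
        # same alert on the same node instead of flooding the event queue.
        "message_key": f"splunk:{alert['search_name']}:{alert['host']}",
        "additional_info": json.dumps(alert.get("result", {})),
    }


def build_request(instance: str, payload: dict, user: str, password: str) -> urllib.request.Request:
    """Assemble the authenticated POST; HTTPS only, credentials supplied by the caller."""
    if not instance.startswith("https://"):
        raise ValueError("ServiceNow instance URL must use https://")
    url = f"{instance.rstrip('/')}/api/now/table/em_event"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        },
    )


def send_event(req: urllib.request.Request) -> dict:
    """Perform the call and return the created record (the 'result' object)."""
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read())["result"]


if __name__ == "__main__":
    # Credentials come from the environment. The integration account should be a
    # dedicated user holding only the evt_mgmt_integration role, nothing broader.
    req = build_request(
        os.environ.get("SN_INSTANCE", "https://example.service-now.com"),
        build_event_payload(SAMPLE_SPLUNK_ALERT),
        os.environ.get("SN_USER", "splunk_integration"),
        os.environ.get("SN_PASSWORD", "<placeholder>"),
    )
    print(req.full_url)
    print(json.dumps(build_event_payload(SAMPLE_SPLUNK_ALERT), indent=2))
    if os.environ.get("SN_SEND") == "1":  # dry run unless explicitly enabled
        print(send_event(req))
```

For an architecture diagram, the point this illustrates is the direction of the connection: Splunk-driven creation needs only outbound HTTPS from Splunk to the instance and an integration account with the minimum role, whereas Sighting Search is initiated by the instance and therefore needs a MID Server inside the customer network to reach Splunk.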

jzayicek
Kilo Contributor

We are looking at the SIR/Event Creation in SecOps right now but will be looking at the Sighting Search in the next few weeks. Do you have instructions on both how it works with the MID Server and with the API call?

andy_ojha
ServiceNow Employee

Here's a really high-level overview of the Splunk and ServiceNow integration, leveraging:

  1. The ServiceNow SecOps Add-on for Splunk, to create Security Incidents / Events in SN
  2. ServiceNow Sighting Search capability, to trigger search queries on Splunk from SN
