Splunk Integration Architecture Diagram

jzayicek
Kilo Contributor

‎01-30-2019 11:28 AM

Is there a standard architecture document for Splunk to ServiceNow integration. We know that there is a MID Server Required along with the plugin but is there anything else needed?  Customer is asking for an architecture diagram but I have not been able to locate one.  

 

Thanks

 

Labels:
0 Helpfuls
  • 1,800 Views
3 REPLIES 3

qcj3
Kilo Guru

‎01-30-2019 12:32 PM

You need to qualify how you want to integrate with Splunk.  There are two out of the box integrations. (Sighting Search and SIR/Event Creation) Sighting Search is ServiceNow initiated while the SIR\Event creation is Splunk driven.  If the client wants to have Splunk create SIRs or Events then a MID server is not needed. It is a direct API call to ServiceNow.  The MID server is needed for Sighting Searches.

0 Helpfuls

jzayicek
Kilo Contributor
In response to qcj3

‎01-31-2019 05:17 PM

We are looking at the SIR/Event Creation in SecOps right now but will be looking at the Sighting Search in the next few weeks.  Do you have instructions on both how it works with the MID Server and with the API call?

0 Helpfuls

andy_ojha
ServiceNow Employee
ServiceNow Employee

‎01-31-2019 08:24 PM

Here's a really high-level overview of the Splunk and ServiceNow integration, leveraging:

  1. The ServiceNow SecOps Add-on for Splunk, to create Security Incidents / Events in SN
  2. ServiceNow Sighting Search capability, to trigger search queries on Splunk from SN

 

find_real_file.png

Preview file
231 KB
0 Helpfuls