Splunk integration plugin to create Security Incidents vs. just using Event Management
‎09-12-2023 09:21 AM - edited ‎09-12-2023 09:22 AM
Hi, team, a large customer is challenging me on the technical and business benefits of the Splunk plugin vs. just using event management to create security incidents. Anyone have any concrete evidence that the plugin is "better?"
‎09-12-2023 09:56 AM
Hey Nancy - some thoughts to consider:
- There is no off-the-shelf app or tie-in for Splunk (Searching + Reporting, nor Enterprise Security) -> NOW EM -> SIR … a bunch of work and plumbing needs to be done to get this off the ground (the vehicle to actually get the alert data into ServiceNow from Splunk)
- ServiceNow already built the Alert Ingestion framework to scrape / poll and digest security alert data to create Security Incidents and corresponding enrichment with – this framework is used as the plumbing for all major security integrations (e.g. Q-Radar, LogRhythm, Splunk, MS Sentinel, etc.) to create Security Incidents
- The field mapping flexibility with the NOW Alert Ingestion framework is very user friendly – trying to do the field mapping with EM -> SIR will not be as simple for someone to maintain over time
- Creating the additional enrichment bits associated to the SIR – is shipped baseline for both creating Observables AND automatically extracting MITRE ATT&CK TTPs included in the alerts sent over from Splunk (notables in ES, or triggered alerts in Searching + Reporting) – effort would be needed to create that with the EM -> SIR approach
- The NOW Alert ingestion (Store App Method) supports both -> automated collection and SIR creation along with a manual button approach – that often helps as alerts are being tuned in Splunk, (crawl, walk, run) – the EM -> SIR probably could be wired up to do the manual approach but again effort needed to recreate what already exists (the Splunk Alert Action button)
- The Alert Ingestion method (Store App) has been out for some time – is readily being used, maintained and enhanced – it’s supported if an issue occurs (there is someone to call) – not sure how the EM -> SIR approach with Splunk would compare as some elements of that would technically be custom and there might be issues with supportability over time (cost of ownership, technical debt, etc.)
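To make concrete what the "enrichment bits" in the reply above amount to, here is an added illustration (not ServiceNow's or Splunk's code) of the minimum plumbing an EM -> SIR route would have to reproduce: take one alert, pull out MITRE ATT&CK technique IDs and observables, and map urgency to a priority. The alert fields, the urgency-to-priority table and the payload keys are assumptions for the example, not either product's schema.

```python
import re

# Constructed sample of a Splunk ES notable as an alert action might deliver it.
# The field names are an assumption for this example, not Splunk's or ServiceNow's schema.
SAMPLE_ALERT = {
    "search_name": "Threat - Suspicious PowerShell - Rule",
    "urgency": "high",
    "src": "10.20.30.40",
    "dest": "workstation-17.corp.example",
    "annotations.mitre_attack": "T1059.001, T1027",
    "description": ("Encoded PowerShell launched; beacon to evil.example via "
                    "203.0.113.9, payload md5 44d88612fea8a8f36de82e1278abb02f"),
}

# One pattern per observable type; MITRE technique IDs are T#### with an optional .### sub-technique.
PATTERNS = {
    "mitre_technique": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Assumed urgency-to-priority mapping; a real integration keeps this in a configurable table.
URGENCY_TO_PRIORITY = {"critical": 1, "high": 2, "medium": 3, "low": 4}


def extract(alert, kind):
    """Return de-duplicated matches of one pattern across every field value, in first-seen order."""
    seen = []
    for value in alert.values():
        for match in PATTERNS[kind].findall(str(value)):
            if match not in seen:
                seen.append(match)
    return seen


def build_security_incident(alert):
    """Map a raw alert to a Security Incident payload with observables and ATT&CK TTPs attached."""
    observables = [
        {"type": kind, "value": value}
        for kind in ("ip_address", "md5", "domain")
        for value in extract(alert, kind)
    ]
    return {
        "short_description": alert.get("search_name", "Splunk alert"),
        "priority": URGENCY_TO_PRIORITY.get(str(alert.get("urgency", "")).lower(), 4),
        "mitre_techniques": extract(alert, "mitre_technique"),
        "observables": observables,
    }
```

Every field-mapping rule, regex and priority table here becomes custom code to own and maintain in the EM -> SIR route, which is the cost-of-ownership point the reply makes.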