Why all the notables created in Splunk are not created as security incidents in ServiceNow

sath
Tera Expert

Hello,

Splunk has created 1900 notables whereas only 950 security incidents were created in ServiceNow. What could be the reason for all the notables not getting created on SIR, is there any rate limit?

1 ACCEPTED SOLUTION

nessimm
Tera Expert

Yes, there is an OOTB 1000 incidents limit per day. Navigate to Splunk Integration > Splunk Integration Settings and update the "Maximum number of Security Incidents to be created in one day."



ScottW1
Tera Contributor

There could be a number of things going on here. 

Do you have a ServiceNow Splunk profile for each notable domain that you are expecting from Splunk?

Do you have any filter conditions and/or aggregation conditions enabled within the ServiceNow Splunk Profiles? These configurations can reduce the overall number of events, since they filter and/or aggregate the incoming alerts based on the specified criteria.

If you can, it might be a good idea to narrow the scope a bit and see if there is a specific alert type that is being omitted. You can then check the profile to see if it's configured with a filter or aggregation configuration as shown below.



In ServiceNow you can take a look at the Splunk Event Import to see all incoming notables and you can look at the Splunk Event to task to see the mapping to the individual SIR. 

Scott 


Thank you. I looked at the Splunk Event Import table and noticed that those missing records were ignored with this comment: 'Row transform ignored by onBefore script'.

Looks like the maximum cap of the records is set to 1000 on SplunkESFieldMapCoalesce script include.




Is it the best practice to increase the limit on number of records?
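Added example, not code from this thread or from the ServiceNow Splunk integration: a plain-JavaScript model of the daily cap behaviour described above (rows past the per-day maximum are ignored with the comment seen in the Splunk Event Import table), plus a per-day report so that silently dropped notables become visible instead of being discovered by comparing totals. Field names (`sysCreatedOn`, `state`, `comment`, `ruleName`), the state values `inserted`/`ignored`, and the sample rows are assumptions for the model, not the real table schema.

```javascript
// Comment the thread reports on ignored Splunk Event Import rows.
const IGNORED_COMMENT = 'Row transform ignored by onBefore script';

// Model of the daily cap: rows are processed in arrival order and, once
// maxPerDay rows have been inserted for a calendar day, the rest of that
// day's rows are ignored (what an onBefore transform script setting
// ignore = true would produce). Field/state names are assumed for the model.
function applyDailyCap(rows, maxPerDay) {
  const insertedPerDay = {};
  return rows.map(row => {
    const day = row.sysCreatedOn.slice(0, 10); // YYYY-MM-DD
    const n = insertedPerDay[day] || 0;
    if (n >= maxPerDay) {
      return Object.assign({}, row, { state: 'ignored', comment: IGNORED_COMMENT });
    }
    insertedPerDay[day] = n + 1;
    return Object.assign({}, row, { state: 'inserted', comment: '' });
  });
}

// Detection check over import rows: count, per day, how many notables became
// incidents and how many were dropped by the cap. A non-zero droppedByCap
// means detections never reached SIR for that day.
function capDropReport(importRows) {
  const report = {};
  for (const r of importRows) {
    const day = r.sysCreatedOn.slice(0, 10);
    if (!report[day]) report[day] = { inserted: 0, droppedByCap: 0 };
    if (r.comment === IGNORED_COMMENT) report[day].droppedByCap += 1;
    else if (r.state === 'inserted') report[day].inserted += 1;
  }
  return report;
}

// Days on which the cap dropped at least one notable (sorted for stable output).
function capHitDays(report) {
  return Object.keys(report).filter(d => report[d].droppedByCap > 0).sort();
}

// Constructed sample rows: `count` notables on `day`, one per hour.
function makeRows(count, day) {
  return Array.from({ length: count }, (_, i) => ({
    ruleName: 'Hypothetical correlation search ' + i,
    sysCreatedOn: day + 'T' + String(i).padStart(2, '0') + ':00:00',
  }));
}
```

Run `capDropReport` over the real import rows (same fields, real comment text) and treat any day listed by `capHitDays` as a gap in incident coverage, whatever the configured maximum is.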
