Splunk ES Integration for Security Operations release notes

  • Release version: Store
  • Updated June 11, 2026
    Summarized using AI

    Summary of Splunk ES Integration for Security Operations release notes

    The Splunk ES Integration for Security Operations within ServiceNow enables Security Operations Center (SOC) analysts to automatically generate Security Incident Response (SIR) incidents from configured Splunk Enterprise Security (ES) Notable Events. Analysts can also manually forward events from the Splunk ES console. The integration supports automated incident response workflows using the ServiceNow AI Platform to enhance security incident management and remediation.


    For system requirements and compatibility details, customers should refer to the application listing on the ServiceNow Store.

    Key Features and Enhancements

    • Automated and Manual Incident Creation: Auto-generation of SIR incidents from notable events and manual forwarding capabilities from Splunk ES console.
    • Role-Based Profile Management: Introduction of the "sn_si.ingestion_profile_admin" role to manage ingestion profiles securely.
    • CMDB Integration Improvements: Graceful handling of missing Configuration Items (CIs) by categorizing them as "Unmatched CI."
    • New Correlation Rules: Automatic periodic import of new Splunk ES correlation rules via system properties.
    • Support for Encrypted Fields: Added Key Management Framework (KMF) support for encrypted fields such as secure notes.
    • Strict Read-Only Enforcement: Upgrade of dictionary-level read-only fields to strict enforcement across user interfaces, scripts, and integrations for enhanced security.
    • Bidirectional Synchronization: Synchronization of Work Notes and Comments between Splunk ES and ServiceNow, including bidirectional updates and closure of incidents.

    Fixes and Performance Improvements

    • Resolved UI and backend logic issues for sample type distinction and correlation rule name lookups in multi-rule profiles.
    • Fixed ingestion issues for updated notables supporting Splunk ES version 8.0.x and newer.
    • Addressed bugs causing memory contention and node restarts in the Splunk ES process sending events to SIR jobs, improving stability and performance.
    • Corrected token restoration bugs that caused malformed inputs when ingesting event data.
    • Improved handling of multiple field translations and aggregation logic, especially under domain separation scenarios.
    • Enhanced event ingestion robustness to prevent failures due to problematic raw data records.
    • Fixed access issues related to Security Analyst roles querying tables and profile administration roles.

    What Customers Can Expect

    ServiceNow customers leveraging the Splunk ES Integration for Security Operations can expect a more secure, stable, and efficient integration that automates incident creation and management from Splunk ES notable events. Enhanced role management, improved data handling, and performance optimizations reduce operational overhead and improve SOC responsiveness. The integration supports encrypted data, strict security controls, and synchronization features that help maintain accurate and actionable security incident records within ServiceNow.

    Version history for the Splunk ES Integration for Security Operations application on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 12.5.1 - June 2026
    • Fixed:
      • Refactored the UI macros and backend logic to correctly distinguish between sample types, removed unreachable dead code, and fixed correlation rule name lookup for multi-rule profiles.
      • Access issues for Security Analyst while querying tables.
    Version 12.5.0 - April 2026
    • New:
      • Handling missing CMDB CIs gracefully by attaching them as Unmatched CI.
      • New correlation rules in Splunk ES are automatically imported periodically, based on a system property.
    • Fixed:
      • Provided a fix for ingestion of updated notables that supports Splunk ES version 8.0.x and later.
      • Added KMF support for encrypted fields like secure notes mapping.
    Version 12.4.0 - December 2025
    New: Upgraded all dictionary-level read-only fields to Strict Read-Only to enhance security and prevent unauthorized changes. This update ensures the server consistently enforces read-only behaviour across all UIs, scripts, and integrations.
    Version 12.3.0 - November 2025
    • Fixed:
      • A new Splunk upgrade failed XML parsing and blocked SIR creation.
      • Existing field translations could not be edited.
    Version 12.2.2 - October 2025
    • Fixed:
      • Token restoration bug in SplunkESEventIngestionQueryAbstract._buildInputValue corrupted literal values that look like $$ tokens (e.g., $DOVERIE01$), leaving ____ placeholders and producing malformed input.
      • SplunkES LockTable should require the profile admin role instead of the admin role.
      • Aggregation bug in case of domain separation.
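The masking-and-restore pattern behind the 12.2.2 token fix, as an added JavaScript illustration that is not the integration's own code: the template/token design and the names maskLiteral, restoreLiteral, resolveTokens and buildInputValue are assumptions. It shows how a literal that looks like a token, such as $DOVERIE01$, survives token resolution when each masked segment gets its own indexed placeholder and any placeholder left behind is treated as an error rather than emitted.

```javascript
// Added illustration (not ServiceNow's or Splunk's code). Assumed design: a query template
// carries $name$ tokens resolved from a map, and a caller-supplied literal spliced into it
// must survive untouched even when it looks like a token (e.g. a host named $DOVERIE01$).

const TOKEN_RE = /\$[A-Za-z0-9_]+\$/g;
const PLACEHOLDER_RE = /\u0000LIT(\d+)\u0000/g;

// Mask each token-looking segment of the literal with an indexed placeholder so that
// restoration matches every placeholder to exactly one saved segment, never by order alone.
function maskLiteral(literal) {
  const saved = [];
  const masked = literal.replace(TOKEN_RE, (seg) => {
    saved.push(seg);
    return `\u0000LIT${saved.length - 1}\u0000`; // NUL-delimited: cannot collide with "____"
  });
  return { masked, saved };
}

// Restore only the placeholders this call inserted; everything else is left as data.
function restoreLiteral(text, saved) {
  return text.replace(PLACEHOLDER_RE, (_, i) => saved[Number(i)]);
}

// Resolve $name$ tokens against the map; unknown tokens are dropped (assumed policy).
function resolveTokens(text, tokens) {
  return text.replace(TOKEN_RE, (tok) => {
    const name = tok.slice(1, -1);
    return Object.prototype.hasOwnProperty.call(tokens, name) ? String(tokens[name]) : '';
  });
}

// Build the input value: mask the literal, splice it in (function replacer, so "$" sequences
// in the literal are not interpreted), resolve tokens, then restore the literal's segments.
// A placeholder that survives restoration is the symptom the release note describes, so it
// is reported as an error instead of being emitted as malformed input.
function buildInputValue(template, tokens, literal) {
  const { masked, saved } = maskLiteral(literal);
  const resolved = resolveTokens(template.replace('{literal}', () => masked), tokens);
  const out = restoreLiteral(resolved, saved);
  if (/\u0000LIT\d+\u0000/.test(out)) throw new Error('unrestored placeholder in built value');
  return out;
}
```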
    Version 12.2.1 - September 2025
    Fixed: Splunk ES multiple update now works in iterative mode. A fix was added to clean up stale records in internal tables.
    Version 12.2.0 - August 2025
    • New:
      • Users with the "sn_si.ingestion_profile_admin" role can now manage ingestion profiles on the Splunk ES Integration.
      • Update field values for notable events in Splunk ES.
      • Ability to Aggregate SIR Security Incidents using the "State" field.
      • Work Notes and Comments Synchronization for Splunk ES.
      • Splunk ES Bidirectional Updates or Closure.
    • Fixed:
      • Aggregation did not work with the OR operator when the first field was empty.
      • A user was able to create multiple field translations for an attribute; observed in the domain separation case.
    Version 12.1.10 - July 2025
    • Fixed:
      • Issue: The Splunk Enterprise Security (ES) process responsible for sending events to the Security Incident Response (SIR) job was causing memory contention on nodes, resulting in unexpected node restarts.
      • Improvement: Performance optimizations were implemented in Splunk ES, effectively resolving the memory contention issue and preventing further node restarts.
    Version 12.1.9 - June 2025
    • Fixed:
      • Bug: The Splunk ES process for sending events to the Security Incident Response (SIR) job was causing memory contention on nodes, leading to node restarts.
      • Improvement: Performance improvements were implemented for Splunk ES, which resolved the memory contention issue on nodes.
    Version 12.1.6 - May 2025
    • Fixed:
      • The following bugs as part of this release:
        • Supports adding multiple affected users during Splunk Enterprise event ingestion for Security Operations.
        • sys_scope issue on the Xanadu instance that prevented linking a created source to the profile using the sn_si.admin role.
        • An issue where the Splunk ES Event Profiles were not updating the existing notables and only new notables were being ingested.
        • An issue where updated notables were not ingested if the correlation rule name contained a trailing space.
        • When any record in the Splunk raw data table contained bad data, event import failed for the remaining entries; those remaining entries are now processed as expected.
    Version 12.1.1 - November 2024
    The Splunk ES Event Ingestion integration for Security Operations allows security operations center (SOC) analysts to generate ServiceNow AI Platform Security Incident Response (SIR) incidents automatically when certain configured Splunk ES Notable Events are triggered. Analysts can also manually forward selected events on-demand from the Splunk ES console. Analysts respond to the security incidents that are created with workflows in the ServiceNow AI Platform that automate incident response activities and remediation.