Install and configure the ServiceNow application for the Splunk Enterprise Event Ingestion integration

  • Release version: Xanadu
  • Updated January 30, 2025
Before you run the integration on your ServiceNow AI Platform® instance, complete these installation and configuration steps so the application properly integrates with the Security Incident Response and Security Operations products on your ServiceNow AI Platform® instance.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    Procedure

    1. If you have not installed the Splunk Enterprise Event Ingestion application from the ServiceNow Store for the integration, see Install a Security Operations integration and follow the steps to install it.
    2. After you have successfully installed the application, navigate to Integrations > Integrations Configurations and locate the Splunk Event Ingestions tile.
    3. To configure the application, click New.
      Figure: Splunk new configuration tile.
    4. Alternatively, if a Configure button is displayed on a tile, click it to edit an existing configuration.
    5. In the Event Ingestions Configuration dialog that is displayed, fill in the fields.
      Name
        Name of the Splunk Enterprise console or Splunk Cloud instance used for the integration. Spaces are supported in names, but parentheses are not. For example, enter HQ-USA or HQ USA.

      Splunk API Base URL
        URL for your Splunk Enterprise console or Splunk Cloud instance.

      Basic Authentication
        Default is disabled. If you are using an API Account User Name and API Password for the configuration, enable the check box.

      API Account User Name
        User name that you created for your individual user account on the Splunk Enterprise console.

      API Password
        Password that you created for your individual user account on the Splunk Enterprise console.

      Token Based (available from version 12.0.0)
        Token-based authentication that you created for your API user account on the Splunk Enterprise console.

      Token
        Token that you created for your API user account on the Splunk Enterprise console.

      MID Server
        Specific MID Server that is set up in your environment. Only MID Servers that are active and validated are available from this choice list.

      On Premises Deployment
        Default is disabled. If you are using the cloud-based version of Splunk Enterprise, verify that the check box is cleared.

        If this option is enabled, the MID Server choice list is displayed. If you are using an on-premises version of Splunk Enterprise, follow these steps to select a MID Server.

        1. Select the check box. A choice list is displayed. Default is Any.
        2. Select Any only if this MID Server is configured for the Splunk Enterprise Event Ingestion integration.
        3. From the choice list, select the ServiceNow AI Platform® MID Server that you configured in your instance for this specific integration.

      The following figure is an example of a completed form for a configuration of an on-premises version of Splunk Enterprise with a MID Server.

      Figure: Configuration form with fields populated.

      Each Splunk Enterprise alert that you ingest from your Splunk Enterprise console requires a unique event profile in your ServiceNow AI Platform® instance. However, the source that you configure on the Event Ingestions Configuration form can be reused for multiple ServiceNow AI Platform® profiles as long as each profile ingests unique Splunk triggered alerts.

    6. Click Submit.
      After validation is successfully completed, the Security Integrations page is displayed with each of your configurations. On each valid configuration tile, Configure and Delete buttons are displayed as shown in the following figure.
      Note:
      Use either Basic Authentication or Token Based authentication, not both. Enable one of the two methods and enter the corresponding authentication details. Enabling both displays an error.

      After it is successfully validated and submitted, each Event Ingestions Splunk server configuration is saved on the Security Integrations page as a tile. If your saved configuration tiles are not displayed on the Security Integrations page, on the top right corner of the page, from the Show Configurations choice list, click Yes.

      Figure: Configuration form for Splunk Enterprise event ingestion configuration.

    If an error message is displayed after you click Submit, enter your information again and click Submit.
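The following script is an added example, not ServiceNow or Splunk code. It checks a configuration against the rules described above before you click Submit: the name may contain spaces but not parentheses, exactly one of Basic Authentication or Token Based must be enabled with its details filled in, and an on-premises deployment needs a MID Server selection. It also flags a plain-http base URL, since credentials or a token would otherwise travel in clear text. The dictionary keys (`name`, `splunk_api_base_url`, `basic_authentication`, `token_based`, `mid_server`, and so on) are assumed names chosen to mirror the form fields; the optional preflight request uses the Splunk REST API endpoint `/services/server/info` with the standard `Basic` or `Bearer` Authorization header, which is an assumption about your Splunk management endpoint and is not exercised offline.

```python
"""Pre-submit checks for a Splunk Event Ingestions configuration.

Added example, not ServiceNow or Splunk code. The config keys are assumed
names that mirror the form fields. The preflight probe assumes the Splunk
management API (/services/server/info) is reachable at the base URL.
"""
import base64
import urllib.request
from urllib.parse import urlparse


def build_auth_header(cfg: dict) -> str:
    """Return the Authorization header for exactly one enabled auth method.

    Raises ValueError when both or neither method is enabled, which is the
    same condition the form rejects with an error.
    """
    basic = bool(cfg.get("basic_authentication"))
    token = bool(cfg.get("token_based"))
    if basic and token:
        raise ValueError("Enable either Basic Authentication or Token Based, not both")
    if not (basic or token):
        raise ValueError("Enable one authentication method")
    if basic:
        user = cfg.get("api_account_user_name", "")
        pwd = cfg.get("api_password", "")
        if not user or not pwd:
            raise ValueError("Basic Authentication requires a user name and password")
        raw = f"{user}:{pwd}".encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")
    tok = cfg.get("token", "")
    if not tok:
        raise ValueError("Token Based authentication requires a token")
    return "Bearer " + tok


def validate_config(cfg: dict) -> list:
    """Collect configuration problems; an empty list means the form should validate."""
    problems = []
    name = cfg.get("name", "")
    if not name.strip():
        problems.append("Name is required")
    elif "(" in name or ")" in name:
        problems.append("Name must not contain parentheses (spaces are fine)")
    url = urlparse(cfg.get("splunk_api_base_url", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("Splunk API Base URL must be an absolute http(s) URL")
    elif url.scheme != "https":
        problems.append("Splunk API Base URL should use https so credentials are not sent in clear text")
    try:
        build_auth_header(cfg)
    except ValueError as exc:
        problems.append(str(exc))
    if cfg.get("on_premises_deployment") and not cfg.get("mid_server"):
        problems.append("On Premises Deployment requires a MID Server (or Any)")
    return problems


def probe_splunk(cfg: dict, timeout: float = 10.0) -> int:
    """Preflight: GET /services/server/info and return the HTTP status.

    Needs network access to the Splunk management endpoint; not run offline.
    """
    header = build_auth_header(cfg)
    req = urllib.request.Request(
        cfg["splunk_api_base_url"].rstrip("/") + "/services/server/info?output_mode=json",
        headers={"Authorization": header},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample configurations; the credentials are placeholders.
GOOD_TOKEN_CFG = {
    "name": "HQ USA",
    "splunk_api_base_url": "https://splunk.example.internal:8089",
    "token_based": True,
    "token": "example-token-value",
    "on_premises_deployment": True,
    "mid_server": "Any",
}
BAD_BOTH_CFG = {
    "name": "HQ (USA)",
    "splunk_api_base_url": "http://splunk.example.internal:8089",
    "basic_authentication": True,
    "api_account_user_name": "svc_ingest",
    "api_password": "example-password",
    "token_based": True,
    "token": "example-token-value",
    "on_premises_deployment": True,
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_TOKEN_CFG), ("bad", BAD_BOTH_CFG)):
        print(label, validate_config(cfg) or "OK")
```

Run `validate_config` on your intended settings first; only when it returns an empty list is it worth calling `probe_splunk`, which confirms the chosen credential actually authenticates against the management API before you save the tile.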

    What to do next

    You have successfully installed and configured the application. The next step is to create an event profile.