Using ServiceNow Security Operations Event Ingestion Add-on for Splunk ES

  • Release version: Xanadu
  • Updated October 10, 2025

Forward events on-demand from your Splunk Enterprise Security console to create a Security Incident Response (SIR) on the ServiceNow instance.

    Before you begin

    Role required: sn_sec_splunkes.api_account_access

    Procedure

    1. Log in to Splunk Enterprise.
    2. Navigate to Apps > Enterprise Security.
    3. Select Mission Control.
      A list of notable events, generated in the Splunk console based on the previously configured correlation rule, is displayed.
    4. Select any Notable Event from the list.
    5. Select the ellipsis icon (⋮).
    6. From the drop-down list, select the Workflow action label that was configured while setting up the add-on.
      For more information on the Workflow action label, see Setup ServiceNow Security Operations Event Ingestion Addon for Splunk ES.
      Events go into the Splunk ES Event Import table, followed by the Splunk ES Event to Tasks table.

    Result

    A Security Incident Response (SIR) record is created on the ServiceNow instance according to the mapping specified in the Manual event forwarding profile. For instructions on how to set up a Manual event forwarding profile, see Create and name an event profile for the Splunk Enterprise Event Ingestion integration.