Schedule and retrieve alerts for the Splunk Enterprise Event Ingestion integration
For automated alert ingestion profiles, this step is final step of the event profile configuration. During this step, you can verify the default settings for alert retrieval or modify the scheduling as needed. This step permits you to filter your alert retrieval based on a date range.
Before you begin
Role required: sn_si.ingestion_profile_admin
About this task
After you have completed all the steps in the progress bar for the profile configuration as shown in the following figure, you have completed the configuration for profiles for manual event forwarding. There is no scheduling available for events forwarded manually from your Splunk Enterprise console. For profiles for automated alert ingestion, you choose whether you want to ingest any historical alerts during the Scheduling step. You also choose how often you will poll for future alerts that match the alert profile configuration.
For automated alert ingestion profiles, before the profile is activated, you verify and modify the scheduling and alert retrieval. This step is the final step of the event profile configuration process for scheduled alert profiles.
Configure these polling intervals on a per-profile basis. The performance of the Splunk event ingestion integration is impacted by the different polling intervals. When scheduling, you may prefer to balance system load against incident urgency. A five-minute default value is set for any profile, but you may prefer to modify this setting based on the urgency of the incident and the anticipated load on your system.
In the Splunk Enterprise console, you set an alert to trigger that is based on increments or on a specific time. Use this setting to help you configure the scheduling in your ServiceNow AI Platform instance so the time increments in your Splunk Enterprise console synchronize with the scheduling that you set up in your ServiceNow AI Platform instance.
Procedure
-
Choose one to schedule how and when alerts are pulled from the Splunk Enterprise console.
Option Description - On-going Alert field selected
- One-Time Retrieval field cleared
On-going Alert Based on the default setting, the ServiceNow AI Platform instance pulls from the Splunk Enterprise server for new alerts every five minutes. Security incidents are created if triggered alerts are found and filtering criteria are matched. To balance alert ingestion against server load, and to pull the most current data, five minutes is the setting you may prefer. However, this value can be modified as needed.
- On-going alert field cleared
- One-Time Retrieval field selected
One-time retrieval Use this configuration if you want a one-time pull to ingest alerts based on historic events.
When configured, a profile is used once to retrieve triggered alerts including alerts from historical events that are based on a date range. To the right of the Since date field, click the calendar icon. In the calendar that is displayed, select the date that you want to start pulling alerts. Starting with the Since date value, triggered alerts are retrieved up through the current date.
After the alerts are pulled, this setting will not retrieve triggered alerts for this profile going forward from the current date. This setting populates the security incident with all the alerts that are found for the range you enter.As an example for scheduling, if you have a daily Splunk alert that runs once a day at 4 AM local time, you can set up the corresponding alert profile in your ServiceNow AI Platform instance to run at 4:05 AM local time to capture the alert right away and create a security incident. Enter 04 05 00 in the Initial alert ingestion field. In the Increment (Minutes) field, enter 1440 (24 hours) to schedule the next alert ingestion for 24 hours from the initial alert ingestion. Both the initial alert ingestion time and next alert ingestion time are displayed in the fields.