Set up ServiceNow Event Ingestion Integration add-on

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read
  • Install and set up the ServiceNow Event Ingestion Integration add-on in your Splunk Enterprise console or Splunk Cloud instance.

    Before you begin

    Important:

    Create a Manual event forwarding profile to forward alerts on demand from your Splunk console to create a Security Incident Response (SIR) on the ServiceNow instance. For more information, see Create and name an event profile and implement the same for Splunk V2.

    This add-on setup is necessary to enable manual event forwarding for the Splunk profile. Up to two configurations (Splunk Primary and Splunk Secondary) can be created for a particular add-on.

    Verify that you have installed the application for this integration from the ServiceNow Store before installing the add-on plugin from Splunkbase that is required for manual event ingestion. If you have not installed the application for the integration from the ServiceNow Store, see Install and configure the ServiceNow application for the Splunk Enterprise Event Ingestion integration and follow the instructions to install it.

    Role required: ServiceNow AI Platform administrator (admin)

    About this task

    If you want to export events manually and on demand from your Splunk console for the integration, download and set up the ServiceNow Event Ingestion Integration add-on from Splunkbase in your Splunk console.

    This ServiceNow extension add-on is required so that security incidents can be created from manually exported events in your ServiceNow AI Platform instance. The ServiceNow Event Ingestion Integration add-on is available on Splunkbase.

    For manual event forwarding, you can identify up to two different ServiceNow AI Platform endpoints (instances) in your Splunk Enterprise console. You forward the events to the endpoint or endpoints manually to create security incidents. For example, you can specify both a staging (development) instance and a production instance. By specifying separate instances and naming primary and secondary workflows for each instance, you can choose where you want to forward different events.

    Procedure

    1. If you have not already installed the ServiceNow Event Ingestion Integration add-on, follow these steps to install and configure it.
      1. Download the ServiceNow Event Ingestion Integration add-on from Splunkbase.
      2. If prompted, restart Splunk Enterprise.
        The ServiceNow Event Ingestion Integration add-on is installed in your Splunk Enterprise console. The next step is to set up the add-on.
    2. To set up the add-on, follow these steps.
      1. In Splunk Enterprise, select the Manage Apps gear icon on the menu drop-down list.
      2. On the list of applications that is displayed, in the Actions column, select Set up for ServiceNow Event Ingestion Integration.
        The ServiceNow Event Ingestion Integration add-on setup is organized into three tabs.
        • Splunk Primary: The default or primary Splunk configuration.
        • Splunk Secondary: (Optional) The backup or second Splunk configuration.
        • Logging Level: The level of the logs that the integration generates, identified by the name of the type of information.
      3. On the form, fill in the fields.
        Field: Description

        Workflow action label: Name of the instance. This will be an action in the drop-down of Event Actions for alerts in the Splunk console.

        URL: URL of the ServiceNow instance you entered in the preceding workflow action label field.

        Endpoint: Base API path. Default for this field is: /api/sn_sec_splunk_v2/event_ingestion.

        Auth type: Authentication method to be used for API requests. The available options include:
        • Basic Authentication: Uses username and password to authenticate requests.
        • OAuth 2.0 Authentication: Uses access tokens to authenticate requests.

        Basic Authentication

        Username: Username of the user. A user with the sn_sec_splunk_v2.api_account_access role should be present in the instance specified in the preceding URL field for manual event forwarding.

        Password: Password of the user. A user with the sn_sec_splunk_v2.api_account_access role should be present in the instance specified in the preceding URL field for manual event forwarding.

        OAuth 2.0 Authentication

        Client Id: Client ID of the app created in the ServiceNow instance. For information on how to get the Client ID, see Configure Application Registry on the ServiceNow instance.

        Client Secret: Client Secret of the app created in the ServiceNow instance. For information on how to get the Client Secret, see Configure Application Registry on the ServiceNow instance.

        Redirect URL: Copy and paste this URL in the redirect URL field of the Application Registries record.

        Figure: ServiceNow Event Ingestion Integration set up on Splunk

      4. Select Save.
      5. Select the Splunk Secondary tab.
      6. On the form, fill in the fields.
        The fields are the same as in the Splunk Primary tab.
      7. Select Save.
        Note:
        Up to two configurations can be created for a particular add-on (Basic Authentication and another OAuth 2.0 Authentication).
      8. Select the Logging Level tab.
      9. On the form, fill in the fields.
        Table 1. Logging level

        Field: Description

        Log Level: The level of the logs that the integration generates, identified by the name of the type of information. You can also update the value to the following options:
        • info
        • error
        • warn
        • debug

        By default, the value is info.

      10. Select Save.
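
A pre-flight check for the values entered on the Splunk Primary, Splunk Secondary and Logging Level tabs, as an added example (not ServiceNow's or the add-on's own code). The dictionary keys, hostnames and credentials are constructed, and requiring https is this example's assumption, made because both auth types send secrets to the instance.

```python
from urllib.parse import urlsplit

DEFAULT_ENDPOINT = "/api/sn_sec_splunk_v2/event_ingestion"  # default given on this page
REQUIRED = {  # fields the setup form asks for under each Auth type
    "Basic Authentication": ("username", "password"),
    "OAuth 2.0 Authentication": ("client_id", "client_secret"),
}
LOG_LEVELS = ("info", "error", "warn", "debug")

def check_tab(tab, cfg):
    """Return findings for one tab; the dict key names are hypothetical."""
    out = []
    url = urlsplit(cfg.get("url", ""))
    if url.scheme != "https" or not url.hostname:
        out.append(f"{tab}: URL must be an https:// instance URL")
    if url.username or url.password:
        out.append(f"{tab}: URL embeds credentials; use the auth fields")
    if cfg.get("endpoint") != DEFAULT_ENDPOINT:
        out.append(f"{tab}: Endpoint is not the default; confirm it is intended")
    auth = cfg.get("auth_type")
    if auth not in REQUIRED:
        out.append(f"{tab}: unknown Auth type {auth!r}")
    else:
        out += [f"{tab}: {f} is required for {auth}"
                for f in REQUIRED[auth] if not cfg.get(f)]
    return out

def check_addon(primary, secondary=None, log_level="info"):
    """Check Splunk Primary, optional Splunk Secondary, and the Log Level."""
    out = check_tab("Splunk Primary", primary)
    if secondary is not None:
        out += check_tab("Splunk Secondary", secondary)
        if primary.get("label") == secondary.get("label"):
            out.append("Both tabs share one Workflow action label")
    if log_level not in LOG_LEVELS:
        out.append(f"Logging Level: {log_level!r} is not a listed option")
    return out

# Constructed sample values (not real instances or credentials).
PROD = {"label": "SIR production", "url": "https://prod.example.com",
        "endpoint": DEFAULT_ENDPOINT, "auth_type": "OAuth 2.0 Authentication",
        "client_id": "placeholder-id", "client_secret": "placeholder-secret"}
STAGING = {"label": "SIR production", "url": "http://svc:pw@staging.example.com",
           "endpoint": "/api/other", "auth_type": "Basic Authentication",
           "username": "svc"}

if __name__ == "__main__":
    for finding in check_addon(PROD, STAGING, "trace"):
        print(finding)
```
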

    What to do next

    Using ServiceNow Event Ingestion Integration add-on