Set up a Splunk TCP integration for Health Log Analytics

  • Release version: Zurich
  • Updated July 31, 2025
  • 4 minutes to read

    • Set up an integration to stream log messages to your ServiceNow instance over the TCP transport protocol using a Splunk heavy forwarder. Health Log Analytics processes the ingested log data.

    Before you begin

    • Verify that a MID Server is installed and configured with the Log Ingestion capability enabled. For more information, see MID Server system requirements.

      MID Server configuration with Log Ingestion capability enabled.

      Important:
      Health Log Analytics does not support IPv6. To work with the application, configure the MID Server to IPv4.
    • Unless the MID Server and external clients are on the same network, the MID Server must have a public IP address. This is required when its IP is exposed through network address translation (NAT), a load balancer, or a similar device. The public IP address enables external clients, such as Filebeat agents located outside its network, to reach the MID Server. Private IP addresses are not routable over the internet. Without a public IP, external clients cannot connect to the MID Server even if they are configured with its address. In the MID Server properties, add a property named mid.public_ip with the public IP address as the value. For more information, see Create a MID Server property. If the MID Server and external clients are on the same network, connections can be made using the private IP address.
    • For shipping your logs encrypted using SSL TLS, see the Streaming Data With Rsyslog & Filebeat Using SSL [KB0866319] article in the Now Support Knowledge Base.
    • The MID Server must support basic authentication.
      Note:
      mTLS is not supported for log ingestion.
    • No more than the default maximum of 10 integrations will stream logs to a single MID Server. You can modify the maximum number by adding the property sn.occ.log_ingestion.max_datainputs_per_mid to the MID Server and then changing the default value.

      To find out how many data inputs are streaming logs to the same MID Server, navigate to the Streaming Sources table and count the data inputs that stream to a specific MID Server.

    Role required: evt_mgmt_admin

    About this task

    You set up integrations through the Integrations Launchpad in Service Operations Workspace, which you access from the ITOM AIOps configuration center. The AIOps configuration center is a centralized workspace for configuring and managing AIOps features from a single place. The integrations setup process reduces implementation time compared to manual data input setup in the classic interface in Health Log Analytics. For more information, see Integrations Launchpad in Service Operations Workspace for ITOM.

    Procedure

    1. Navigate to Workspaces > Service Operations Workspace.
    2. From the bottom of the navigation pane, select the AIOps configuration center icon ITOM AIOps configuration center icon.
      The ITOM AIOps configuration center page appears. The configuration center is a centralized workspace. Use it to configure and manage AIOps features from a single place.
    3. From the Integrate section, under Integrations, select Add integration.
      The Integrations Launchpad appears.
    4. In the Browse integrations tab, enter Splunk in the search field.
    5. Select the Splunk TCP integration tile.
      Note:
      If you start an integration setup before meeting all prerequisites, a message appears. You can cancel the setup and complete the prior requirements first. Alternatively, you can continue in draft mode and complete the requirements later. Note that you can't activate the integration until you have completed all the prerequisites.
    6. On the Provide details form, fill in the fields.
      For a description of the fields, see the Provide details table in Splunk TCP integration configuration fields.
    7. Optional: Select Advanced settings and fill in the advanced configuration fields.
      For a description of the fields, see the Advanced settings table in Splunk TCP integration configuration fields.
    8. Select Next.
    9. Follow the procedure on the Set-up instruction screen to install the integration in the third-party console.
      Note:
      The procedure varies based on your configurations.
    10. Do one of the following:
      • If you completed all the prerequisites before starting the configuration, select Activate.

        When the integration is activated successfully, the Overview tab is displayed. On the Integrations Launchpad, the integration tile is available in the Installed integrations tab.

      • If you didn't complete all the prior requirements, select Save draft.

        The system saves the integration as a draft in the Integrations Launchpad. It appears in the Installed integrations tab, under Waiting for your action. You can complete the prerequisites and activate the integration later. For more information, see Activate a draft integration in Health Log Analytics.

    What to do next

    On the Overview tab, do the following: