Splunk Polling data input configuration fields

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Splunk Polling Data Input Configuration Fields

    This document outlines the essential fields for configuring the Splunk Polling data input, which enables users to stream log data from Splunk into ServiceNow. Understanding these fields is crucial for setting up data inputs effectively and ensuring optimal performance.

    Show full answer Show less

    Key Features

    • Name: Required field for the data input's name.
    • Description: Provides context for the data input.
    • Execute on: Choose between a specific MID Server or a MID Server cluster, both of which are required selections.
    • MID: Specifies the MID Server when executing on a specific server.
    • MID Server Cluster: Required when using a specific cluster; supports failover MID Server clusters for log ingestion.
    • Service instance: Required field that binds the log data to a specific service instance in ServiceNow.
    • Transport: Defines the protocol for streaming log messages.
    • Sources count: Indicates the number of log sources created by the data input.
    • Status: Displays the current state of the data input.
    • Last log time: Shows when the last log was received.
    • Server URL: URL for accessing the Splunk REST API.
    • Query: The specific query used by Splunk to search data.
    • Authentication Type: Options for Basic or Token authentication for security.
    • Max documents per query: Limits the number of documents retrieved at once (default is 10,000).
    • Splunk request timeout: Sets the maximum wait time for data retrieval.

    Key Outcomes

    By understanding and configuring these fields, ServiceNow customers can effectively set up Splunk Polling data inputs to ensure reliable log streaming and management. Proper configuration enhances data availability and supports operational efficiency.

    Description of the fields on the Splunk Polling data input configuration form.

    Basic configuration

    Table 1. Getting Started tab
    Field Description
    Name Name of the new data input. This field is required.
    Description Description of the data input.
    Execute on Option to select whether to use a specific MID Server or a MID Server cluster. This field is required.
    MID (Only when the Execute on field is set to Specific MID Server.)

    The MID Server to which the logs are streamed.

    This field is required.
    MID Server Cluster

    (Only when Execute on is set to Specific MID Server cluster.)

    The MID Server cluster to which the log data is pulled. This field is required.

    The data input runs on a single MID Server in the cluster until that MID Server fails. The system then moves all the data input tasks to the next available MID Server in the cluster according to the configured order.

    Note:
    • Health Log Analytics supports only failover MID Server clusters. In these clusters, multiple MID Servers are grouped together for failover protection. When selecting a cluster from the data input or integration form, the MID Server clusters list displays only failover clusters.
    • The MID Server cluster must include only MID Servers that support basic authentication. mTLS is not supported for log ingestion.
    • Log ingestion must be enabled for each MID Server in the cluster. If log ingestion is not enabled for the active MID Server, Health Log Analytics enables it automatically.
    • The default maximum number of data inputs or integrations streaming logs to a single MID Server is 10. A cluster passes capacity validation if it contains at least one MID Server with fewer than 10 data inputs or integrations running on it, even when that MID Server is down.
    For more information about MID Server clusters, see Configure a MID Server cluster.
    Service instance The service instance to which to bind the log data. This field is required.
    Note:
    If no relevant service instance exists, create a service instance and add CIs to it. Set the status of the new service instance to Operational.
    Transport The protocol used for streaming log messages to your ServiceNow instance.
    Sources count The number of log sources this data input has created.
    Status Status of the data input.
    Disabled since The time when the data input stopped or failed.
    Last log time The time when the last log streamed in the data input.

    Advanced configuration

    Table 2. Transport tab
    Field Description
    Server URL The URL used to access the Splunk REST API.
    Query The query Splunk uses to search your data.
    Authentication Type The authentication type.
    • Basic authentication: Sends a username and password with each HTTP request. Basic authentication is simpler than token-based authentication, but less secure.
    • Token authentication: The client obtains a token from an authentication server and uses that token to authenticate against Splunk.
    Splunk Poll Credential Alias The credential alias to be used.

    Specify a Splunk Poll credential alias by selecting the magnifying glass icon and then either selecting an existing credential alias from the Connection & Credential Aliases list, or selecting New to create a new record. The selected credential alias can hold one Basic Auth credential and one Token Auth credential.

    For information about creating a credential alias, see Credential aliases for Discovery.
    From The date and time from which Splunk searches the data.
    To The date and time until which Splunk searches the data.
    Table 3. Advanced tab
    Field Description
    Max documents per query The maximum number of documents retrieved each time log data is fetched from Splunk. Default: 10,000.
    Splunk request timeout (seconds) The maximum time, in seconds, allowed for data retrieval before the request times out.