Install the add-on for the Service Graph Connector for Splunk

  • Release version: Australia
  • Updated March 12, 2026
  • Install the Splunk add-on developed by ServiceNow® engineering from Splunkbase to search for Windows and Linux Assets.

    Before you begin

    Role required: admin or security_admin

    Procedure

    1. Navigate to Splunkbase and log in.
    2. In your Splunk console, select Apps > Find More Apps.
    3. Locate the ServiceNow Add-on for Windows and Linux Assets app and select Install.
      Note:
      You can upgrade from within the app.
    4. Follow the prompts.
    5. Optional: Navigate to Settings > Searches, reports and alerts to view when searches are scheduled.
      Note:

      You can change the schedules. However, the searches run in a specific order, and each search must complete successfully before the next search in the list is initiated, so you might prefer to leave the settings at their defaults.

      After all the searches are completed, the data from each search is grouped into a few coalesced key-value pairings (kvstores) for import into your instance: asset details, asset process details, asset service details, and asset software details.

    6. Select App: Search and Reporting (search) > ServiceNow Add-on for Windows and Linux Assets.
      By default, search data is stored in the following key definitions:
      • Asset_index_macro: Index="internal"
      • Asset_linex_Index_macro: index="main"
      • Asset_windows_index="main"

      If you are storing the search data for Linux and Windows in custom indexes, you must update your search macros.

    7. To update your search macros, navigate to Settings > Advanced search > Search macros > Search & Reporting (Search) > ServiceNow Add-on for Windows and Linux Assets (ServiceNow_TA_windows_linux_assets).
    8. On the Search macros page, update the index as required in the Definition column.
    9. Optional: Adjust workloads to specify resources for search, indexing, and other workloads.
      1. In Splunk Web, select Settings > Workload Management > Workload Rules.
      2. In the Status column, select the toggle to activate or deactivate individual workload rules.
      See Service Graph Connector for Splunk add-on for more information about target workloads and supported deployments.
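
A check you can run after steps 6 to 8 to confirm that each index macro resolves to the index you intended. This is an added example, not code from ServiceNow or the add-on. It assumes the macros are stored in the app's default/macros.conf, that edits made on the Search macros page are saved to local/macros.conf, and that local overrides default; the file contents, the index names os_linux and os_windows, and the function names are constructed for illustration.

```python
import configparser
import re

# Constructed stand-in for the add-on's default/macros.conf; the macro names
# and default values are the ones listed in step 6 of the procedure.
DEFAULT_CONF = """
[Asset_index_macro]
definition = Index="internal"
[Asset_linex_Index_macro]
definition = index="main"
[Asset_windows_index]
definition = index="main"
"""

# Constructed local/macros.conf as it might look after step 8.
# "os_linux" is a hypothetical custom index name.
LOCAL_CONF = """
[Asset_linex_Index_macro]
definition = index="os_linux"
"""

INDEX_RE = re.compile(r'\bindex\s*=\s*"?([\w*-]+)"?', re.IGNORECASE)


def load_macros(text):
    """Return {macro name: definition} from macros.conf text."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.read_string(text)
    return {s: parser.get(s, "definition", fallback="") for s in parser.sections()}


def effective_indexes(default_text, local_text):
    """Merge default and local (local wins) and list the indexes each macro searches."""
    merged = {**load_macros(default_text), **load_macros(local_text)}
    return {name: sorted(set(INDEX_RE.findall(d))) for name, d in merged.items()}


def stale_macros(effective, expected):
    """Return macros whose effective index differs from the one you expect."""
    return {m: effective.get(m, []) for m, idx in expected.items()
            if effective.get(m, []) != [idx]}


if __name__ == "__main__":
    eff = effective_indexes(DEFAULT_CONF, LOCAL_CONF)
    # Hypothetical target layout: Linux data in os_linux, Windows data in os_windows.
    want = {"Asset_linex_Index_macro": "os_linux", "Asset_windows_index": "os_windows"}
    for macro, found in stale_macros(eff, want).items():
        print(f"{macro}: still searching {found}, expected {want[macro]}")
```

With the constructed files, only the Windows macro is reported, because its definition was never changed from the default. A macro left on the default index returns no results for data stored elsewhere, so the asset kvstores would be incomplete without any error being raised.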