Splunk Poller integration configuration fields

  • Release version: Australia
  • Updated March 12, 2026

    Description of the fields on the Splunk Poller integration configuration forms for Health Log Analytics.

    For the Splunk Poller integration setup procedure, see Set up a Splunk Poller integration for Health Log Analytics.

    Table 1. Provide details

    Integration Name
        Unique name of this integration. This field is required.
        Note: When you fill in this field, the generic name displayed on the form adjusts automatically to match the name you entered.

    Execute on
        Option to select whether to use a specific MID Server or a MID Server cluster. This field is required.

    MID server name (only when Execute on is set to Specific MID Server)
        MID Server to which log data from Splunk is pulled. This field is required.
        Note:
        • You can select only MID Servers that support basic authentication. MID Servers that support mTLS are not listed.
        • The default maximum number of data inputs streaming logs to a single MID Server is 10. You can modify this number in the MID Server properties.
        • If log ingestion is not enabled for the selected MID Server, Health Log Analytics enables it automatically.

    MID Server Cluster (only when Execute on is set to Specific MID Server cluster)
        The MID Server cluster to which the log data is pulled. This field is required.
        The data input runs on a single MID Server in the cluster until that MID Server fails. The system then moves all the data input tasks to the next available MID Server in the cluster according to the configured order.
        Note:
        • Health Log Analytics supports only failover MID Server clusters. In these clusters, multiple MID Servers are grouped together for failover protection. When selecting a cluster from the data input or integration form, the MID Server clusters list displays only failover clusters.
        • The MID Server cluster must include only MID Servers that support basic authentication. mTLS is not supported for log ingestion.
        • Log ingestion must be enabled for each MID Server in the cluster. If log ingestion is not enabled for the active MID Server, Health Log Analytics enables it automatically.
        • The default maximum number of data inputs or integrations streaming logs to a single MID Server is 10. A cluster passes capacity validation if it contains at least one MID Server with fewer than 10 data inputs or integrations running on it, even when that MID Server is down.
        For more information about MID Server clusters, see Configure a MID Server cluster.

    Service instance
        The service instance (formerly the application service) to which to bind the log data. This field is required.

    Data source
        The source of the log data that the integration pulls to your ServiceNow instance: Splunk. This field is read-only.

    Description
        Option to add a brief description of the integration to help identify it.
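The failover and capacity rules for a MID Server cluster are easy to misread, so the following added example (not ServiceNow code; the cluster members, their input counts and their up/down state are constructed) models them in Python: a cluster passes capacity validation when any member has fewer than 10 data inputs, a down member still counts for that check, and the data input moves to the next member that is up, in configured order. The last call shows the case a practitioner should watch for: validation passes because the only member with headroom is down, so after two failures no MID Server is left to run the input.

```python
from dataclasses import dataclass

# Constructed model of a failover MID Server cluster. Names, counts and
# states below are made up for illustration; this is not ServiceNow code.

DEFAULT_MAX_INPUTS_PER_MID = 10  # default limit, adjustable in MID Server properties


@dataclass
class MidServer:
    name: str
    running_inputs: int  # data inputs or integrations streaming logs to this MID Server
    is_up: bool


def cluster_passes_capacity_validation(cluster, max_inputs=DEFAULT_MAX_INPUTS_PER_MID):
    """The cluster passes if at least one member has fewer than max_inputs
    running on it. A member that is down still counts for this check."""
    return any(s.running_inputs < max_inputs for s in cluster)


def active_mid_server(cluster):
    """The MID Server that currently runs the data input: the first member,
    in configured order, that is up. None when every member is down."""
    for s in cluster:
        if s.is_up:
            return s
    return None


def failover(cluster, failed_name):
    """Mark one member as failed and return the name of the MID Server the
    data input moves to (next available member in configured order)."""
    for s in cluster:
        if s.name == failed_name:
            s.is_up = False
    nxt = active_mid_server(cluster)
    return nxt.name if nxt else None


def build_sample_cluster():
    """Constructed cluster in configured order: two full members that are up,
    one member with headroom that is down."""
    return [
        MidServer("mid-a", running_inputs=10, is_up=True),
        MidServer("mid-b", running_inputs=10, is_up=True),
        MidServer("mid-c", running_inputs=3, is_up=False),
    ]


if __name__ == "__main__":
    cluster = build_sample_cluster()
    # Passes: mid-c has headroom, even though it is down.
    print("capacity validation:", cluster_passes_capacity_validation(cluster))
    print("active:", active_mid_server(cluster).name)
    print("after mid-a fails:", failover(cluster, "mid-a"))
    # No member is up any more: the input has nowhere to run.
    print("after mid-b fails:", failover(cluster, "mid-b"))
```

The point to take from the sample cluster is that capacity validation and availability are separate checks: a cluster can be accepted by the form and still have no MID Server able to take over, so keep the member with spare capacity up before relying on the failover order.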
    Table 2. Set data retrieval method

    REST API Server URL
        The URL used to access the Splunk REST API. This field is required.
        Note:
        • By default, the Splunk REST API endpoint is available on port 8089. Therefore, the default endpoint for the Splunk REST API is: http://<splunk-server>:8089.
        • The REST API endpoint is different from the front-end endpoint.

    Authentication method
        The credential alias to be used. This field is required.
        The Splunk integration uses credential aliases instead of direct references to credentials for authentication. The credential aliases are listed by type: aliases that contain basic auth credentials, and those that contain token auth credentials. If an alias holds both credential types, it appears in both categories.
        You can select Manage credential aliases to manage your credential aliases and create new ones in the Connection & Credential Aliases list.

    Query
        The query Splunk uses to search your data. This field is required.
        For example, the query sourcetype="adc_access_log" instructs the Splunk Poller integration to retrieve all logs with the source type adc_access_log.
    Table 3. Advanced settings

    Max documents per query
        The maximum number of documents retrieved each time log data is fetched from Splunk. Default: 10,000.

    Splunk Request Timeout (seconds)
        The maximum time, in seconds, allowed for data retrieval before the request times out.
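To make the fields in Tables 2 and 3 concrete, the following added Python example (not ServiceNow or Splunk code) shows how a REST API Server URL, a credential alias' contents, the Query, Max documents per query and the request timeout map onto a single Splunk REST API search request, and how the JSON reply is turned into documents. It assumes the one-shot search endpoint `/services/search/jobs` with `exec_mode=oneshot` and `output_mode=json`, and it fills in port 8089 when the configured URL has none. The `credential` dictionary shape, the sample URL and the sample response are constructed for the example.

```python
import base64
import json
from urllib.parse import urlencode, urlparse

# Constructed example mapping Splunk Poller settings to a Splunk REST API
# request. Not ServiceNow or Splunk code; endpoint and credential layout are
# assumptions made for the example.

SPLUNK_REST_DEFAULT_PORT = 8089       # REST endpoint, distinct from the web front end
DEFAULT_MAX_DOCUMENTS = 10_000        # form default for Max documents per query


def normalize_rest_url(server_url):
    """Return scheme://host:port for the REST API, adding port 8089 when the
    configured URL carries no explicit port."""
    parts = urlparse(server_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"REST API Server URL must look like http(s)://host[:port]: {server_url!r}")
    port = parts.port or SPLUNK_REST_DEFAULT_PORT
    return f"{parts.scheme}://{parts.hostname}:{port}"


def auth_header(credential):
    """Map the contents of a credential alias to an Authorization header.
    credential is an assumed dict: {"type": "basic", "user": ..., "password": ...}
    or {"type": "token", "token": ...}."""
    if credential["type"] == "basic":
        raw = f"{credential['user']}:{credential['password']}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    if credential["type"] == "token":
        return {"Authorization": "Bearer " + credential["token"]}
    raise ValueError(f"unsupported credential type: {credential['type']!r}")


def build_search_request(server_url, query, credential,
                         max_documents=DEFAULT_MAX_DOCUMENTS, timeout_seconds=60):
    """Build the one-shot search request a poller would send for one fetch."""
    # The REST 'search' parameter expects a full SPL pipeline, so a bare query
    # such as sourcetype="adc_access_log" needs the leading 'search' command;
    # a query that already starts with '|' is a generating command and is sent as is.
    spl = query.strip()
    if not spl.startswith("|") and not spl.lower().startswith("search "):
        spl = "search " + spl
    form = {
        "search": spl,
        "exec_mode": "oneshot",
        "output_mode": "json",
        "count": max_documents,   # Max documents per query
    }
    return {
        "method": "POST",
        "url": normalize_rest_url(server_url) + "/services/search/jobs",
        "headers": {**auth_header(credential),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
        "timeout": timeout_seconds,  # Splunk Request Timeout (seconds)
    }


def parse_oneshot_results(response_text):
    """Extract the result documents from an output_mode=json one-shot reply."""
    return json.loads(response_text).get("results", [])


# Constructed sample reply, shaped like a Splunk one-shot JSON response.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"_time": "2026-03-12T10:00:00.000+00:00", "sourcetype": "adc_access_log",
         "_raw": "192.0.2.10 - - GET /index.html 200"},
        {"_time": "2026-03-12T10:00:01.000+00:00", "sourcetype": "adc_access_log",
         "_raw": "192.0.2.11 - - GET /favicon.ico 404"},
    ]
})


if __name__ == "__main__":
    req = build_search_request(
        "https://splunk.example.com",            # no port: 8089 is filled in
        'sourcetype="adc_access_log"',
        {"type": "token", "token": "<token from the credential alias>"},
        max_documents=500, timeout_seconds=30,
    )
    print(req["method"], req["url"], "timeout", req["timeout"])
    print(req["body"])
    for doc in parse_oneshot_results(SAMPLE_RESPONSE):
        print(doc["_time"], doc["_raw"])
```

To send the request for real, pass `req["url"]`, `req["headers"]`, `req["body"]` and `req["timeout"]` to an HTTP client such as `requests.post(..., data=..., headers=..., timeout=...)`; the timeout is the one place where the form's Splunk Request Timeout shows up, and leaving it unset lets a stalled Splunk instance hold the poll open indefinitely.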