Set up your Splunk environment for manual event ingestion for the Splunk Enterprise event ingestion integration

  • Release version: Washingtondc
  • Updated February 1, 2024
    If you want to export events manually and on demand from your Splunk Enterprise console for this integration, install and set up the ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise application in your Splunk Enterprise console or Splunk Cloud instance.

    Before you begin

    Verify that you have installed the application for this integration from the ServiceNow Store before you install the addon plugin from splunkbase that is required for manual event ingestion. If you have not installed the application for the integration from the ServiceNow Store, see Install and configure the ServiceNow application for the Splunk Enterprise Event Ingestion integration and follow the instructions to install it.

    Role required: ServiceNow AI Platform administrator (admin)

    About this task

    Installing and setting up the ServiceNow Security Operations Event Ingestion Addon is optional.

    If you want to export events manually and on demand from your Splunk Enterprise console for the integration, download, install, and set up the ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise from splunkbase in your Splunk Enterprise console.

    This addon is required so that security incidents can be created in your ServiceNow AI Platform instance from events that you export manually. The ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise is available on splunkbase.

    For manual event forwarding, you can identify up to two different ServiceNow AI Platform endpoints (instances) in your Splunk Enterprise console and forward events to either of them manually to create security incidents. For example, you can specify both a staging (development) instance and a production instance. By specifying separate instances and giving the primary and secondary workflows distinct names, you can choose where to forward different events. Each instance is configured with its own credentials, so keep the staging and production integration accounts separate.

    Procedure

    1. If you have not already installed the ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise, follow these steps to install and configure it.
      1. Navigate to splunkbase.
      2. Search for the ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise.
        Note:
        Verify that you have selected ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise. There are additional ServiceNow addons that are displayed in this list. These addons are for different ServiceNow Splunk integrations, and they are not required for this integration.
      3. Download the application.
      4. Open your Splunk Enterprise account.
      5. On the Apps page, click the gear icon or the Manage Apps shortcut on the menu drop-down list.
      6. On the upper left of the Apps page that is displayed, click Install app from file.
      7. Click Choose File, select ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise, and click Upload.
      8. If prompted, restart Splunk Enterprise.
        The ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise is installed in your Splunk Enterprise console. The next step is to set up the Addon.
    2. To set up the Addon, follow these steps.
      1. In Splunk Enterprise, click the Apps gear icon or Manage Apps on the menu drop-down list.
      2. On the list of applications that is displayed, in the Actions column, click Set up for ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise.
      3. Fill out the form.
        The following figure is an example of a completed form in your Splunk Enterprise console.
        Completed form with configuration settings for ServiceNow Primary and Secondary Instances
      Fields in the Specify ServiceNow Primary Instance section

      Workflow action label
        Name of the workflow for your production (primary) instance, as the users who monitor Splunk events should see it, for example, Servicenow Event Ingestion (Production). The default for this field is Servicenow Event Ingestion (Production).

        In your Splunk Enterprise console, this name is displayed for the production (Primary) instance in the expanded Event Actions drop-down list of a search. You can edit the name.

      URL
        The URL of the ServiceNow AI Platform instance that the preceding Workflow action label refers to. Copy the instance URL from your browser address bar and paste it in this field. Enter only the instance URL; the API path belongs in the Endpoint field.

      Endpoint
        Base API path of the Event Ingestion scripted REST API. For more information, refer to the figure that follows the table.

        If you do not have the base API path for your ServiceNow AI Platform production instance, follow these steps.

        1. Log in to your ServiceNow AI Platform production instance as a user with the system administrator (admin) role.
        2. Enter Scripted REST APIs in the navigation panel.
        3. After the navigation panel is refreshed, select the Scripted REST APIs module that is displayed.
        4. If Event Ingestion is not listed in the Name column of the Scripted REST APIs list, enter Event Ingestion in the search field at the top.
        5. In the Base API path column of the refreshed list, copy the value for Event Ingestion and paste it in the Endpoint field on the form. An example base API path is /api/sn_sec_splunk_v2/event_ingestion.

      Username
        User name of the account in the production instance that you assigned the sn_sec_splunk_v2.api_account_access role for manual event forwarding. Use a dedicated integration account that holds this role rather than a personal or administrator account, because the Splunk addon stores these credentials.

        For more information about assigning this role, see Set up your ServiceNow AI Platform instance for the Splunk Enterprise Event Ingestion integration.

      Password
        Password of the account named in the Username field.

      (Optional) Fields in the Specify ServiceNow Secondary Instance section

      These fields are optional. You are not required to specify a secondary instance.

      Workflow action label
        Name of the workflow for your secondary (staging) instance, as the users who monitor Splunk events should see it, for example, ServiceNow Event Ingestion (Staging).

        In your Splunk Enterprise console, this name is displayed for the staging (Secondary) instance in the expanded Event Actions drop-down list of a search. You can edit the name.

      URL
        The URL of the secondary ServiceNow AI Platform instance that the preceding Workflow action label refers to. Copy the instance URL from your browser address bar and paste it in this field.

      Endpoint
        Base API path. This value is the same as the Base API path for your primary instance. See the preceding figure of the form for more information.

      Username
        User name of the account in your staging instance that holds the sn_sec_splunk_v2.api_account_access role.

      Password
        Password of the account named in the Username field for the staging instance.

      The following figure is an example of the Scripted REST APIs list in your ServiceNow AI Platform instance. It shows where to find the endpoint value that you enter in the form when you set up the ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise in your Splunk Enterprise console.
      Figure 1. Scripted REST APIs list in the ServiceNow AI Platform
      Base API path highlighted.
    3. In the setup form in your Splunk Enterprise console, click Save to save your edits.

      After a few moments, at the top left of the form in your Splunk Enterprise console, a message is displayed that the record is successfully updated.

      After you save the form, the Workflow action labels that you entered for your ServiceNow AI Platform instance or instances are available from the Event Actions choice list on a selected event of a search in your Splunk Enterprise console.
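      The setup form above accepts whatever you type, and the usual mistakes (an http:// URL, the API path pasted into the URL field, a staging endpoint that differs from production, the same label on both instances) only surface when an analyst forwards an event and nothing arrives. The following pre-flight check is an added example written for this page; it is not part of the addon or of ServiceNow. It validates the primary and optional secondary sections against the rules the page states (the Endpoint is the base API path, the secondary Endpoint equals the primary one) plus two editor-chosen hygiene checks (https only, no path or credentials in the URL field), and composes the address the addon will forward events to. The instance hostnames and account names are constructed placeholders, and the expected endpoint is the example base API path shown on this page; your instance may differ.

```python
"""Pre-flight validation for the ServiceNow Security Operations Event
Ingestion Addon setup form. Added example for this page; not the addon's
own code. Hostnames and credentials below are constructed placeholders."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Example base API path from the Scripted REST APIs list on this page.
# Assumption: your instance shows the same value; copy it if it differs.
EXPECTED_ENDPOINT = "/api/sn_sec_splunk_v2/event_ingestion"


@dataclass
class InstanceConfig:
    label: str      # Workflow action label shown in Event Actions
    url: str        # instance URL as copied from the browser
    endpoint: str   # Base API path field
    username: str   # account holding sn_sec_splunk_v2.api_account_access
    password: str


def check_instance(cfg: InstanceConfig, name: str) -> List[str]:
    """Return the problems found in one form section (empty = looks sane)."""
    problems: List[str] = []
    parts = urlsplit(cfg.url.strip())
    if parts.scheme != "https":
        # Credentials travel with every request; never send them in clear.
        problems.append(f"{name}: URL must use https, got {parts.scheme!r}")
    if not parts.netloc:
        problems.append(f"{name}: URL has no host")
    if "@" in parts.netloc:
        problems.append(f"{name}: do not embed credentials in the URL")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        # The API path belongs in the Endpoint field, not the URL field.
        problems.append(f"{name}: URL must be the bare instance URL")
    if cfg.endpoint != EXPECTED_ENDPOINT:
        problems.append(f"{name}: Endpoint should be {EXPECTED_ENDPOINT}")
    if not cfg.label.strip():
        problems.append(f"{name}: Workflow action label is empty")
    if not cfg.username or not cfg.password:
        problems.append(f"{name}: username and password are required")
    return problems


def check_form(primary: InstanceConfig,
               secondary: Optional[InstanceConfig] = None) -> List[str]:
    """Validate the whole form, including cross-section consistency."""
    problems = check_instance(primary, "primary")
    if secondary is not None:
        problems += check_instance(secondary, "secondary")
        if secondary.label.strip() == primary.label.strip():
            problems.append("labels must differ so analysts can tell "
                            "production from staging in Event Actions")
        if urlsplit(secondary.url).netloc == urlsplit(primary.url).netloc:
            problems.append("secondary URL points at the primary instance")
        if secondary.endpoint != primary.endpoint:
            problems.append("secondary Endpoint must equal primary Endpoint")
    return problems


def target_url(cfg: InstanceConfig) -> str:
    """Address the addon forwards events to: instance URL + base API path."""
    return cfg.url.strip().rstrip("/") + cfg.endpoint


# Constructed sample form values (placeholders, not real instances).
PROD = InstanceConfig("Servicenow Event Ingestion (Production)",
                      "https://example-prod.service-now.com",
                      EXPECTED_ENDPOINT, "splunk_ingest_prod", "redacted")
STAGE = InstanceConfig("ServiceNow Event Ingestion (Staging)",
                       "https://example-stage.service-now.com",
                       EXPECTED_ENDPOINT, "splunk_ingest_stage", "redacted")
# A typical bad entry: http, path pasted into the URL, empty fields.
BAD = InstanceConfig("Servicenow Event Ingestion (Production)",
                     "http://example-prod.service-now.com" + EXPECTED_ENDPOINT,
                     "", "", "")

if __name__ == "__main__":
    for p in check_form(PROD, STAGE) or ["form OK"]:
        print(p)
    print(target_url(PROD))
    for p in check_form(BAD):
        print("BAD:", p)
```

      Run it with the values you intend to type before you click Save; a clean run means the fields compose to an https address ending in the base API path, with distinct labels and hosts for the two instances. It does not test the credentials themselves, which you still verify by forwarding a test event.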

    What to do next

    If you have not already saved searches in your Splunk Enterprise console, the next step is to save searches as alerts in your Splunk Enterprise console.