Splunk TCP integration configuration fields

  • Release version: Xanadu
  • Updated April 7, 2025

    Description of the fields on the Splunk TCP integration configuration forms for Health Log Analytics.

    Table 1. Provide details

    Integration Name
        Unique name of this integration. For example: My Splunk TCP integration. This field is required.
        Note: When you fill in this field, the generic name displayed on the form adjusts automatically to match the name you entered.

    MID server name
        MID Server that receives the log data streamed from Splunk. This field is required.
        Note:
        • You can select only MID Servers that support basic authentication. MID Servers that support mTLS are not listed.
        • The default maximum number of data inputs streaming logs to a single MID Server is 10. You can modify this number in the MID Server properties.
        • If log ingestion is not enabled for the selected MID Server, Health Log Analytics enables it automatically.

    Port
        The TCP port on which the MID Server listens for log data from Splunk. This field is required.
        Make sure that your organization's security team opens the selected port on the MID Server, and limits inbound access to it to the Splunk forwarders that send to this integration.

    Description
        Option to add a brief description of the integration to help identify it.

    Transport
        The protocol used for streaming log messages to your ServiceNow instance: TCP. This field is read-only.

    Use Cooked Data
        Option to ingest log data from Splunk in the preprocessed ("cooked") format that Splunk uses on the forwarder.
        Ingesting data into HLA in this format ensures that each log line retains the contextual information (such as the source, sourcetype and host) that Splunk embeds into it.

    Table 2. Advanced settings

    Use SSL/TLS
        Option to encrypt the connection between the Splunk forwarder and the MID Server with SSL/TLS, so that log data does not cross the network in clear text.
        Note: SSL/TLS must be enabled if you want to send logs in a compressed format.

    Lookup hostnames
        Option to perform a DNS lookup to resolve IP addresses to hostnames. The default value is false. Each lookup is an extra DNS query, so leave this disabled if DNS is slow or unreliable from the MID Server.

    Use Forwarder TimeZone
        Option to pass information about the time zone in which the forwarder is located. The MID Server uses this information to adjust for the time zone from which the logs arrive.
        This option is displayed only when Use Cooked Data is selected. It is relevant when using Splunk Universal Forwarders.

    Enable Compression
        Option to send logs in compressed format. Compression reduces the amount of data transferred, which matters for large log volumes; the forwarder must be configured to compress its output as well.
        This option is displayed only when both Use Cooked Data and Use SSL/TLS are selected. It is relevant when using Splunk Universal Forwarders.

    Sub sample drop ratio
        The ratio of logs to drop. The default value is -1: sub-sampling is disabled and no logs are dropped.
        For example: to drop one out of every five logs, set the value to 5.

    Sub sample receive ratio
        The ratio of logs to receive. The default value is -1: sub-sampling is disabled and all logs are received.
        For example: to receive only one out of every five logs (and drop the other four), set the value to 5.

    Max length in bytes
        The maximum length of a log message in bytes. The default value is 32766.

    Character encoding
        The character encoding of the incoming log data. The default is UTF-8.

    Boss thread count
        The number of threads that accept and manage connections.

    Worker thread count
        The number of threads that handle incoming data on accepted connections.

    Read timeout seconds
        The timeout in seconds since the last read on a connection. When the timeout expires, the system closes the channel.

    Default timezone
        The time zone that the system applies to events whose log lines do not specify one. The default is GMT; you can specify a different time zone.

    Drop if queue is full
        Option to discard incoming logs when the MID Server's ingestion queue is full because of load on the MID Server. Logs discarded this way are lost, so leave this disabled for sources where a complete record matters more than MID Server responsiveness.
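The dependencies between the advanced settings (Enable Compression needs Use SSL/TLS and Use Cooked Data, Use Forwarder TimeZone needs Use Cooked Data, a ratio of -1 disables sub-sampling) and the requirement that the Splunk forwarder is configured to match are easy to get wrong when integrations are created by script. The following Python is an added example, not ServiceNow or Splunk code: it checks a proposed configuration against those rules and then renders the outputs.conf stanza a Universal Forwarder would need to talk to the MID Server port. The dictionary keys, the output group name hla_mid, the MID Server hostname and the CA file path are this example's own assumptions. sendCookedData, compressed, useSSL, sslRootCAPath and sslVerifyServerCert are real outputs.conf settings, but check the outputs.conf.spec for your forwarder version: older forwarders enable TLS by setting clientCert rather than useSSL.

```python
"""Pre-flight check for an HLA Splunk TCP integration, plus the matching
Splunk forwarder outputs.conf stanza. Added example; not ServiceNow or Splunk
code. Dictionary keys are this example's names for the form fields, not
ServiceNow API field names."""
import codecs
import zoneinfo

# Defaults taken from the field descriptions on the page.
DEFAULTS = {
    "use_ssl_tls": False,
    "lookup_hostnames": False,
    "use_cooked_data": False,
    "use_forwarder_timezone": False,
    "enable_compression": False,
    "sub_sample_drop_ratio": -1,
    "sub_sample_receive_ratio": -1,
    "max_length_bytes": 32766,
    "character_encoding": "UTF-8",
    "default_timezone": "GMT",
    "drop_if_queue_full": False,
}


def _ratio_ok(value):
    # -1 disables sub-sampling; otherwise "one in N", so N must be a positive int.
    return isinstance(value, int) and not isinstance(value, bool) and (value == -1 or value >= 1)


def check_integration(cfg):
    """Return (errors, warnings). Errors are combinations that cannot work;
    warnings are valid choices with a security or data-loss cost."""
    s = {**DEFAULTS, **cfg}
    errors, warnings = [], []

    for key in ("integration_name", "mid_server", "port"):
        if not s.get(key):
            errors.append(f"{key} is required")
    port = s.get("port")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        errors.append("port must be an integer in 1..65535")

    # Dependencies between advanced settings, as described on the page.
    if s["enable_compression"] and not (s["use_ssl_tls"] and s["use_cooked_data"]):
        errors.append("Enable Compression requires Use SSL/TLS and Use Cooked Data")
    if s["use_forwarder_timezone"] and not s["use_cooked_data"]:
        errors.append("Use Forwarder TimeZone requires Use Cooked Data")

    for key in ("sub_sample_drop_ratio", "sub_sample_receive_ratio"):
        if not _ratio_ok(s[key]):
            errors.append(f"{key} must be -1 (disabled) or a positive integer N (one in N)")
    if s["sub_sample_drop_ratio"] != -1 and s["sub_sample_receive_ratio"] != -1:
        warnings.append("both sub-sample ratios are set; the page documents each only on its own")

    if not (isinstance(s["max_length_bytes"], int) and s["max_length_bytes"] > 0):
        errors.append("max_length_bytes must be a positive integer")
    try:
        codecs.lookup(s["character_encoding"])
    except LookupError:
        errors.append(f"unknown character encoding {s['character_encoding']!r}")
    zones = zoneinfo.available_timezones()  # empty if this host has no tzdata; then skip
    if zones and s["default_timezone"] not in zones:
        errors.append(f"unknown default timezone {s['default_timezone']!r}")

    if not s["use_ssl_tls"]:
        warnings.append("Use SSL/TLS is off: log data crosses the network in clear text")
    if s["drop_if_queue_full"]:
        warnings.append("Drop if queue is full silently discards logs under load")
    if s["lookup_hostnames"]:
        warnings.append("Lookup hostnames adds a DNS query per connection")
    return errors, warnings


def render_outputs_conf(cfg, mid_host, ca_path="/opt/splunkforwarder/etc/auth/hla-ca.pem"):
    """Render the outputs.conf stanza a Universal Forwarder needs to match the
    integration. Raises ValueError if check_integration reports errors.
    The group name 'hla_mid', mid_host and ca_path are placeholders."""
    errors, _ = check_integration(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    s = {**DEFAULTS, **cfg}
    lines = [
        "[tcpout]",
        "defaultGroup = hla_mid",
        "",
        "[tcpout:hla_mid]",
        f"server = {mid_host}:{s['port']}",
        # Both sides must agree on cooked data and compression.
        f"sendCookedData = {str(s['use_cooked_data']).lower()}",
        f"compressed = {str(s['enable_compression']).lower()}",
    ]
    if s["use_ssl_tls"]:
        lines += [
            "useSSL = true",
            f"sslRootCAPath = {ca_path}",
            "sslVerifyServerCert = true",  # trust only the CA that issued the MID Server's cert
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: TLS + cooked + compressed on port 9997.
    proposed = {"integration_name": "My Splunk TCP integration", "mid_server": "mid01",
                "port": 9997, "use_ssl_tls": True, "use_cooked_data": True,
                "enable_compression": True}
    print(check_integration(proposed))
    print(render_outputs_conf(proposed, "mid01.example.com"))
```

Run it with the settings you intend to save: an empty error list means the form's dependency rules are satisfied and the rendered stanza matches them. With sslVerifyServerCert set, the MID Server must present a certificate chaining to the CA file at ca_path, otherwise the forwarder will refuse the connection rather than fall back to clear text.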