Setup ServiceNow Security Operations Event Ingestion Addon for Splunk ES

  • Release version: Xanadu
  • Updated September 23, 2025
  • 4 minutes to read

    • The ServiceNow Security Operations Event Ingestion Add-on for Splunk ES enables seamless integration between Splunk and ServiceNow Security Operations, allowing you to send security-related events from Splunk to ServiceNow security incident. For detailed instructions on downloading and installing the Addon, follow the steps outlined in this guide.

    Before you begin

    Verify that you have installed the application for this integration from the ServiceNow Store prior to installing the addon plugin from splunkbase that is required for manual event ingestion. If you have not installed the application for the integration from the ServiceNow Store, see Install and configure the ServiceNow application for the Splunk Enterprise Event Ingestion integration and follow the instructions to install it.

    Role required: ServiceNow AI Platform administrator (admin)

    About this task

    Important:

    Create a Manual event forwarding profile to forward events on-demand from your Splunk Enterprise Security console to create a Security Incident Response (SIR) on the ServiceNow instance. For more information, see Create and name an event profile for the Splunk Enterprise Event Ingestion integration.

    This add-on setup is necessary to enable manual event forwarding for the Splunk profile. Up to two configurations can be created for a particular add-on. (Splunk Primary and Splunk Secondary)

    For manual event forwarding, you can identify up to two different ServiceNow AI Platform endpoints (instances) in your Splunk Enterprise console. You forward the events to the endpoint or endpoints manually to create security incidents. For example, you can specify both a staging (development) instance and a production instance. By specifying separate instances and naming primary and secondary workflows for each instance, you can choose where you want to forward different events.

    Procedure

    1. If you have not already installed the ServiceNow Security Operations Event Ingestion Add-on for Splunk ES, follow these steps to install and configure it.
      1. Download the ServiceNow Security Operations Event Ingestion Add-on for Splunk ES from Splunkbase.
      2. If prompted, restart the Splunk Enterprise.
        The ServiceNow Security Operations Event Ingestion Add-on for Splunk ES is installed in your Splunk Enterprise enterprise console. The next step is to set up the Add-on.
    2. To set up the Add-on, follow these steps.
      1. In the Splunk Enterprise, select Manage Apps gear icon on the menu drop-down list.
      2. In the list of applications, search for ServiceNow apps using the filter.
      3. Look for the ServiceNow Security Operations Event Ingestion Add-on for Splunk ES, and select the corresponding Set up action.
        The ServiceNow Security Operations Event Ingestion Add-on for Splunk ES is configured into three different tabs.
        • Splunk Primary: The default or primary Splunk configuration.
        • Splunk Secondary: (Optional) The backup or second Splunk configuration.
        • Logging Level: The level of reporting logs generated by the integration, meaning the name of the type of information.
      4. Select the Splunk Primary tab.
      5. On the form, fill in the fields.
        Table 1. Splunk Primary
        Field Description
        Workflow action label Name of the instance.

        This will be an action in the drop-down of the Event Actions in Enterprise Security.
        URL URL of the ServiceNow instance you entered in the preceding workflow action label field.
        Endpoint Base API path.

        Default for this field is: /api/sn_sec_splunkes/notable_event_ingestion.
        Auth type Authentication method to be used for API requests. The available options include:
        • Basic Authentication: Uses username and password to authenticate requests.
        • OAuth 2.0 Authentication: Uses access tokens to authenticate requests.
        Basic Authentication
        Username Username of the user.

        User with the (sn_sec_splunkes.api_account_access) role should be present in the instance specified in the preceding URL field for manual event forwarding.

        For more information about assigning this role, see Set up your ServiceNow AI Platform instance for the Splunk Enterprise Event Ingestion integration.
        Password Password of the user.

        User with the (sn_sec_splunkes.api_account_access) role should be present in the instance specified in the preceding URL field for manual event forwarding.
        Confirm Password Re enter the password to confirm it.
        OAuth 2.0 Authentication
        Client Id Client ID of the app created in the ServiceNow instance.

        For information on how to get the Client ID, see Configure Application Registry on the ServiceNow instance.
        Client Secret Client Secret of the app created in the ServiceNow instance.

        For information on how to get the Client Secret, see Configure Application Registry on the ServiceNow instance.
        Redirect URL

        Copy and paste this URL in the redirect URL field of the Application Registries record.
      6. Select Save.
      7. Select the Splunk Secondary tab.
      8. On the form, fill in the fields.
        Fields are same as in the Splunk Primary tab.
      9. Select Save.
        Note:
        Up to two configurations can be created for a particular add-on.(Basic Authentication and another OAuth 2.0 Authentication)
      10. Select the Logging Level tab.
      11. On the form, fill in the fields.
        Table 2. Logging level
        Field Description
        Log Level The level of reporting logs generated by the integration, meaning the name of the type of information. You can also update the value to the following options:
        • info
        • error
        • warn
        • debug

        By default, the value is info.
      12. Select Save.

    What to do next

    Using ServiceNow Security Operations Event Ingestion Add-on for Splunk ES