Splunk Polling data input configuration fields

  • Release version: Zurich
  • Updated July 31, 2025

    Description of the fields on the Splunk Polling data input configuration form.

    Basic configuration

Table 1. Getting Started tab

Name
    Name of the new data input. This field is required.

Description
    Description of the data input.

Execute on
    Option to select whether to use a specific MID Server or a MID Server cluster. This field is required.

MID Server
    (Only when the Execute on field is set to Specific MID Server.)

    The MID Server to which the logs are streamed.

    This field is required.

MID Server Cluster
    (Only when the Execute on field is set to Specific MID Server cluster.)

    The MID Server cluster that pulls the log data. This field is required.

    The data input runs on a single MID Server in the cluster until that MID Server fails. The system then moves all the data input tasks to the next available MID Server in the cluster, according to the configured order.

    Note:
    • Health Log Analytics supports only failover MID Server clusters. In these clusters, multiple MID Servers are grouped together for failover protection. When selecting a cluster from the data input or integration form, the MID Server clusters list displays only failover clusters.
    • The MID Server cluster must include only MID Servers that support basic authentication. mTLS is not supported for log ingestion.
    • Log ingestion must be enabled for each MID Server in the cluster. If log ingestion is not enabled for the active MID Server, Health Log Analytics enables it automatically.
    • The default maximum number of data inputs or integrations streaming logs to a single MID Server is 10. A cluster passes capacity validation if it contains at least one MID Server with fewer than 10 data inputs or integrations running on it, even when that MID Server is down.

    For more information about MID Server clusters, see Configure a MID Server cluster.

Service instance
    The service instance to which to bind the log data. This field is required.

    Note: If no relevant service instance exists, create a service instance and add CIs to it. Set the status of the new service instance to Operational.

Transport
    The protocol used for streaming log messages to your ServiceNow instance.

Sources count
    The number of log sources this data input has created.

Status
    Status of the data input.

Disabled since
    The time when the data input stopped or failed.

Last log time
    The time when the last log streamed in the data input.
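The cluster rules in Table 1 (failover clusters only, basic-auth-only members, the default limit of 10 data inputs or integrations per MID Server, capacity validation that counts a member even when it is down, and automatic enabling of log ingestion on the active MID Server) are easy to misread, so here is a small model of them. This is an added example with constructed sample clusters, not ServiceNow's validation code; the MidServer fields and the function names are assumptions. It also surfaces the caveat a practitioner cares about: validation can pass while every MID Server that is actually running is already at its limit.

```python
"""Model of the failover MID Server cluster rules for a Health Log Analytics data input.

Added example, not ServiceNow code. MidServer attributes and sample data are constructed.
"""
from dataclasses import dataclass, replace

DEFAULT_MAX_INPUTS_PER_MID = 10  # default per-MID-Server limit stated in the Note


@dataclass(frozen=True)
class MidServer:
    name: str
    order: int                  # position in the configured failover order
    up: bool                    # is the MID Server currently running?
    supports_basic_auth: bool   # False models an mTLS-only MID Server
    log_ingestion_enabled: bool
    running_inputs: int         # data inputs or integrations already streaming to it


def cluster_problems(cluster, is_failover_cluster=True, max_inputs=DEFAULT_MAX_INPUTS_PER_MID):
    """Reasons the cluster cannot be selected on the form; an empty list means it is eligible."""
    problems = []
    if not is_failover_cluster:
        problems.append("only failover MID Server clusters are supported")
    for mid in cluster:
        if not mid.supports_basic_auth:
            problems.append(f"{mid.name} does not support basic authentication "
                            "(mTLS is not supported for log ingestion)")
    # Capacity validation exactly as described: any member below the limit counts, even a down one.
    if not any(m.running_inputs < max_inputs for m in cluster):
        problems.append(f"every MID Server already runs {max_inputs} or more data inputs or integrations")
    return problems


def active_mid_server(cluster):
    """The data input runs on the first running MID Server in the configured order."""
    for mid in sorted(cluster, key=lambda m: m.order):
        if mid.up:
            return mid
    return None


def plan_data_input(cluster, is_failover_cluster=True, max_inputs=DEFAULT_MAX_INPUTS_PER_MID):
    """Decide eligibility, pick the active MID Server, and flag what validation does not catch."""
    problems = cluster_problems(cluster, is_failover_cluster, max_inputs)
    if problems:
        return {"eligible": False, "problems": problems, "active": None,
                "enable_log_ingestion_on": None, "warnings": []}
    active = active_mid_server(cluster)
    warnings = []
    if active is None:
        warnings.append("no MID Server in the cluster is up")
    else:
        running = [m for m in cluster if m.up]
        if all(m.running_inputs >= max_inputs for m in running):
            warnings.append("capacity validation passed, but every running MID Server is at its limit")
    # Health Log Analytics enables log ingestion on the active MID Server if it is off.
    enable_on = active.name if active and not active.log_ingestion_enabled else None
    return {"eligible": True, "problems": [], "active": active.name if active else None,
            "enable_log_ingestion_on": enable_on, "warnings": warnings}


def failover(cluster, failed_name):
    """Name of the MID Server that takes over after failed_name goes down (None if none is up)."""
    survivors = [replace(m, up=False) if m.name == failed_name else m for m in cluster]
    nxt = active_mid_server(survivors)
    return nxt.name if nxt else None


# Constructed sample clusters
SAMPLE_CLUSTER = [
    MidServer("mid-a", order=1, up=True, supports_basic_auth=True, log_ingestion_enabled=False, running_inputs=10),
    MidServer("mid-b", order=2, up=False, supports_basic_auth=True, log_ingestion_enabled=True, running_inputs=3),
    MidServer("mid-c", order=3, up=True, supports_basic_auth=True, log_ingestion_enabled=True, running_inputs=10),
]
MTLS_CLUSTER = [
    MidServer("mid-x", order=1, up=True, supports_basic_auth=False, log_ingestion_enabled=True, running_inputs=0),
    MidServer("mid-y", order=2, up=True, supports_basic_auth=True, log_ingestion_enabled=True, running_inputs=0),
]

if __name__ == "__main__":
    print(plan_data_input(SAMPLE_CLUSTER))
    print("after mid-a fails, active becomes:", failover(SAMPLE_CLUSTER, "mid-a"))
    print(plan_data_input(MTLS_CLUSTER))
```

In the sample cluster only the down member mid-b has spare capacity, so the cluster passes validation and the input starts on mid-a (with log ingestion switched on automatically), but the warning shows that a failover would land on another MID Server that is already at its limit.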

    Advanced configuration

Table 2. Transport tab

Server URL
    The URL used to access the Splunk REST API.

Query
    The query Splunk uses to search your data.

Authentication Type
    The authentication type.
    • Basic authentication: Sends a username and password with each HTTP request. Basic authentication is simpler than token-based authentication, but less secure.
    • Token authentication: The client obtains a token from an authentication server and uses that token to authenticate against Splunk.

Splunk Poll Credential Alias
    The credential alias to be used.

    Specify a Splunk Poll credential alias by selecting the magnifying glass icon and then either selecting an existing credential alias from the Connection & Credential Aliases list, or selecting New to create a new record. The selected credential alias can hold one Basic Auth credential and one Token Auth credential.

    For information about creating a credential alias, see Credential aliases for Discovery.

From
    The date and time from which Splunk searches the data.

To
    The date and time until which Splunk searches the data.
Table 3. Advanced tab

Max documents per query
    The maximum number of documents retrieved each time log data is fetched from Splunk. Default: 10,000.

Splunk request timeout (seconds)
    The maximum time, in seconds, allowed for data retrieval before the request times out.
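To make the Transport and Advanced tab fields concrete, the following added example shows what one poll looks like on the wire: how Server URL, Query, From/To, Max documents per query and Splunk request timeout become a request to the Splunk REST API, and how the two authentication types differ in the Authorization header. It is not the MID Server's code and it sends nothing. The endpoint path and parameter names (/services/search/jobs/export, search, earliest_time, latest_time, output_mode, max_count) are Splunk's REST API as I know it; that the MID Server uses exactly this endpoint is an assumption, as are the host name, credentials and the constructed export output.

```python
"""Build and decode the Splunk REST search request implied by a polling data input.

Added example, not ServiceNow or Splunk code. Nothing is sent over the network.
"""
import base64
import json
import urllib.parse

# Assumption: the search export endpoint of the Splunk REST API.
SEARCH_EXPORT_PATH = "/services/search/jobs/export"


def auth_header(auth_type, credential):
    """Authentication Type -> HTTP Authorization header.

    Basic auth repeats the username and password on every request (base64 is encoding,
    not encryption); a token can be scoped and revoked without touching the password,
    which is why the form describes basic auth as the less secure option."""
    if auth_type == "basic":
        raw = f"{credential['username']}:{credential['password']}".encode()
        return "Basic " + base64.b64encode(raw).decode()
    if auth_type == "token":
        return "Bearer " + credential["token"]
    raise ValueError(f"unknown authentication type: {auth_type}")


def validate_server_url(server_url):
    """Problems with the Server URL field; the credential rides in a header, so insist on HTTPS."""
    parsed = urllib.parse.urlparse(server_url)
    problems = []
    if parsed.scheme != "https":
        problems.append("Server URL must use https")
    if not parsed.netloc:
        problems.append("Server URL has no host")
    return problems


def normalize_query(query):
    """The REST API expects a search string that starts with 'search' or a generating '|' command."""
    q = query.strip()
    return q if q.startswith("search ") or q.startswith("|") else "search " + q


def build_search_request(server_url, query, auth_type, credential, earliest, latest,
                         max_documents=10000, timeout_seconds=60):
    """Return the URL, headers, form parameters and client timeout for one poll."""
    problems = validate_server_url(server_url)
    if problems:
        raise ValueError("; ".join(problems))
    if max_documents <= 0 or timeout_seconds <= 0:
        raise ValueError("max documents and timeout must be positive")
    params = {
        "search": normalize_query(query),
        "earliest_time": earliest,          # From
        "latest_time": latest,              # To
        "output_mode": "json",
        "max_count": str(max_documents),    # Max documents per query
    }
    return {
        "method": "POST",
        "url": server_url.rstrip("/") + SEARCH_EXPORT_PATH,
        "headers": {"Authorization": auth_header(auth_type, credential)},
        "params": params,
        "body": urllib.parse.urlencode(params),
        "timeout": float(timeout_seconds),  # Splunk request timeout (seconds)
    }


def parse_export_results(text, max_documents):
    """The export endpoint streams one JSON object per line; keep final 'result' rows,
    skip preview rows, and stop at the document limit even if Splunk sends more."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        results.append(obj["result"])
        if len(results) >= max_documents:
            break
    return results


# Constructed sample export output: one preview row followed by three final rows.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"preview": True, "result": {"_raw": "partial"}}),
    json.dumps({"preview": False, "result": {"_time": "2025-07-31T10:00:00+00:00", "_raw": "GET /login 200"}}),
    json.dumps({"preview": False, "result": {"_time": "2025-07-31T10:00:01+00:00", "_raw": "POST /login 401"}}),
    json.dumps({"preview": False, "result": {"_time": "2025-07-31T10:00:02+00:00", "_raw": "GET /admin 403"}}),
])

if __name__ == "__main__":
    req = build_search_request("https://splunk.example.com:8089", "index=app sourcetype=nginx",
                               "token", {"token": "EXAMPLE_TOKEN"}, "-15m", "now",
                               max_documents=2, timeout_seconds=30)
    print(req["url"], req["headers"], req["body"], req["timeout"])
    print(parse_export_results(SAMPLE_EXPORT, max_documents=2))
```

The `max_count` form parameter and the client-side cut-off in parse_export_results both enforce the Max documents per query field; keeping the second one is what protects the poller when the server ignores or caps the first differently.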