Splunk data input configuration fields
Summarize
Summary of Splunk data input configuration fields
This document details the configuration fields available for setting up Splunk data inputs within ServiceNow, specifically for the Zurich release. It explains the required and optional parameters on both the basic and advanced configuration forms that enable efficient log data streaming from Splunk to ServiceNow via a MID Server.
Show less
Basic configuration
- Data input name: Required field to name the new data input.
- Description: Optional description of the data input.
- MID Server: Required selection of a MID Server that supports basic authentication (mTLS-enabled servers are excluded). The default limit is 10 data inputs per MID Server, adjustable in MID Server properties.
- Port: Required port number on the MID Server. Coordination with your security team is necessary to ensure the port is open.
- Transport Protocol: Choose between TCP (default, ensures delivery but risks blocking if MID Server is down) and UDP (avoids blocking but may drop logs).
- Use Cooked Data: Option to ingest preprocessed ("cooked") Splunk log data, preserving embedded contextual information without requiring manual prop edits.
- Use Forwarder TimeZone: When enabled, adjusts log timestamps based on the forwarder's timezone; relevant for Splunk Universal Forwarders.
- Enable Compression: Compresses log data to reduce transfer size; requires SSL/TLS and applies to Universal Forwarders.
Advanced configuration
The advanced form allows fine-tuning of the data input with parameters including:
- Use SSL/TLS: Option to secure data transfer; mandatory for compression.
- Look up hostnames: Option to resolve IP addresses to hostnames via DNS (default is false).
- Boss thread count: Number of threads managing connections (default 1).
- Worker thread count: Number of threads handling incoming data (default 4).
- Read timeout seconds: Channel closure timeout after inactivity (default 30 seconds).
- Default timezone: Timezone used if event logs lack timezone info (default GMT).
- Sub sample drop ratio and receive ratio: Controls sampling of logs; defaults set to -1 (no sampling).
- Max length in bytes: Maximum size of individual log messages (default 32766 bytes).
- Character encoding: Encoding of data input, default UTF-8.
- Drop if queue is full: Option to discard logs when MID Server load is high to prevent overload.
Practical benefits for ServiceNow customers
Configuring these fields correctly enables ServiceNow to efficiently ingest and process Splunk log data through MID Servers, balancing reliability, performance, and security considerations. Understanding protocol choices, compression, and timezone handling helps optimize log data streaming according to organizational needs. Advanced thread and timeout settings offer scalability and stability under varying load conditions.
Description of the fields on the Splunk data input configuration form.
Basic configuration
| Field | Description |
|---|---|
| Data input name | Name of the new data input. This field is required. |
| Description | Description of the data input. |
| MID Server | The MID Server to which the logs stream. Note: This field is required.
|
| Port | The port for the MID Server. Make sure that your organization’s security team opens the selected port in the MID Server. This field is required. |
| Transport Protocol | The protocol used for streaming log messages to your ServiceNow instance.
For more information about streaming log data using the TCP or UCP transport protocol, see the Streaming Splunk data using Heavy Forwarder: Selecting TCP or UDP [KB0998928] article in the Now Support Knowledge Base. |
| Use Cooked Data | Option to ingest log data from Splunk in the preprocessed ("cooked") format that Splunk uses on the forwarder. Ingesting data into HLA in this format ensures that each log line retains the relevant contextual information that Splunk embeds into it. Note: If you select this option, there is no need to edit the props.conf and transforms.conf files during Splunk data input
configuration. |
| Use Forwarder TimeZone | Option to pass information about the time zone in which the forwarder is located. The MID Server uses this information to adjust for the time zone from which the logs arrive. This option is relevant when using Splunk Universal Forwarders. |
| Enable Compression | Option to send logs in compressed format. Sending logs in a compressed format minimizes the size of the data being transferred, which is important when dealing with large volumes of log data. This option is relevant when using Splunk Universal Forwarders and can only be used when SSL/TLS is enabled. |
Advanced configuration
| Field | Description | Default values |
|---|---|---|
| Use SSL/TLS | Option for selecting to use SSL/TLS. Note: To send logs in a compressed format, SSL/TLS must be
enabled. |
|
| Look up hostnames | Option for selecting to perform DNS lookup to resolve IPs to hostnames. | false |
| Boss thread count | The number of threads that manage connections. | 1 |
| Worker thread count | The number of threads that handle incoming data. | 4 |
| Read timeout seconds | The timeout in seconds since the last read. When the timeout expires, the system closes the channel. | 30 |
| Default timezone | The default time zone of events. The system uses this default when the log does not specify a time zone. | GMT |
| Sub sample drop ratio | The ratio of events to drop. | -1 |
| Sub sample receive ratio | The ratio of events to receive. | -1 |
| Max length in bytes | The maximum length of log messages in bytes. | 32766 |
| Character encoding | The character encoding for this data input. | UTF-8 |
| Drop if queue is full | Option for selecting to discard logs if there is a load on the MID Server. |