Install and configure Splunk Enterprise Security Notable Event Ingestion integration

  Release version: Zurich
  Updated July 31, 2025

  Install and configure the Splunk Enterprise Security Notable Event Ingestion integration for the Security Operations application from the ServiceNow Store on your ServiceNow AI Platform® instance.

    Before you begin

    Role required: ess_analyst

    Assign a Security Analyst (ess_analyst) user role in Splunk ES to perform all integration-related activities on the Splunk server.

    Procedure

    1. If you have not installed the Splunk Enterprise Security Event Ingestion application from the ServiceNow Store for the integration, see Install a Security Operations integration and follow the steps to install it.
    2. After you have successfully installed the application, navigate to All > Security Operations > Integrations > Integration Configurations.
    3. Search for the Splunk Enterprise Security - Event Ingestion tile, and select Configure.
    4. On the form, fill in the fields.
      Fields on the form and their descriptions:

      Name
        Name of the Splunk Enterprise Security console or Splunk Cloud instance used for the integration. Spaces are supported in names, but parentheses are not. For example, enter SplunkES2.

      Splunk API Base URL
        URL for your Splunk Enterprise Security console or Splunk Cloud instance. The URL should include the API port, for example: https://mysplunkserver.com:8089

      Basic Authentication
        Default is disabled. If you are using API Account User Name and API Password for configuration, select the check box.

      API Account User Name
        User name that you created for your API user account on the Splunk Enterprise Security console.

      API Password
        Password that you created for your API user account on the Splunk Enterprise Security console.

      Token Based (available from version 12.0.0)
        Token that you created for your API user account on the Splunk Enterprise Security console.

      Token
        Token that you created for your API user account on the Splunk Enterprise Security console.

      On Premises Deployment
        Default is disabled. If you are using an on-premises version of Splunk Enterprise Security, verify that this check box is selected.

      MID Server
        Option to choose a particular MID Server in your environment, which this integration uses to pull notable events into ServiceNow. You can select a specific MID Server from the list, or select Any to auto-select a valid MID Server from the list for this integration.
        Note:
        • The MID Server selected during configuration applies throughout this integration.
        • Only MID Servers that are active and validated are displayed in this list. By default, the value is set to Any.
        For example, suppose there are three MID Servers, A, B, and C. If you select Any, one of these MID Servers is auto-selected and applies throughout this integration. If you select a specific MID Server, say C, then MID Server C applies throughout this integration.
        If you want to change the MID Server, reconfigure it from the App Configuration tile.

      Each Splunk Enterprise Security notable event type that you ingest from your Splunk Enterprise Security incident review console requires a unique event profile in your ServiceNow AI Platform® instance. However, the source that you configure on the Event Ingestion Configuration form can be reused for multiple ServiceNow AI Platform® profiles as long as each profile ingests unique notable event types.

    5. Select Submit.
      The configured integration tile displays.
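Before submitting the form, it is worth confirming that the values you are about to enter satisfy the form's constraints and that the chosen authentication mode is actually accepted by Splunk. The following preflight script is an added example, not code from ServiceNow or Splunk: it checks the Name and Splunk API Base URL rules stated above, builds the Authorization header that the Basic Authentication and Token settings correspond to, and optionally calls Splunk's management API (the `/services/authentication/current-context` endpoint, on the same base URL and port used in the tile) to report which user the credentials resolve to. The user name, password and token values are placeholders; run the connectivity check from the MID Server host when On Premises Deployment is enabled, since that host is the one that will reach Splunk.

```python
import base64
import json
import urllib.request
from urllib.parse import urlparse

# Management endpoint that reports the authenticated user; a cheap way to
# prove the credentials the integration tile will use are accepted by Splunk.
CONTEXT_PATH = "/services/authentication/current-context?output_mode=json"


def validate_form(name, base_url):
    """Apply the Name and Splunk API Base URL constraints from the form."""
    errors = []
    if "(" in name or ")" in name:
        errors.append("Name must not contain parentheses")
    parsed = urlparse(base_url)
    if parsed.scheme != "https":
        errors.append("Splunk API Base URL should use https")
    if parsed.port is None:
        errors.append("Splunk API Base URL must include the API port, e.g. :8089")
    return errors


def auth_header(basic_auth, username="", password="", token=""):
    """Build the Authorization header that the two form auth modes map to."""
    if basic_auth:
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        return {"Authorization": f"Basic {creds}"}
    if not token:
        raise ValueError("Token is required when Basic Authentication is disabled")
    return {"Authorization": f"Bearer {token}"}


def check_credentials(base_url, headers, timeout=10):
    """Call Splunk over TLS (certificate verified) and return the user name
    Splunk reports for these credentials; raises on HTTP or network errors."""
    req = urllib.request.Request(base_url.rstrip("/") + CONTEXT_PATH, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = json.load(resp)
    return body["entry"][0]["content"]["username"]


if __name__ == "__main__":
    # Placeholder values; replace with the ones you plan to enter on the form.
    name, base_url = "SplunkES2", "https://mysplunkserver.com:8089"
    problems = validate_form(name, base_url)
    if problems:
        raise SystemExit("Form values rejected: " + "; ".join(problems))
    headers = auth_header(basic_auth=False, token="REPLACE_WITH_SPLUNK_TOKEN")
    print("Splunk authenticated as:", check_credentials(base_url, headers))
```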

    What to do next

    Create and name an event profile for the Splunk Enterprise Security event ingestion integration