Integrate Splunk and ServiceNow

If you were to poll the operators of today’s datacenters, they would tell you that there are two fundamental problems: not having enough information, and having too much disparate information. It is often difficult to trace the root of an enterprise-wide problem without some expertise in understanding exactly what is going on across all tiers of your technology. It is equally difficult when you’re presented with meaningless errors across these tiers and your operators must rely on previous experience, or worse, when there are multiple errors to correlate across different systems and no way of understanding the exact transactional or causal pattern of these events.

Splunk is here to bridge this fundamental gap in IT operations. The “ServiceNow Integration for Splunk Enterprise” app pushes any correlated search result to the ServiceNow platform, including the upcoming Eureka release discussed at Knowledge14.

So, what does this integration provide?

The Splunk platform combined with ServiceNow allows for operators to focus solely on the incidents which must be addressed immediately.  It also allows users to take a much deeper look into the issues, from the incident itself down to the raw logs on the systems involved.

Why would you want to integrate Splunk and ServiceNow?

Using Splunk, users can create powerful correlation rules, capable of intelligently evaluating hundreds of events across multiple domains and reflecting them as a single incident or event within ServiceNow. We’ve also prepared for ServiceNow’s Eureka release, which incorporates event management. Search results from Splunk can either produce an event or directly create an incident within ServiceNow.

As an example, this means that the previous 400 incidents that were created, one for each VM, when your storage layer had issues are now only a single incident. With the combined intelligence of each platform, operators are presented with the single causal incident to be addressed, instead of wasting hours fretting over the collateral damage.

Another great example of this would be splunking configuration information and measuring it against change tickets in ServiceNow. If there is no change record within a +/- 1 hour time frame for that CI, you’ve just caught an unauthorized change and can create an incident around it. Fun Fact: Gartner reports that >70% of business outages are due to unauthorized changes.

While many tools will claim to have effective event management, only Splunk can function as a real-time platform for all of your data. Combined with ServiceNow, modern Operations Centers and Service Desks will have the unique ability to:

– Suppress event storms: Splunk offers correlation across every layer of technology, no matter the format or the environment. Data generated across the infrastructure is stored in Splunk, and only the meaningful events are sent to ServiceNow.

– Stateful representation: The service desk will know exactly how each tier of the enterprise is functioning, and this will be reflected within the ServiceNow events and incidents. Splunk can send ‘clear’ events or update the existing incident to measure outage durations and severities, or to calculate an SLA down to the second.

– Interact with ServiceNow data: The ServiceNow Integration for Splunk Enterprise app not only pushes data into ServiceNow, it can pull that data as well, so you can further analyze your incidents, alerts and events. We’ve integrated ServiceNow data within Splunk, and I’ve detailed some of the analytics we perform internally within Splunk in an earlier post.

– Cross-launch functionality: Each entry in ServiceNow from Splunk carries a hyperlink back to the raw logs themselves, so that operators can dive deep, either resolving an issue more quickly or presenting the appropriate information for escalation. All of which reduces MTTR. Why not take it a step further and correlate configuration information within Splunk against approved change records within ServiceNow?
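The first two capabilities in that list, event-storm suppression and a stateful incident, can be shown in one small model. This is an added example, not code from the post or from the Splunk app: raw alerts are folded onto the CI at the head of their dependency chain (a CMDB-style map, constructed here), so a storm of per-VM alerts caused by one storage array becomes a single incident whose severity and affected-CI list are updated as alerts arrive, and a ‘clear’ event for the root CI closes it and records the outage duration to the second. The topology, alert data and timestamps are constructed; the severity scale follows the ServiceNow convention that a lower number is more severe.

```python
from datetime import datetime

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

# Constructed CMDB dependency map: each CI points at the upstream CI it relies on.
DEPENDS_ON = {"vm01": "san01", "vm02": "san01", "vm03": "san01", "san01": None, "web01": None}

# Constructed raw alerts in arrival order (lower severity number = more severe).
ALERTS = [
    {"_time": "2014-04-28T10:00:00", "ci": "san01", "msg": "controller failover",   "severity": 1},
    {"_time": "2014-04-28T10:00:05", "ci": "vm01",  "msg": "datastore unreachable", "severity": 3},
    {"_time": "2014-04-28T10:00:09", "ci": "vm02",  "msg": "datastore unreachable", "severity": 3},
    {"_time": "2014-04-28T10:00:20", "ci": "vm03",  "msg": "datastore unreachable", "severity": 3},
    {"_time": "2014-04-28T10:01:00", "ci": "web01", "msg": "disk 95% full",         "severity": 4},
]


def root_ci(ci):
    """Follow the dependency chain to the CI at its head (the probable cause)."""
    seen = set()
    while DEPENDS_ON.get(ci) and ci not in seen:
        seen.add(ci)
        ci = DEPENDS_ON[ci]
    return ci


class IncidentStore:
    """One incident per root-cause CI, kept current as alerts and clears arrive."""

    def __init__(self):
        self.incidents = {}  # root CI -> incident dict

    def ingest(self, alert):
        root = root_ci(alert["ci"])
        inc = self.incidents.get(root)
        if inc is None or inc["state"] == "closed":
            inc = {"cmdb_ci": root, "state": "open", "opened_at": alert["_time"],
                   "severity": alert["severity"], "affected": set(), "events": 0}
            self.incidents[root] = inc
        # Collateral alerts only widen the affected set and raise the severity;
        # they never open a second incident.
        inc["affected"].add(alert["ci"])
        inc["severity"] = min(inc["severity"], alert["severity"])
        inc["events"] += 1
        return inc

    def clear(self, ci, ts):
        """Apply a 'clear' event; closing the root CI resolves its dependents too."""
        root = root_ci(ci)
        inc = self.incidents.get(root)
        if inc is None or inc["state"] == "closed":
            return None
        inc["affected"].discard(ci)
        if ci == root:
            inc["affected"].clear()
        if not inc["affected"]:
            inc["state"] = "closed"
            inc["resolved_at"] = ts
            inc["outage_seconds"] = int((parse(ts) - parse(inc["opened_at"])).total_seconds())
        return inc


def run_storm():
    """Replay the constructed alerts, then clear the storage array."""
    store = IncidentStore()
    for alert in ALERTS:
        store.ingest(alert)
    store.clear("san01", "2014-04-28T10:12:30")
    return store


if __name__ == "__main__":
    for inc in run_storm().incidents.values():
        print(inc["cmdb_ci"], inc["state"], inc["events"], "events", inc.get("outage_seconds"))
```

Five alerts produce two incidents: one on san01 holding all four storage-related alerts at severity 1, and an unrelated one on web01. The clear for san01 closes the first with a 750-second outage while the web01 incident stays open, which is the stateful picture the service desk sees rather than a pile of identical VM tickets.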


The ‘ServiceNow Integration for Splunk Enterprise’ offers your team unlimited opportunities.  Speak to our experts and come see all of this in action at booth 129 at Knowledge14!  You don’t want to miss out folks!

Posted by Dennis Bourg