Configure Splunk TCP integrations

  • Release version: Washingtondc
  • Updated April 8, 2025

Configure an integration to stream log messages to your ServiceNow instance over the TCP transport protocol using a Splunk heavy forwarder. Health Log Analytics processes the ingested log data.

    Before you begin

    • You must have an installed and configured MID Server with the log ingestion capability enabled.

    • If the MID Server IP address is exposed by network address translation (NAT), a load balancer, or a similar device, it must have a public IP address. In the MID Server properties, add a property named mid.public_ip with the public IP address as the value. For more information, see Create a MID Server property.
    • For information about shipping your logs encrypted with SSL/TLS, see the Streaming Data With Rsyslog & Filebeat Using SSL [KB0866319] article in the Now Support Knowledge Base.
    • The MID Server must support basic authentication.
      Note:
      mTLS is not supported for log ingestion.
    • By default, a maximum of 10 integrations can stream logs to a single MID Server. You can modify the maximum number by adding the property sn.occ.log_ingestion.max_datainputs_per_mid to the MID Server and then changing the default value.

      To find out how many data inputs are streaming logs to the same MID Server, navigate to the Streaming Sources table and count the data inputs that stream to a specific MID Server.

    Role required: evt_mgmt_admin

    Procedure

    1. Navigate to Workspaces > Service Operations Workspace.
    2. From the left pane, select the Integrations Launchpad icon.
    3. In the Browse integrations tab, enter Splunk in the search field.
    4. Select the Splunk TCP integration tile.
      Note:
      If you started the integration process without meeting all the prerequisites listed in the Before you begin section, a message appears. You have the option to cancel the integration and complete the missing requirements, or continue in draft mode and fulfill them later. Keep in mind that you can only activate a configured integration when all the prerequisites are met.
    5. On the Provide details form, fill in the fields.
      For a description of the fields, see the Provide details table in Splunk TCP integration configuration fields.
    6. Optional: Select Advanced settings and fill in the advanced configuration fields.
      For a description of the fields, see the Advanced settings table in Splunk TCP integration configuration fields.
    7. Select Next.
    8. Follow the procedure on the Set-up instruction screen to install the integration in the third-party console.
      Note:
      The procedure varies based on your configurations.
    9. Select Save.
    10. Select Activate to activate the integration.
      Note:
      You can only activate a configured integration when you have fulfilled all the prerequisites listed in the Before you begin section.
      The integration is activated and the Overview tab is displayed.
    11. Optional: If you installed the integration in draft mode, perform these steps to activate it:
      1. Complete the integration prerequisites.
      2. In the Integrations Launchpad Installed integrations tab, under Waiting for your action, locate and select the integration.
      3. On the Set-up instruction tab, select Activate to activate the integration.

    Result

    Log data starts streaming to your ServiceNow instance. The tile for the integration is available in the Installed integrations tab on the Integrations Launchpad.

    Users with the evt_mgmt_user role can use Event Management to monitor the logs and view the alerts that Health Log Analytics generates from them.

    What to do next

    Review the log data streaming status and sources of the integration on the Overview tab. Leverage the displayed information to refine how HLA reads the log data by adjusting your integration configuration. For more information, see Review log data streaming status and sources of an integration.
    Note:
    You can go directly from this tab to the Data Input Mapping, Source Type Structures, and Log Sources pages with context from the integration. If the log data is not properly mapped, structured, or sourced, you can go back and adjust the configuration of the integration.
    1. Select the View menu icon.
    2. Choose the appropriate menu option.
    3. Review the displayed information.
    4. Adjust the integration configuration if needed.