Select scheduled alerts for the Splunk Enterprise Event Ingestion integration

  • Release version: Australia
  • Updated Mar 12, 2026
  • 2 min read

    After you have created a profile for a scheduled alert, select a Splunk alert for this profile that you want to map to a ServiceNow AI Platform Security Incident Response security incident.

    Before You Begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    About This Task

    View the available alerts in your ServiceNow AI Platform instance so you know which field values are available for mapping. Select an alert to verify that you receive the expected results on the basic form layout before you map the values to fields on SIR security incidents. You can only select one alert from the list in this form.

    Procedure

    1. If the Alert Selection page is not displayed, select it on the progress bar to display it.
      By default, the core Search & Reporting App is selected.
    2. If the alert to be ingested is part of a different Splunk app, select Splunk App Selection and choose your Splunk app from the Selected App list.
    3. From the Alert List, choose an alert and move it from the Available column to the Selected column.
      You can also choose multiple alerts. If the alerts are selected as part of a single profile, then the alerts will have common field mappings and profile settings.

      The list of alerts on this form matches the list of alerts in your Splunk console. Up to 500 alerts are displayed on this form. If there are more than 500 alerts listed in your Splunk console on the Alerts page, only the first 500 alerts are displayed on this form in your ServiceNow AI Platform instance.

      Option: In the Alert List search field, enter text.
      Description: The column below the search field is filtered to the available options that match the text you enter. Select an alert and, with the arrow keys, move the selected alert from Available to Selected.

      Option: In the Alert List, double-click an alert.
      Description: The Selected column is populated with your selection.

      Option: In the Alert List, single-click an alert.
      Description: The alert is selected. With the arrow keys, move the selected alert from Available to Selected.

      (Image: Select an alert for a scheduled event profile.)
    4. Choose one option to continue.
      Option: Continue, or alternatively, click Mapping in the progress bar.
      Description: The Mapping form is displayed. Mapping is selected on the progress bar. The next step is to map alert fields to a SIR security incident.

      Option: Update
      Description: Your data is saved and the Splunk Event Profiles list is displayed.

      Option: Previous
      Description: The Name step is displayed.

      Option: Delete
      Description: Deletes this event profile, and the Splunk Event Profiles list is displayed.

    What to Do Next

    You have successfully selected an alert for a scheduled alert profile. The next step is to map alert values to fields on a security incident.