Splunk data input configuration fields
Summary of Splunk Data Input Configuration Fields
This guide details the configuration fields for setting up Splunk data inputs within ServiceNow, specifically in the Yokohama release. It covers both basic and advanced settings required to stream Splunk logs efficiently to your ServiceNow instance via a MID Server, ensuring proper data ingestion, transport, and processing.
Basic Configuration
- Data input name: Required field for naming the new data input.
- Description: Optional field to describe the data input’s purpose.
- MID Server: Required selection of a MID Server supporting basic authentication (mTLS-enabled MID Servers are excluded). The default limit is 10 data inputs per MID Server but can be adjusted in MID Server properties.
- Port: Required port number on the MID Server. Coordination with your security team is necessary to ensure this port is open.
- Transport Protocol: Choose between TCP (ensures all logs arrive but may block if MID Server is down) or UDP (avoids blocking but may drop logs). TCP is the default.
- Use Cooked Data: Option to ingest preprocessed ("cooked") Splunk log data preserving embedded contextual information, eliminating the need to modify Splunk props.conf and transforms.conf files.
- Use Forwarder TimeZone: Adjusts log timestamps according to the forwarder’s time zone, important when using Splunk Universal Forwarders.
- Enable Compression: Compresses log data to reduce transfer size; requires SSL/TLS enabled and applies to Universal Forwarders.
Advanced Configuration
The advanced form allows fine-tuning the data input with these key fields and defaults:
- Use SSL/TLS: Enables secure transport; mandatory for compression.
- Look up hostnames: Option to resolve IP addresses to hostnames via DNS (default: false).
- Boss thread count: Number of threads managing connections (default: 1).
- Worker thread count: Number of threads handling incoming data (default: 4).
- Read timeout seconds: Duration before closing idle channels (default: 30 seconds).
- Default timezone: Time zone applied when logs lack timestamp zones (default: GMT).
- Sub sample drop/receive ratio: Controls event sampling; default values are -1, meaning no sampling.
- Max length in bytes: Maximum log message size (default: 32,766 bytes).
- Character encoding: Encoding for the data input (default: UTF-8).
- Drop if queue is full: Option to discard logs if MID Server load is high, protecting system stability.
Practical Considerations for ServiceNow Customers
When configuring Splunk data inputs, ensure that:
- You select a MID Server that supports the necessary authentication and has capacity for your data inputs.
- Your security team opens the required ports on the MID Server to allow data streaming.
- You choose the appropriate transport protocol based on your tolerance for data loss versus pipeline blocking.
- Compression and SSL/TLS settings are used together to optimize secure data transfer.
- Advanced parameters are adjusted only if needed, to optimize performance and resource utilization.
Following these guidelines enables reliable and secure ingestion of Splunk logs into ServiceNow, preserving log context and ensuring efficient data flow for your operational needs.
Description of the fields on the Splunk data input configuration form.
Basic configuration
| Field | Description |
|---|---|
| Data input name | Name of the new data input. This field is required. |
| Description | Description of the data input. |
| MID Server | The MID Server to which the logs stream. This field is required. |
| Port | The port on the MID Server that receives the logs. Make sure that your organization's security team opens the selected port on the MID Server. This field is required. |
| Transport Protocol | The protocol used for streaming log messages to your ServiceNow instance. For more information about streaming log data using the TCP or UDP transport protocol, see the Streaming Splunk data using Heavy Forwarder: Selecting TCP or UDP [KB0998928] article in the Now Support Knowledge Base. |
| Use Cooked Data | Option to ingest log data from Splunk in the preprocessed ("cooked") format that Splunk uses on the forwarder. Ingesting data into HLA in this format ensures that each log line retains the contextual information that Splunk embeds into it. Note: If you select this option, you do not need to edit the props.conf and transforms.conf files during Splunk data input configuration. |
| Use Forwarder TimeZone | Option to pass information about the time zone in which the forwarder is located. The MID Server uses this information to adjust for the time zone from which the logs arrive. This option is relevant when using Splunk Universal Forwarders. |
| Enable Compression | Option to send logs in compressed format. Compression minimizes the size of the data being transferred, which matters when dealing with large volumes of log data. This option is relevant when using Splunk Universal Forwarders and can only be used when SSL/TLS is enabled. |
Advanced configuration
| Field | Description | Default values |
|---|---|---|
| Use SSL/TLS | Option to use SSL/TLS for the transport. Note: To send logs in a compressed format, SSL/TLS must be enabled. | |
| Look up hostnames | Option to perform a DNS lookup to resolve IP addresses to hostnames. | false |
| Boss thread count | The number of threads that manage connections. | 1 |
| Worker thread count | The number of threads that handle incoming data. | 4 |
| Read timeout seconds | The timeout in seconds since the last read. When the timeout expires, the system closes the channel. | 30 |
| Default timezone | The default time zone of events. The system uses this default when the log does not specify a time zone. | GMT |
| Sub sample drop ratio | The ratio of events to drop. | -1 |
| Sub sample receive ratio | The ratio of events to receive. | -1 |
| Max length in bytes | The maximum length of log messages in bytes. | 32766 |
| Character encoding | The character encoding for this data input. | UTF-8 |
| Drop if queue is full | Option to discard logs when the MID Server is under load. | |
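The following pre-flight check is an added example, not part of the ServiceNow documentation or product: it fills a data input definition with the defaults from the tables above and flags the combinations the page rules out (compression without SSL/TLS, a non-TCP/UDP protocol, more than the default 10 inputs per MID Server). The dict shape, the `MID Server mTLS` flag and the positive-integer assumption for non-default sampling ratios are constructed for illustration.

```python
# Added example, not from the ServiceNow documentation: a pre-flight check of a
# Splunk data input definition against the constraints and defaults stated on this
# page. Keys are the form labels; the dict shape and the "MID Server mTLS" flag are
# constructed for illustration.
from typing import Dict, List

# Defaults taken from the basic and advanced configuration tables.
DEFAULTS = {
    "Transport Protocol": "TCP", "Use Cooked Data": False,
    "Use Forwarder TimeZone": False, "Enable Compression": False,
    "Use SSL/TLS": False, "Look up hostnames": False,
    "Boss thread count": 1, "Worker thread count": 4,
    "Read timeout seconds": 30, "Default timezone": "GMT",
    "Sub sample drop ratio": -1, "Sub sample receive ratio": -1,
    "Max length in bytes": 32766, "Character encoding": "UTF-8",
    "Drop if queue is full": False,
}
MAX_INPUTS_PER_MID = 10  # default per-MID Server limit; adjustable in MID Server properties


def with_defaults(data_input: Dict) -> Dict:
    """Return a copy of the definition with unset fields filled from DEFAULTS."""
    return {**DEFAULTS, **data_input}


def validate_data_input(data_input: Dict, existing_inputs_on_mid: int = 0) -> List[str]:
    """Return the list of problems found; an empty list means the definition is consistent."""
    cfg = with_defaults(data_input)
    problems: List[str] = []
    for required in ("Data input name", "MID Server", "Port"):
        if not cfg.get(required):
            problems.append(f"{required} is required")
    port = cfg.get("Port")
    if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append("Port must be an integer between 1 and 65535")
    if cfg["Transport Protocol"] not in ("TCP", "UDP"):
        problems.append("Transport Protocol must be TCP or UDP")
    if cfg["Enable Compression"] and not cfg["Use SSL/TLS"]:
        problems.append("Enable Compression requires Use SSL/TLS")
    if cfg.get("MID Server mTLS", False):  # constructed flag, not a form field
        problems.append("MID Server must use basic authentication; mTLS-enabled MID Servers are excluded")
    if existing_inputs_on_mid >= MAX_INPUTS_PER_MID:
        problems.append(f"MID Server already has {existing_inputs_on_mid} data inputs (default limit {MAX_INPUTS_PER_MID})")
    for field in ("Boss thread count", "Worker thread count", "Read timeout seconds", "Max length in bytes"):
        if not isinstance(cfg[field], int) or cfg[field] < 1:
            problems.append(f"{field} must be a positive integer")
    for field in ("Sub sample drop ratio", "Sub sample receive ratio"):
        # -1 disables sampling (per the page); any other value is assumed to be a positive integer
        if cfg[field] != -1 and (not isinstance(cfg[field], int) or cfg[field] < 1):
            problems.append(f"{field} must be -1 (no sampling) or a positive integer")
    return problems
```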