Splunk UDP integration configuration fields
Summarize
Summary of Splunk UDP Integration Configuration Fields
This document provides details on the configuration fields required for setting up a Splunk UDP integration for Health Log Analytics. Understanding these fields is crucial for successful integration and log management.
Show less
Key Features
- Integration Name: A unique identifier for your integration, crucial for differentiation.
- MID Server Name: Specifies the MID Server that pulls log data; must support basic authentication.
- Port: The designated port for the MID Server; ensure it's opened by your security team.
- Description: Optional field for providing additional context about the integration.
- Transport: Indicates the protocol for streaming log messages, which is UDP in this case.
Advanced Settings
- Lookup Hostnames: Enables DNS lookup to resolve IPs to hostnames; default is disabled.
- Sub Sample Receive Ratio: Configures the ratio of logs received; default is set to no logs.
- Character Encoding: Specifies the encoding for data inputs, with UTF-8 as the default.
- Drop if Queue is Full: Allows logs to be discarded under load on the MID Server.
- Sub Sample Drop Ratio: Sets the ratio of logs to drop; default is set to no logs.
- Max Length in Bytes: Determines the maximum size of log messages, default is 32766 bytes.
- Default Timezone: Defines the timezone for events when not specified, with GMT as the default.
Key Outcomes
By configuring these fields correctly, ServiceNow customers can ensure effective log ingestion and management, optimizing the performance of their Health Log Analytics integration.
Description of the fields on the Splunk UDP integration configuration forms for Health Log Analytics.
For the Splunk UDP integration setup procedure, see Set up a Splunk UDP integration for Health Log Analytics.
| Field | Description |
|---|---|
| Integration Name | Unique name of this integration. For example: My Splunk UDP integration. This field is required. Note: When you fill in this field, the generic name displayed on the form adjusts automatically to match the name you entered. |
| MID server name | MID Server to which log data from Splunk is pulled. This field is required. Note:
|
| Port | The port for the MID Server. This field is required. Note: Make sure that your organization’s security team opens the selected port on the MID Server. |
| Description | Option to add a brief description of the integration to help identify it. |
| Transport | The protocol used for streaming log messages to your ServiceNow instance: UDP. This field is read-only. |
| Field | Description |
|---|---|
| Lookup hostnames | Option to perform DNS lookup to resolve IPs to hostnames. The default value is false. |
| Sub sample receive ratio | The ratio of logs to receive. The default value is -1: no logs are received. For example: If you want one out of every five logs to be received, change the value to 5. |
| Character encoding | The character encoding for this data input. The default value is UTF-8. This field is read-only. |
| Drop if queue is full | Option to discard logs if there is a load on the MID Server. |
| Sub sample drop ratio | The ratio of logs to drop. The default value is -1: no logs are dropped. For example: If you want one out of every five logs to be dropped, change the value to 5. |
| Max length in bytes | The maximum length of log messages in bytes. The default value is 32766. |
| Default timezone | The time zone of events that the system will use if a log does not specify the time zone. By default, the system uses GMT in such cases, but you can specify a different time zone. |