Key terms used in this integration
This section describes some of the key terms used in this integration.
The following key terms are used during installation and configuration. For more information about these terms, see the ServiceNow Product Documentation website, the Splunk website, and the resources on the Splunk Resources page.
- ServiceNow AI Platform: An enterprise ServiceNow product. The ServiceNow AI Platform is the base upon which individual components such as Security Incident Response (SIR), IT Service Management (ITSM), and other products are built.
- ServiceNow Splunkbase Addon: A ServiceNow application that is installed on your Splunk Enterprise Security console and supports the manual event forwarding option of the integration. Manual event forwarding is an optional feature of the integration. This add-on is not required for the automated notable event ingestion provided by the integration, which pulls events from Splunk.
- Security Incident Response (SIR): A ServiceNow AI Platform application that tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post-incident review and closure.
- Splunk Enterprise Security: Helps teams gain organization-wide visibility and security intelligence for continuous monitoring, incident response, SOC operations, and giving executives a window into business risk. Splunk Enterprise Security is a premium security solution that requires a paid license. It runs on a host or on a Splunk Cloud offering, which this guide refers to as a Splunk console.
- Splunk Enterprise Security notable event: When a correlation search identifies an event or a pattern of events, it creates a notable event. Correlation searches filter the security data and correlate across events to identify a particular type of incident (or pattern of events), and then create notable events.
- Splunk event: One or more data elements that result in a notable event in the Splunk service. From your ServiceNow AI Platform instance, you can look up which Splunk events triggered ServiceNow AI Platform security incidents.
- MID Server: An application that facilitates communication and movement of data between the ServiceNow AI Platform and external applications, data sources, and services. It is typically required for integration with on-premises technologies; for this Splunk Enterprise Security event ingestion integration, the MID Server facilitates communication between the ServiceNow AI Platform and the on-premises instance of Splunk Enterprise Security. A MID Server is not required if you are integrating your ServiceNow AI Platform instance with a Splunk Cloud instance.
- Security incident admin (sn_si.admin): The user with this role oversees the configuration of the integration with the SIR product in your ServiceNow AI Platform instance.
- Security incident analyst (sn_si.analyst): The user with this role interacts with and analyzes security incidents in the ServiceNow Security Incident Response product.