Integration architecture and external systems connection for the Splunk Enterprise Event Ingestion integration

  • Release version: Australia
  • Updated March 12, 2026

    This topic outlines the integration architecture that supports the ingestion of triggered alerts from the Splunk Enterprise console. It describes, at a high level, how the integration operates, and explains why certain setup steps are required before you install the application from the ServiceNow Store.

    Key terms used for this integration

    The following key terms are used during installation and configuration. For more information about these terms, see the ServiceNow Product Documentation website, the Splunk website, and the Splunk Resources page.

    ServiceNow AI Platform
    An enterprise ServiceNow product. The ServiceNow AI Platform is the base upon which individual components such as Security Incident Response (SIR), IT Service Management (ITSM), and other products are built.
    ServiceNow Splunkbase Addon
    A ServiceNow application that is installed on your Splunk Enterprise console that supports the manual event forwarding option of the integration. Manual event forwarding is an optional feature of the integration. This ServiceNow Splunkbase addon is not required for the automated alert ingestion that is provided by the integration.
    Security Incident Response (SIR)
    A ServiceNow AI Platform application that tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post incident review and closure.
    Splunk Enterprise
    A security information and event management (SIEM) product or cloud service that collects the data used for incident analysis and management. The host that runs this service is sometimes referred to as the Splunk console in this guide.
    Splunk alert
    A search that you configure and save in Splunk to scan for specific data based on the parameters you set up in the Splunk Enterprise service. When you pull an alert from Splunk, you also pull all the events associated with that alert.
    Splunk triggered alert
    A configured search in the Splunk Enterprise console that returns results and flags these results as triggered alerts. The triggered alerts are ingested from the Splunk console into your ServiceNow AI Platform instance for this integration. Triggered alerts have one or more Splunk events.
    Splunk event
    One or more data elements that result in the triggered alerts of the Splunk service. From your ServiceNow AI Platform instance, you can look up which Splunk events triggered ServiceNow AI Platform security incidents.
    MID Server
    This application facilitates communication and movement of data between the ServiceNow AI Platform and external applications, data sources, and services. This application is typically required for integration with on-premises technologies, and, for this Splunk Enterprise Event Ingestion integration, the MID Server facilitates communication between the ServiceNow AI Platform and the on-premises instance of Splunk Enterprise. A MID Server is not required if you are integrating your ServiceNow AI Platform instance with a Splunk Cloud instance.
    Security incident admin (sn_si.admin)
    The user with this role oversees the configuration of the integration with the SIR product in your ServiceNow AI Platform instance.
    Security incident analyst (sn_si.analyst)
    The user with this role interacts with and analyzes security incidents in the ServiceNow Security Incident Response product.
    Security incident profile admin (sn_si.ingestion_profile_admin)
    The user with this role configures the plugin and creates, edits, deletes, and maintains ingestion profiles for the Azure Sentinel, Splunk, and Splunk ES integrations for the SIR product in your ServiceNow AI Platform instance.

    External systems connection

    An event profile is a container that you create, name, and configure for a single connection and call to the Splunk service to pull the most recent triggered alerts that match specific criteria. After triggered alerts that match your profile have been pulled from Splunk, you select which of these alerts you want to appear as Security Incident Response (SIR) security incidents in the ServiceNow AI Platform. A default mapping of the Splunk Enterprise alert fields is available, and you edit this mapping of alert fields to the fields on a SIR security incident to meet your needs. Preview the mapping to verify that every required alert field value is populated on the SIR security incident. To complete the configuration of the event profile, schedule the retrieval of alerts and then activate the profile. After the profile is active, the ServiceNow AI Platform ingests historical and ongoing Splunk alerts automatically.

    As a user with the sn_si.admin role, if you determine that new triggered alerts are similar to alerts previously ingested, you can aggregate the new triggered alerts into existing SIR security incidents instead of creating new ones. In the Splunk Enterprise event profile, you set matching criteria that specify which target field values determine whether an existing security incident is updated or a new security incident is created. When the aggregation feature is enabled in the event profile, the ServiceNow AI Platform instance checks, as the import set is transformed, for an existing record in the target table whose coalesce (target) field has the same value as the mapped source field of the incoming row. If a matching record is found, that record is updated; if none is found, a new record is created in the target table. Aggregation therefore updates existing security incidents with new triggered alerts and avoids creating several security incidents for the same activity. For more information about updating records using aggregation options, see Updating records using coalesce.
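    To make the aggregation rule concrete, the following is an added example (illustrative JavaScript, not the integration's own transform code) that models the coalesce step described above: the import-set rows from one pull are mapped to security incident fields, and the field marked as the coalesce field is used to look for an existing incident to update. The table, field and alert names are assumed, and the rows are constructed; the same function is run with aggregation enabled and disabled so the difference in outcome is visible.

```javascript
// Added example, not the integration's own transform code. Models the coalesce
// step that the aggregation option relies on: each import-set row is mapped to
// security incident fields, and the coalesce field decides whether an existing
// incident is updated or a new one is created. Table, field and alert names are assumed.

// Constructed rows already in the target table (security incidents).
const existingIncidents = [
  {
    sys_id: "inc-001",
    short_description: "VPN brute force",
    splunk_alert_sid: "sid-A",
    severity: "4",
    u_event_count: 12,
  },
];

// Constructed import-set rows from one pull of triggered alerts. The third row is
// the same triggered alert as the second, pulled again with more events.
const importSetRows = [
  { sid: "sid-A", savedsearch_name: "VPN brute force", severity: "4", event_count: 20 },
  { sid: "sid-B", savedsearch_name: "Suspicious PowerShell", severity: "5", event_count: 3 },
  { sid: "sid-B", savedsearch_name: "Suspicious PowerShell", severity: "5", event_count: 7 },
];

// Field map from import-set (source) field to incident (target) field.
// `coalesce: true` marks the field(s) used to look for an existing record.
const fieldMap = [
  { source: "sid", target: "splunk_alert_sid", coalesce: true },
  { source: "savedsearch_name", target: "short_description" },
  { source: "severity", target: "severity" },
  { source: "event_count", target: "u_event_count" },
];

// Transform `rows` into a copy of `targetTable`. With aggregation enabled, a row
// whose coalesce field(s) all match an existing record updates that record;
// otherwise, or when aggregation is disabled, a new record is inserted.
function transformRows(rows, targetTable, map, aggregationEnabled) {
  const table = targetTable.map(rec => ({ ...rec })); // do not mutate the caller's table
  const coalesceFields = aggregationEnabled ? map.filter(f => f.coalesce) : [];
  const summary = { inserted: 0, updated: 0, table };
  let nextId = table.length + 1;

  for (const row of rows) {
    const mapped = {};
    for (const f of map) mapped[f.target] = row[f.source];

    // Every coalesce field must match (ServiceNow ANDs multiple coalesce fields).
    const existing = coalesceFields.length
      ? table.find(rec => coalesceFields.every(f => rec[f.target] === row[f.source]))
      : undefined;

    if (existing) {
      Object.assign(existing, mapped);
      summary.updated += 1;
    } else {
      table.push({ sys_id: "inc-" + String(nextId++).padStart(3, "0"), ...mapped });
      summary.inserted += 1;
    }
  }
  return summary;
}

// Stand-alone demonstration of both settings.
const withAggregation = transformRows(importSetRows, existingIncidents, fieldMap, true);
console.log(withAggregation.inserted, withAggregation.updated, withAggregation.table.length); // 1 2 2
const withoutAggregation = transformRows(importSetRows, existingIncidents, fieldMap, false);
console.log(withoutAggregation.inserted, withoutAggregation.updated, withoutAggregation.table.length); // 3 0 4
```

    With aggregation enabled, the first row updates the existing incident and the third row updates the incident that the second row has just created, so one pull of three rows leaves two incidents. With aggregation disabled, the same three rows create three new incidents, one of them a duplicate of an incident that already existed. When more than one coalesce field is configured, all of them must match for a record to be updated rather than inserted.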

    This application uses the Splunk REST API to retrieve information from the Splunk service. An outbound HTTPS connection from the MID Server (or, for a Splunk Cloud instance, from the ServiceNow AI Platform instance itself) to the Splunk API endpoint is necessary for the integration to work. Splunk does not initiate connections to the ServiceNow AI Platform for scheduled alert ingestion.

    After it is connected to the Splunk service, the integration supports pulling and ingesting the triggered alerts, together with the events that triggered them, to create or update security incidents.

    The basic data flow is illustrated in the following figures. In each figure, your ServiceNow AI Platform is pulling (ingesting) data. Splunk is not pushing data for scheduled alerts.
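    The pull model described above, as an added example (illustrative JavaScript, not the integration's code): one scheduled run of an event profile asks Splunk for fired alerts, keeps those that match the profile's saved searches and are newer than the previous run, then fetches the events behind each one. The endpoint paths and JSON shape are assumptions chosen to resemble Splunk's REST API, the responses are constructed so the example runs offline, port 8089 is assumed as Splunk's default management port, and the transport function stands in for the outbound HTTPS request that the MID Server makes.

```javascript
// Added example, not the integration's own code. Models one scheduled run of an
// event profile: ServiceNow (via the MID Server) pulls fired alerts from Splunk
// and then pulls the events behind each new alert. Nothing is pushed by Splunk.

// Assumed: Splunk's default management port (8089) serves the REST API over HTTPS.
const SPLUNK_BASE = "https://splunk.example.internal:8089";

// Constructed responses keyed by request path. Endpoint paths and field names are
// assumptions chosen to resemble Splunk's REST API with output_mode=json.
const constructedResponses = {
  "/services/alerts/fired_alerts/-?output_mode=json": {
    entry: [
      { content: { savedsearch_name: "VPN brute force", sid: "sid-A", trigger_time: 1700000000, severity: 4 } },
      { content: { savedsearch_name: "Suspicious PowerShell", sid: "sid-B", trigger_time: 1700003600, severity: 5 } },
      { content: { savedsearch_name: "Suspicious PowerShell", sid: "sid-C", trigger_time: 1700007200, severity: 5 } },
    ],
  },
  "/services/search/jobs/sid-B/results?output_mode=json": {
    results: [{ host: "ws-42", user: "jdoe", _raw: "powershell.exe -nop -w hidden -enc SQBFAFgA" }],
  },
  "/services/search/jobs/sid-C/results?output_mode=json": {
    results: [
      { host: "ws-07", user: "asmith", _raw: "powershell.exe -nop -w hidden" },
      { host: "ws-07", user: "asmith", _raw: "powershell.exe -ep bypass" },
    ],
  },
};

// Stands in for the outbound HTTPS GET the MID Server performs. Answers from the
// constructed table so the example runs offline; a real transport would return
// the parsed JSON body of the response.
function offlineTransport(url) {
  if (!url.startsWith(SPLUNK_BASE)) throw new Error("unexpected host in " + url);
  const body = constructedResponses[url.slice(SPLUNK_BASE.length)];
  if (!body) throw new Error("no constructed response for " + url);
  return body;
}

// One profile run. `profile.savedSearches` is the profile's alert criteria;
// `state.lastTriggerTime` is the high-water mark carried between scheduled runs
// so an alert already ingested is not pulled again.
function pullTriggeredAlerts(transport, profile, state) {
  const feed = transport(SPLUNK_BASE + "/services/alerts/fired_alerts/-?output_mode=json");
  const fresh = feed.entry
    .map(e => e.content)
    .filter(a => profile.savedSearches.includes(a.savedsearch_name))
    .filter(a => a.trigger_time > state.lastTriggerTime)
    .sort((a, b) => a.trigger_time - b.trigger_time);

  const ingested = [];
  for (const alert of fresh) {
    // Each triggered alert carries one or more events; fetch them by the alert's search id.
    const events = transport(SPLUNK_BASE + `/services/search/jobs/${alert.sid}/results?output_mode=json`).results;
    ingested.push({
      sid: alert.sid,
      savedsearch_name: alert.savedsearch_name,
      severity: alert.severity,
      trigger_time: alert.trigger_time,
      events,
    });
    state.lastTriggerTime = alert.trigger_time; // advance only after the events are in hand
  }
  return ingested;
}

// Stand-alone demonstration: two consecutive runs of the same profile.
const demoProfile = { savedSearches: ["Suspicious PowerShell"] };
const demoState = { lastTriggerTime: 0 };
console.log(pullTriggeredAlerts(offlineTransport, demoProfile, demoState).map(a => a.sid)); // [ 'sid-B', 'sid-C' ]
console.log(pullTriggeredAlerts(offlineTransport, demoProfile, demoState).length);        // 0
```

    The second run returns nothing because the high-water mark already covers both alerts; the mark is advanced only after an alert's events have been retrieved, so a failed event fetch leaves that alert to be picked up on the next scheduled run. Alerts from saved searches outside the profile's criteria are filtered before any per-alert request is made, which keeps the number of outbound calls through the MID Server proportional to the alerts the profile actually ingests.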

    Figure 1. Connection to an on-premises Splunk Enterprise service with a single MID Server
    Figure 2. Connection to a Splunk Cloud instance (no MID Server)
    Figure 3. Multiple connections to the Splunk Enterprise service using multiple MID Servers