March 24, 2022

ServiceNow integration with Splunk: a step-by-step guide [2022 update]

Connect Splunk and ServiceNow in a few clicks thanks to our no-code integration platform.


ServiceNow Splunk integration video

Watch our short video to see how you can integrate ServiceNow and Splunk in a few clicks using the ZigiOps connector.

The importance of ITSM and Monitoring systems for growing businesses

Nowadays, companies generate astounding amounts of data and metrics digested from the connected systems across their IT ecosystems. It is then used for thorough granular analysis to help define the right path for process optimization and business growth. The best way to do that is by incorporating the type of technology that fits the needs of every occasion.

Monitoring and ITSM systems are a must. The former helps dissect and analyze crucial metrics and KPIs. The latter ensures that end users' needs are met and issues are resolved. ServiceNow and Splunk Enterprise fit the criteria. Splunk has become a fundamental tool in the tech stack of various companies in the recent decade. Its capability to accommodate real-time data helps fill in significant gaps in IT operations. ServiceNow's multi-tier functionalities facilitate almost everything needed for a company to organize and strategically optimize its IT management.

The two systems are often present in the tech stack of enterprises and working together they bring numerous benefits. A ServiceNow Splunk integration could be a lifesaver in some situations, as it brings lots of competitive advantages. In this guide, we will review in detail what gains you might have from integrating Splunk with ServiceNow and the exact steps to do it.

What is Splunk?

As a popular monitoring solution, Splunk allows companies to maintain granular visibility over different recurring IT processes and operations. With Splunk, IT teams get access to a compilation of metrics and data. The tool gives actionable, real-time insights over vital information accumulated across the connected IT infrastructure systems.

In other words, Splunk Enterprise allows monitoring teams to easily search and observe data from various applications, websites, sensors, and devices connected to the internal IT ecosystem in real time. As a result, responsible teams can intervene when needed, and take preventative actions towards bottlenecks and rundowns.

Splunk main features:

  • comprehensive visualizations of the collected data through dashboards and charts
  • a real-time overview of internal IT processes and operations
  • alerts and events, accessible for investigation in real-time
  • customization of the generated alerts (based on pre-defined user conditions and behavior)
  • reports, generated in real-time, with freshly accumulated data
  • encrypted data and reports, helping IT departments maintain high levels of security
  • easy incorporation of Splunk-generated metrics, data, and events into detailed visual charts ready for immediate analysis
  • real-time observation of the health status of the system and reporting functionalities

Advantages of using Splunk:

  • The presence of a detailed data-based report consisting of different interactive charts and tables. That allows IT teams to perform high-level segmentation and get a better understanding of their IT ecosystem.
  • A flexible and scalable monitoring solution
  • Easy to implement and collaborate with other add-ons and plug-ins, present in the IT tech stack
  • A smart search feature with saved search query capabilities

What is ServiceNow?

ServiceNow is a multi-functional business solution. Depending on the needs, the ServiceNow platform is often deployed as a SaaS to help deal with the entire chain of IT operations management. Thanks to ServiceNow, communication and collaboration between teams happen instantly.

Internal data and metrics resources are shared in real-time. That eliminates any possibility of data gaps, misunderstandings between different team members, and human-related errors. Being highly agile, ServiceNow helps IT departments instantly enhance their workflows and level up overall performance. Tracking and analysis of customer issues happen immediately, cutting costs and retaining high levels of customer satisfaction.

Benefits of the ServiceNow platform:

  • easy customization of each of its modules
  • real-time analysis and reports based on the collected data
  • enhanced traceability of issue root causes
  • separate modules that can be deployed subsequently to fit the need for scalability
  • high level of security
  • automation of workflows and optimization processes of crucial tasks and activities
  • easy integration with other systems already present in the enterprise's tech kit
  • helps boost productivity and avoid mishaps along the IT tasks chain

Why integrate ServiceNow and Splunk?

Companies, especially large-scale ones, accumulate a vast quantity of data, metrics, and KPIs which need to be dissected and examined. Tools like Splunk and ServiceNow possess all the necessary characteristics and features to answer those business needs. That is the main reason behind their solid presence in almost every IT ecosystem of mid- to large-scale enterprises.

The two help responsible IT teams handle a large amount of disparate data and use it to resolve client-related queries before they have escalated.

Without Splunk ServiceNow Integration in place

Despite being present among the tools incorporated in the company's IT infrastructure, Splunk and ServiceNow are not always connected. Splunk and ServiceNow teams work separately, and the data transfer between them happens manually. That may lead to various errors and a certain degree of misunderstanding on critical problems. In that case, slowdowns are not uncommon and often affect the end-user experience.

Takeaways: without a connection between ServiceNow and Splunk:

  • there are delays and responsible team members might miss out on critical alerts
  • silos are formed
  • productivity suffers
  • manual transfer of data leads to errors
  • critical issues might not get resolved on time
  • etc.

With a solution to handle the ServiceNow Splunk Integration

The Splunk ServiceNow integration elevates the communication and data flow between their users and speeds up their work. That happens while the two teams continue to work with the system of their choice. Manual work is also eliminated.

All the data accumulated is automatically transferred from one integrated system to the other and vice versa. The data is accompanied by its corresponding details. That saves time and effort and cuts expenses. Both teams' workflows are optimized in a way that allows them to prioritize tasks, track the source of issues and remediate them as soon as possible.

What are the most significant benefits of the Splunk ServiceNow integration?

  • transfers only preferred data between the two systems
  • overview of each functional layer of the enterprise IT ecosystems by the Service desk team
  • outage durations, severities, and SLAs are instantly detected and sent for investigation
  • easy push-and-pull of data between Splunk and ServiceNow
  • enhanced cross-team collaboration and communication
  • screening updates on critical events, incidents, and alerts in real-time

Why use ZigiOps for ServiceNow Splunk integration?

ZigiOps is an advanced, out-of-the-box integration platform. It does not require specific technical skills from its users to be deployed. That makes the ZigiOps connector a preferred solution for expanding organizations. ZigiOps instantly connects Splunk and ServiceNow, thus automating critical tasks and operations and diminishing any possibility of information leaks.

Fully customizable, the ZigiOps ServiceNow Splunk integration allows for the smooth logging of Splunk events as ServiceNow events and of Splunk alerts as ServiceNow incidents.

Benefits of using the ZigiOps no-code integration platform

The ZigiOps connector fits even the most specific integration needs of organizations, from mid- to large-scale ones. The integration solution offers a large list of basic and advanced functionalities for each system customers would like to connect. In just a few clicks and under 5 minutes, ZigiOps users get access to a large library of integration templates and execute the instant transfer and sync of various entities and their correlated details. Unlike most of its competitors, ZigiOps comes without limitations on the number of users, an important feature the majority of large companies seek. The connector's flexibility and reliability make it a perfect tech stack fit for enterprises that aim to scale. Here are the top features the ZigiOps integration platform brings:

  • No-code integrations in a few clicks: employees without a technical background can set up their integrations.
  • Innovative data mappings: the feature helps users easily match all fields (custom/regular/related ones). Customizations of the list of settings are also available.
  • Extreme scalability and agility: users are able to integrate their systems in minutes, as well as instantly update the ones they already have.
  • An out-of-the-box solution that does not require the deployment of any additional applications and systems to establish a fully functional system connection.
  • Security: ZigiOps does not store any of the data that's been transferred between the connected systems.
  • Constant availability and reliability.

Feel free to check out ZigiOps's product page to learn more about the integration platform's features and abilities. Also, you can book an explanatory demo and have our tech experts explain in detail what ZigiOps is and how it can help you resolve your use case.

In the next section, we will discuss the most common use cases for Splunk ServiceNow integration. If you have a specific or more complex use case, you can contact our team and book an individual demo.

Benefits of the ZigiOps Splunk ServiceNow integration?

  • Smooth streamline of data transfer between Splunk and ServiceNow
  • Fully customizable workflows with chained and dependent actions
  • No additional coding experience or API knowledge required
  • Data synchronization in real-time with your monitoring tools
  • Flexible workflows for all use case scenarios, even the most comprehensive ones
  • High availability features and an advanced retry mechanism for error handling

The most common ServiceNow Splunk use case

There are a few scenarios to back up the need for Splunk ServiceNow integration. It is usually tied to transferring ServiceNow events as Splunk events. One of the IT teams in the company works with Splunk to keep a close eye on vital data, while another relies on ServiceNow to cope with arising incidents and incoming client requests.

When deployed as an integration tool, ZigiOps fetches all the data discovered by Splunk and transfers it directly to ServiceNow. ZigiOps can sync various data types like alerts, incidents, CMDB CIs, change requests, and custom records.

The integration platform reads the schema dynamically and can transfer all related and custom fields, available in Splunk and ServiceNow, respectively.

Whenever Splunk events get an update, ZigiOps fetches them and immediately updates ServiceNow. That helps synchronize Splunk Enterprise and ServiceNow and keeps them up to date.

Splunk ServiceNow integration set-up using ZigiOps step by step

  1. The first step of our Splunk ServiceNow integration is installing the ZigiOps platform (if you're using the on-prem version of the tool).

If you want to learn more details, check out the ZigiOps connector documentation for its requirements and installation procedures. ZigiOps is available as an iPaaS and on-premises. When used on-premises, the tool requires less than five minutes to complete its installation. Being a no-code platform, no additional coding is needed. The fact that it does not store any data from its connected systems makes ZigiOps highly secure and reliable.

Once logged in, ZigiOps takes us directly to its Dashboard. The system's dashboard contains significant integration information: health statuses of integrated systems, licenses, and other technical details.

Connecting to ServiceNow

The first step of the ServiceNow Splunk integration is to connect the two systems to ZigiOps. Let's start with ServiceNow. With ZigiOps, connecting to the ServiceNow platform is easy and requires a few clicks:

  • Log into your ZigiOps instance.
  • Go to Connected Systems → Add New System → ServiceNow and set the following parameters:
  • Server URL: Input the URL of your instance. For example,
  • Username: Input the username of the ServiceNow user.
  • Password: Input the password for the above ServiceNow user.
  • Proxy Settings: Enables the usage of a proxy server if needed.
  • Examine the settings and if they are correct, click the Save button to save the system.

And that's it. Once the required information is filled, ZigiOps automatically checks if it has established a successful connection with ServiceNow. If yes, it will show a notification.

Additionally, ZigiOps fetches ServiceNow's metadata and loads all available fields. As a result, our ServiceNow Splunk integration will happen quickly and easily.

Connecting to Splunk

Connecting ZigiOps and Splunk Enterprise happens in a similar way to the ServiceNow connection. However, we start with generating an API token in Splunk Enterprise:

  • Log in to your instance.
  • Go to the Settings → Data Inputs menu.
  • Create an HTTP Event Collector entry.
  • Click on the New Token button to generate a token.

Then, we can proceed with the connection:

  • Log into your ZigiOps instance.
  • Go to Connected Systems → Add New System → Splunk and configure the following parameters:
  • Password: Input the password of the above user.
  • API Token: Input the API token that you generated earlier.
  • Proxy Settings: Enables the usage of a proxy server.
  • Examine the settings and if they are correct, click the Save button to save the system.

Proceeding with the Splunk ServiceNow integration

Once ZigiOps has successfully established a connection with both Splunk and ServiceNow, we can continue with the integration itself. This requires its actual configuration.

ZigiOps comes with a large library of ready-to-use templates. This saves time and effort. All templates can additionally be configured to fit the current use case. If needed, ZigiOps allows for creating a template from scratch.

Splunk ServiceNow Integration configuration

After choosing and loading the ServiceNow Splunk integration template from the ZigiOps template library, there are a few additional settings that require our attention. In our example we will be transferring ServiceNow incidents as Splunk events. The ZigiOps UI will guide us, and here are the simple steps to initiate the integration:

  • Put ServiceNow as a source system
  • Point Splunk Enterprise as a destination
  • Define the ServiceNow entity type: incident
  • Select the entity type from Splunk Enterprise: events

Defining which system is first and which is second is crucial. It tells ZigiOps in what direction the data flows and how.

Next, we must point out the additional information we intend to sync along with the incident in the ZigiOps correlation menu. The fields can be customized to answer even the most sophisticated integration needs.

The schema for the two systems loads immediately, and we can choose the entities and fields we need easily, without the need to remember them or type them manually.

For each system configuration, there is a Correlation menu with additional information on the systems. It allows us to see the information in the fields of integrated systems, plus the data we aim to sync. Additional fields can be synced, too. The correlation menu allows for two-way updates and determines the correlation logic on the ZigiOps connector.

ServiceNow Splunk integration actions

Collecting the ServiceNow incident

ZigiOps uses trigger conditions to search for and collect newly created ServiceNow incidents, either by listening or by polling. In our case, we only have the polling option. It tells ZigiOps at what interval to scan for new ServiceNow incidents: seconds, minutes, hours, days, etc. Once set, the connector will perform this action automatically at the predefined interval.

The trigger conditions are fully customizable. Their purpose is to tell ZigiOps at what interval, and under what conditions, the integration platform should look for new data in ServiceNow.

Create an Event in Splunk

Based on the conditions we have already set for the ServiceNow incidents, the ZigiOps connector will collect them and create events in Splunk. Once we have defined the trigger action (polling), its interval and type, ZigiOps will know exactly when to create new Splunk events.

Additional fields such as trigger name and value can also be filled in for more clarification on the performed action.

We also have the option to define our own expressions and use them in our conditions. This is done through the Expressions section. You can see detailed information about expressions and how to define them here.

We can add more than one expression.

Mapping the ServiceNow incident to Splunk event

ZigiOps' advanced capabilities let us dig even deeper into our Splunk ServiceNow integration and specify, down to the smallest detail, the exact data we want to transfer between the two connected systems:

  • Source
  • Time
  • Status
  • Description
  • Host
  • Metadata
  • Impact
  • Index
  • Etc.

With those settings in place, our ServiceNow Splunk integration is practically ready. We must click on the Save button in the upper right corner to activate the systems' connection.
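As an added illustration of the polling and field-mapping steps above (not ZigiOps code and not part of the original article), the following Python example maps ServiceNow incident records to Splunk HTTP Event Collector events, forwards only an allowlist of fields, and advances a polling watermark. The sample records are constructed and simplified; the index name `itsm`, the sourcetype, the instance name, the token placeholder and the assumption that `sys_updated_on` is in UTC are all illustrative choices.

```python
import json
from datetime import datetime, timezone

# Assumption: only these incident fields are allowed to leave ServiceNow.
ALLOWED_FIELDS = ("number", "state", "impact", "short_description", "cmdb_ci")

# Constructed, simplified sample records (not real ServiceNow output).
SAMPLE_INCIDENTS = [
    {"number": "INC0010001", "state": "2", "impact": "1",
     "short_description": "Payment API latency", "cmdb_ci": "pay-api-01",
     "sys_updated_on": "2022-03-24 10:15:00",
     "caller_id": "jane.doe", "work_notes": "customer phone number"},
    {"number": "INC0010002", "state": "1", "impact": "3",
     "short_description": "Disk usage warning", "cmdb_ci": "",
     "sys_updated_on": "2022-03-24 10:20:30"},
]

def snow_time_to_epoch(value):
    """'YYYY-MM-DD HH:MM:SS' (assumed UTC) -> epoch seconds for HEC 'time'."""
    parsed = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc).timestamp()

def to_hec_event(incident, index, instance):
    """Map one incident to the HEC event envelope (time/host/source/index)."""
    return {
        "time": snow_time_to_epoch(incident["sys_updated_on"]),
        "host": incident.get("cmdb_ci") or instance,  # fall back to instance
        "source": f"servicenow:{instance}",
        "sourcetype": "snow:incident",                # illustrative value
        "index": index,
        # Allowlist: caller_id, work_notes, etc. are never copied across.
        "event": {k: incident[k] for k in ALLOWED_FIELDS if k in incident},
    }

def poll_once(incidents, watermark, index, instance):
    """Return (events updated after the watermark, new watermark)."""
    events = [to_hec_event(i, index, instance) for i in incidents]
    fresh = sorted((e for e in events if e["time"] > watermark),
                   key=lambda e: e["time"])
    return fresh, (fresh[-1]["time"] if fresh else watermark)

def hec_request(events, token):
    """Headers and body for POST /services/collector/event (not sent here)."""
    headers = {"Authorization": f"Splunk {token}"}
    body = "\n".join(json.dumps(e, sort_keys=True) for e in events)
    return headers, body

if __name__ == "__main__":
    # Placeholder token; a real one belongs in a secret store, not in code.
    token = "00000000-0000-0000-0000-000000000000"
    fresh, mark = poll_once(SAMPLE_INCIDENTS, 0.0, "itsm",
                            "example.service-now.com")
    headers, body = hec_request(fresh, token)
    print(body)
    print("next poll watermark:", mark)
```

Running the second poll with the returned watermark yields no duplicates, and fields outside the allowlist never reach the Splunk index.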


The combination of monitoring and a service desk software solution in the IT ecosystem of any enterprise is a prerequisite for success. The union ensures that any arising problem (either customer-related or internal) will be investigated and resolved in a timely manner. With the Splunk ServiceNow integration, rundowns, bottlenecks and possible communication misunderstandings are minimized or even eliminated altogether. As a result, no critical issues or escalations of end-user requests affect the overall IT performance of the company. Utilizing solutions like Splunk and ServiceNow can help with the latter, especially if they are connected and their data synced. Their integration allows the automatic transfer of important information between the teams using them, without fearing possible data gaps and errors.

ZigiOps instantly completes the ServiceNow integration with Splunk, with no time wasted on additional coding or deployment of additional apps. Monitoring and service desk teams' collaboration happens smoothly, issues are resolved in a timely manner and there are no delays in updates on crucial customer activities.

Choose smart integration: book a demo with the ZigiOps team today.
