Splunk Add-on for Evanios Operations - Evanios

Overview

Splunk Add-on for Evanios allows you to send alerts into the Evanios application on ServiceNow through the EVAgent. When the agent is configured, Splunk sends any triggered alerts to the agent, and the agent forwards them into Evanios Operations through a REST call.

Integration Architecture

Splunk Add-on for Evanios needs to be installed on Splunk, and the matching update set must be installed on ServiceNow. This allows you to create an Evanios action on your queries, which sends data into Evanios running on ServiceNow. This works similarly to the Splunk webhook application, but instead sends the data via our agent, creating a new event on ServiceNow.

Splunk ServiceNow Integration

Event Structure

A Splunk-specific event table is created named u_splunk_events, which is an extension of the base event table u_event. The Splunk Events table adds fields to the base table that are unique to Splunk. These extended fields are described in the table below, along with the corresponding Splunk field names.

ServiceNow Table Field      Field Description
u_splunk_indextime          Index Time
u_splunk_index              Index
u_splunk_source             Source
u_splunk_searchterms        Search Terms
u_splunk_dispatchcontent    Dispatch Content
u_splunk_linecount          Linecount
u_splunk_splunkserver       Splunk Server
u_splunk_sourcetype         SourceType
u_splunk_serial             Serial
u_splunk_host               Host
u_splunk_time               Time
u_splunk_raw                Raw
u_splunk_eventtype          Event Type
u_splunk_sid                Event SID
u_splunk_fulljson           FullJSON
u_splunk_resultlink         Result Link
u_splunk_owner              Owner
u_splunk_app                App
u_splunk_methodreceived     Method Received (EVA, Processor)
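To make the column mapping above concrete, here is an added example (not code from the Evanios add-on or the EVAgent) that takes the JSON payload Splunk hands to a custom alert action on stdin and flattens it into values for the u_splunk_events columns listed above. The payload key names (sid, app, owner, results_link, server_host, session_key, result._raw and so on) are those of Splunk's documented custom alert action payload; which payload key feeds which u_splunk_* column is an assumption made for this example, as are the sample values, which are constructed. The base u_event columns are not described on this page, so only the extended Splunk columns are filled in. One practical point the example enforces: Splunk's payload carries the session_key of the user who owns the search, and that token should not be copied into the FullJSON column of a ServiceNow record.

```python
import json
import sys
from typing import Any, Dict, Optional, Tuple

# Constructed sample of a Splunk custom alert action payload. Key names follow
# Splunk's documented payload shape; every value here is made up.
SAMPLE_ALERT_PAYLOAD: Dict[str, Any] = {
    "sid": "scheduler__admin__search__RMD5example_at_1700000000_42",
    "search_name": "Failed logins from one source",
    "app": "search",
    "owner": "admin",
    "results_link": "https://splunk.example.internal:8000/app/search/@go?sid=scheduler__admin__search__RMD5example_at_1700000000_42",
    "server_host": "splunk-sh01",
    "server_uri": "https://127.0.0.1:8089",
    "session_key": "REDACT-ME-constructed-session-token",
    "configuration": {"severity": "3"},
    "result": {
        "_raw": "Nov 14 10:00:00 web01 sshd[1234]: Failed password for invalid user test",
        "_time": "1700000000",
        "_indextime": "1700000001",
        "_serial": "0",
        "host": "web01",
        "source": "/var/log/auth.log",
        "sourcetype": "linux_secure",
        "index": "os",
        "eventtype": "failed_login",
        "linecount": "1",
    },
}

# u_splunk_events column -> path into the alert payload. This mapping is an
# assumption for the example; the add-on's own mapping is not shown on the page.
# u_splunk_dispatchcontent has no obvious payload counterpart and is left unset.
FIELD_MAP: Dict[str, Tuple[str, ...]] = {
    "u_splunk_sid": ("sid",),
    "u_splunk_app": ("app",),
    "u_splunk_owner": ("owner",),
    "u_splunk_resultlink": ("results_link",),
    "u_splunk_splunkserver": ("server_host",),
    "u_splunk_searchterms": ("search_name",),  # assumed: the saved search name
    "u_splunk_indextime": ("result", "_indextime"),
    "u_splunk_index": ("result", "index"),
    "u_splunk_source": ("result", "source"),
    "u_splunk_sourcetype": ("result", "sourcetype"),
    "u_splunk_serial": ("result", "_serial"),
    "u_splunk_host": ("result", "host"),
    "u_splunk_time": ("result", "_time"),
    "u_splunk_raw": ("result", "_raw"),
    "u_splunk_eventtype": ("result", "eventtype"),
    "u_splunk_linecount": ("result", "linecount"),
}

# Columns without which an event record is not useful for correlation.
REQUIRED_COLUMNS = ("u_splunk_sid", "u_splunk_host", "u_splunk_raw")

# Payload keys that are credentials or local plumbing and must not be stored.
SENSITIVE_KEYS = ("session_key", "server_uri")


def _lookup(payload: Dict[str, Any], path: Tuple[str, ...]) -> Optional[Any]:
    """Walk a nested dict along path; return None if any hop is missing."""
    node: Any = payload
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def build_splunk_event(payload: Dict[str, Any], method_received: str = "EVA") -> Dict[str, str]:
    """Flatten one Splunk alert payload into u_splunk_events column values.

    method_received records how the event arrived; the page lists EVA
    (the agent) and Processor as the two values.
    """
    event: Dict[str, str] = {}
    for column, path in FIELD_MAP.items():
        value = _lookup(payload, path)
        if value is not None:
            event[column] = str(value)

    # FullJSON keeps the whole payload for later investigation, minus the
    # session token and server URI, which do not belong in a ticketing system.
    scrubbed = {k: v for k, v in payload.items() if k not in SENSITIVE_KEYS}
    event["u_splunk_fulljson"] = json.dumps(scrubbed, sort_keys=True)
    event["u_splunk_methodreceived"] = method_received

    missing = [c for c in REQUIRED_COLUMNS if c not in event]
    if missing:
        raise ValueError("alert payload lacks data for: " + ", ".join(missing))
    return event


if __name__ == "__main__":
    # As a custom alert script, read the payload Splunk pipes in; otherwise
    # fall back to the constructed sample so the example runs on its own.
    data = SAMPLE_ALERT_PAYLOAD if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(build_splunk_event(data), indent=2))
```

Run without input to see the sample mapped, or pipe a real alert payload in to check what a given saved search would produce before it reaches ServiceNow. Splunk passes result values as strings, so the columns are kept as strings rather than parsed; converting _time or _indextime to ServiceNow date fields is left to the receiving side.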

Installation and Configuration

Evanios Operations Configuration Steps

This section describes the steps to set up the Evanios Splunk application on ServiceNow so that it can receive events.

Download and Install the Update Set

  1. Download the Evanios_Splunk_<date>.zip from the Evanios download site.
  2. Create a Command Line Integration Type on the Integration Detail List on Evanios Agent.
  3. Once created, configure the Splunk app to use this port and PassKey.

Splunk Configuration Steps

Download and Install the Splunk App

  1. Install the app on Splunk.
    • Install the evanios_alerts.spl in your Splunk environment by downloading it from Splunkbase.
  2. Configure the alert actions to use the PassKey and port created in the previous section.

Creating Evanios Actions

Create an alert action and set the severity you want on the event that will be created on ServiceNow. The action also supports Splunk tokens.

Support for Splunk Webhook Application

Webhook Setup

Evanios also supports Splunk's native webhook application if you decide not to use the Evanios Splunk application. Here is how it works.

  1. Create an alert on Splunk and add the webhook action.
  2. Configure the URL to use: https://{yourserver}.service-now.com/splunkcloud.do in Evanios Operations.
