Monitor Workflows Automatically with Splunk + ServiceNow

Written by Arun Nair

Technical Lead - ServiceNow

Discovering the Tools

Splunk is a platform on which machine-generated data from websites, devices, and other CIs in the network can be searched, analyzed, and visualized so that it makes sense in real time. For example, say there is a continuous flow of data from one of the network devices that must be analyzed in real time so that the necessary action can be taken. Can Splunk help us with that? Yes. It can.

ServiceNow Event Management is an offering of the Now Platform that helps reduce the noise from different monitoring tools with the help of AIOps. In addition, the platform's machine learning is far more advanced than legacy tools and is capable of consolidating the events brought in and taking action on them. Finally, as the cherry on top, it provides impact analysis for each event, visualizing the CIs involved and the course the event takes through them.

How to Use Them?

The growth of machine data over the last few years has been unimaginable, and it is clear that the world is moving towards IoT and other cutting-edge technologies. The data gathered from the IT infrastructure holds a lot of information that can contribute to overall productivity and efficiency. That is the purpose behind Splunk.

For one customer, Splunk was used to provide analytics. They wanted to understand and identify the keywords that Splunk was capturing against their products. The purpose here was not to trigger alerts or automation but to perform keyword analysis. The data helped them name and rename products to make things easier for their customers.

Performing these operations over terabytes of data is something that needs precision and efficiency. Making sense of a system's log data is hard most of the time, and even when it can be done, we end up spending a lot of time on word-by-word analysis. Machine data, to put it simply, is complex, noisy, and unstructured. Splunk does that brainy work for us.

Once the data is analyzed and the noise filtered out, we need a place to push it for RCA and for taking the necessary steps to prevent outages. Here comes ServiceNow's Event Management. With OOB functionality like machine learning and Operational Intelligence, we can investigate issues in the infrastructure that may cause outages if left unattended.

Alert management helps perform the remediation, taking into account the actions taken in the past on similar occasions. It provides the option to set up rules that automate the response based on set conditions and criteria: for example, create an Incident or Change Request for the team to act on, or trigger a pre-built automation to perform the remediation.

Splunk works well with ServiceNow even without the Event Management module. But that can cause duplicate entries, because incidents are then created without first passing through the alert console. With Event Management, the operator workspace monitors the services in the environment, and the Alert console keeps watch on the alerts, refreshing automatically whenever an alert is updated.

Once an alert from Splunk is captured in the ServiceNow platform, various actions can be initiated, both manually and automatically.

For example:

  • A similar alert occurred in the past - The approach here is to look up the KB article associated with the previous occurrence and attach it to the newly created incident record. This lets the Service Engineer follow the steps performed previously without wasting any time.
  • The first occurrence of the alert ever - The approach here is to identify and create Incident or Change records based on the business process. The rules by which these decisions are made can be pre-defined. In either case, the ticket can be assigned to the right team, categorized, and bucketed, eliminating multiple hops.
  • The alert can be remediated by executing certain commands or following predefined steps - The approach here is to trigger an automation process already built on ServiceNow, or to trigger a web service call to the third-party tool to perform the remediation if it is built on a different platform.
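The routing decision described in the three cases above, as an added illustration that is not code from the original post or from ServiceNow. It is a plain Node.js model, not the Glide API or the Splunk SDK; the past-alert table, remediation catalogue, business rules, case precedence and sample alerts are all constructed assumptions. It also adds the duplicate check mentioned earlier, so a re-fired alert updates the open alert instead of creating a second incident.

```javascript
// Constructed "currently open" alerts, keyed by signature (type:host).
// A re-fired alert for an open signature is a duplicate and must not
// create a second incident.
const openAlerts = new Set(["latency:api-01"]);

// Constructed "past alerts" table: signature -> KB article that fixed it.
const pastAlerts = new Map([
  ["cpu_high:web-01", { kb: "KB-PLACEHOLDER-001" }],
]);

// Constructed remediation catalogue: signatures with a pre-built runbook.
const remediations = new Map([
  ["disk_full:db-02", { runbook: "purge-temp-files (placeholder)" }],
]);

// Constructed business rules for a first-time alert, evaluated in order;
// the last rule is a catch-all so a decision is always reached.
const firstOccurrenceRules = [
  { when: a => a.severity === "critical", create: "incident", team: "SRE" },
  { when: a => a.category === "config", create: "change", team: "Platform" },
  { when: () => true, create: "incident", team: "ServiceDesk" },
];

function signature(alert) {
  return `${alert.type}:${alert.host}`;
}

// Decide the action for one alert captured from Splunk.
// Precedence (an assumption of this example): duplicate -> pre-built
// remediation -> known from the past -> first occurrence.
function routeAlert(alert) {
  const sig = signature(alert);
  if (openAlerts.has(sig)) {
    return { action: "update_existing_alert", signature: sig };
  }
  if (remediations.has(sig)) {
    return { action: "trigger_remediation", runbook: remediations.get(sig).runbook };
  }
  if (pastAlerts.has(sig)) {
    return { action: "create_incident", attachKb: pastAlerts.get(sig).kb };
  }
  const rule = firstOccurrenceRules.find(r => r.when(alert));
  return { action: `create_${rule.create}`, team: rule.team };
}
```

A real implementation would read the same tables from the alert and KB records in the platform; the decision logic is what the example shows.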

Key Benefits of the Integration

  • Reduced noise and better understanding mean fewer service outages
  • Consolidation and analysis of events from existing infrastructure tools to increase productivity
  • Root cause analysis and remediation at a quick pace
  • Correlation of events without the CMDB
  • Reduced human error, as the process runs on rules and pre-defined steps
  • Find threats, determine security posture, and report on compliance through continuous security monitoring
  • Understand performance baselines
Maximize your service experience by integrating ServiceNow and Splunk. With Royal Cyber's team of ServiceNow experts, you can use the high frequency of events to analyze a massive number of insights in record time. Learn how to continuously detect, monitor, remediate, and mitigate vendor risks in the full story. For more information, you can email us at [email protected] or visit
