ServiceNow
Integrate ServiceNow as a data source in the Observo AI pipeline using the dedicated Splunk HEC Source. Configure ServiceNow to forward ITSM, security, and operational data directly to Observo AI's ServiceNow-specific HTTP endpoint for real-time analysis, correlation, and intelligent routing to downstream systems.
Purpose
The Observo AI ServiceNow integration leverages a dedicated Splunk HEC Source to enable organizations to ingest IT service management data, security events, and operational metrics from ServiceNow instances. This integration provides ServiceNow-specific configurations and supports real-time data collection with enhanced security features, enabling comprehensive monitoring, analysis, and correlation with other data sources in the Observo AI platform.
How it works
The ServiceNow integration works by configuring ServiceNow to send data to Observo AI's dedicated Splunk HEC Source using webhooks or outbound REST messages. ServiceNow can forward various types of data including:
Incident Records: IT service desk tickets and service requests
Security Events: Security incident response and vulnerability data
CMDB Updates: Configuration item changes and relationships
Performance Metrics: Service health and performance data
Audit Logs: Administrative actions and system changes
Table-specific Data: Data from specific ServiceNow tables like sys_audit, syslog, incident, change_request
When data is received, Observo AI processes it through its AI-powered pipeline, enabling enrichment, transformation, and intelligent routing based on configured rules.
Authentication Requirements
Permissions Required
ServiceNow Admin Access: To configure webhooks and outbound integrations
Integration User: Dedicated ServiceNow user with appropriate roles for data access
Network Connectivity: Outbound HTTPS access from ServiceNow to Observo AI
Authentication Methods
The ServiceNow Source supports multiple authentication methods:
Basic Authentication: Username and password for HTTP Basic Auth
API Token: Authentication via ServiceNow API tokens
Combined Authentication: Support for both username/password and API token
IP Allowlisting: Restrict incoming connections to specified ServiceNow instance IPs
Instance Validation: ServiceNow instance identifier validation for additional security
Prerequisites
Observo AI Platform Setup
The Observo AI platform must be installed and operational
ServiceNow Source must be available and configured
Network endpoint accessible from ServiceNow (public IP or properly configured NAT/firewall rules)
Valid SSL/TLS certificate for HTTPS endpoints (recommended for production)
ServiceNow Configuration Requirements
ServiceNow Instance: Access to a ServiceNow instance with admin privileges
Integration User: Dedicated service account with appropriate roles
Outbound Connectivity: Ability to send HTTP/HTTPS requests to external systems
Required Plugins: Ensure necessary plugins are activated (e.g., IntegrationHub, Web Services)
Instance Identifier: ServiceNow instance name for validation
Network and Connectivity
Firewall Rules: Allow inbound HTTPS traffic on configured port (range: 1-65535)
Load Balancer (Optional): For high availability and traffic distribution
DNS Resolution: Proper DNS configuration for Observo AI endpoint FQDN
Observo AI Platform: Must support ServiceNow Source
ServiceNow Version: New York or later recommended
Authentication: Basic Auth, API tokens, or combined
Network Connectivity: Outbound HTTPS from ServiceNow
SSL Certificate: Valid certificate for HTTPS endpoints
Port Range: 1-65535 for ServiceNow source
Integration
Step 1: Configure Observo AI ServiceNow Source
Configure the Splunk HEC Source
Step 2: Configure ServiceNow Webhook
Access ServiceNow
Log in to your ServiceNow instance with admin privileges
Navigate to System Web Services > Outbound > REST Message
Create New REST Message
Click New
Name: Observo AI ServiceNow Integration
Endpoint: https://your-observo-instance:10091/servicenow
Authentication Type: Basic (if using username/password) or OAuth 2.0 (if using API token)
Username: servicenow_user (if using basic auth)
Password: [secure-password] (if using basic auth)
HTTP Method: POST
Configure HTTP Headers
Name: Content-Type
Value: application/json
Name: Authorization (if using API token)
Value: Bearer [servicenow-api-token]
Test Connection
Click Test to verify connectivity to Observo AI
Check the response for success
Create Scripted REST API (For Custom Integrations)
Navigate to System Web Services > Scripted REST APIs
Create a new Scripted REST API
Define resources and scripts to forward data to Observo AI
Step 3: Configure Data Forwarding
Using ServiceNow Notifications
Navigate to System Notification > Email > Notifications
Create a new notification
Set Type to Webhook
Configure the webhook to point to your Observo AI ServiceNow endpoint
Using ServiceNow Flow Designer
Navigate to Flow Designer
Create a new flow triggered by record events
Add a REST step to forward data to Observo AI
Configure error handling and retries
Using ServiceNow Event Management
Navigate to Event Management > Connections
Create a new connection to Observo AI
Configure event forwarding rules
Example Configuration
ServiceNow Source Configuration Example
{
  "source_name": "servicenow-production",
  "source_type": "ServiceNow Logs",
  "config": {
    "address": "0.0.0.0:10091",
    "servicenow_instance": "company",
    "auth": {
      "username": "observo_integration",
      "password": "[secure-password]",
      "token": "[api-token]"
    },
    "encoding": "json",
    "method": "POST",
    "path": "/servicenow/events",
    "allowed_source_ips": ["192.168.1.0/24", "10.0.0.1"],
    "allowed_tables": [
      "sys_audit",
      "syslog",
      "incident",
      "change_request",
      "sys_user"
    ]
  }
}
ServiceNow Webhook Configuration
// Sample Script Include for Outbound REST Message
var sendToObservo = function (record, tableName) {
  try {
    var r = new sn_ws.RESTMessageV2(
      "Observo AI ServiceNow Integration",
      "default post"
    );
    // Set request body with record data and table information
    var requestBody = {
      event: "record_updated",
      table: tableName,
      record: record,
      source: "servicenow",
      instance: "company",
      timestamp: new Date().toISOString(),
    };
    r.setRequestHeader("Content-Type", "application/json");
    r.setRequestBody(JSON.stringify(requestBody));
    // Execute the request
    var response = r.execute();
    var responseBody = response.getBody();
    var httpStatus = response.getStatusCode();
    if (httpStatus != 200) {
      gs.error("Failed to send data to Observo AI: " + responseBody);
      return false;
    }
    return true;
  } catch (ex) {
    gs.error("Error in sendToObservo: " + ex.message);
    return false;
  }
};
Troubleshooting
Common Issues
401 Unauthorized: Invalid credentials. Verify username/password/API token in ServiceNow and Observo AI match.
403 Forbidden: IP address not allowed. Check allowed_source_ips configuration.
404 Not Found: Incorrect endpoint URL. Check the path in ServiceNow webhook configuration.
422 Unprocessable Entity: Table not allowed or instance mismatch. Verify allowed_tables and servicenow_instance configuration.
Connection refused: Firewall blocking or service not running. Verify network connectivity and Observo AI service status.
SSL Handshake failed: Certificate validation error. Ensure valid SSL certificates are configured.
No data received: Webhook not triggering or data not being sent. Check ServiceNow logs and webhook configuration.
Diagnostic Steps
Test ServiceNow Source Endpoint
curl -X POST https://your-observo-instance:10091/servicenow/events \
  -H "Content-Type: application/json" \
  -u "username:password" \
  -d '{ "test": "connection", "source": "servicenow", "instance": "company", "table": "sys_audit" }'
Test with API Token
curl -X POST https://your-observo-instance:10091/servicenow/events \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer [api-token]" \
  -d '{ "test": "connection", "source": "servicenow", "instance": "company" }'
Check ServiceNow Logs
Navigate to System Logs > System Log > All
Filter for "webhook" or "Observo"
Verify Observo AI Logs
Check ServiceNow source logs for incoming requests
Look for authentication, IP filtering, or table validation errors
Security Features
IP Address Filtering
Configure allowed_source_ips to restrict access to known ServiceNow instance IP addresses:
"allowed_source_ips": [
  "192.168.1.100",
  "10.0.0.0/24",
  "203.0.113.0/24"
]
Table Access Control
Use allowed_tables to limit which ServiceNow tables can send data:
"allowed_tables": [
  "sys_audit",
  "syslog",
  "incident",
  "change_request",
  "problem",
  "sys_user"
]
Instance Validation
Set servicenow_instance to validate that incoming data is from the expected ServiceNow instance.
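The three controls above, combined with the status codes in the troubleshooting list, can be modeled offline to predict how a given request will be treated before it is sent. The following Python is an added example, not Observo AI's code: the function names (ip_allowed, credentials_ok, expected_status) are hypothetical, the credential values are constructed, and the order of checks and the acceptance of a payload without a table field are assumptions.

```python
import hmac
import ipaddress

# Constructed config using the keys from this page; values are sample data.
CONFIG = {
    "servicenow_instance": "company",
    "auth": {"username": "observo_integration", "password": "example-password",
             "token": "example-token"},
    "allowed_source_ips": ["192.168.1.100", "10.0.0.0/24", "203.0.113.0/24"],
    "allowed_tables": ["sys_audit", "syslog", "incident", "change_request"],
}


def ip_allowed(src_ip, entries):
    """True if src_ip matches any entry; entries may be single IPs or CIDRs."""
    addr = ipaddress.ip_address(src_ip)
    # strict=False accepts entries with host bits set, e.g. "192.168.1.5/24"
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def credentials_ok(auth_cfg, username=None, password=None, token=None):
    """Accept a matching token or a matching username/password pair."""
    def same(a, b):
        # Constant-time comparison so a mismatch position is not leaked by timing.
        return a is not None and hmac.compare_digest(a.encode(), b.encode())
    if same(token, auth_cfg["token"]):
        return True
    return same(username, auth_cfg["username"]) and same(password, auth_cfg["password"])


def expected_status(cfg, src_ip, payload, **creds):
    """Status the troubleshooting list predicts for one request.
    Check order (IP, then credentials, then payload) is an assumption."""
    if not ip_allowed(src_ip, cfg["allowed_source_ips"]):
        return 403  # IP address not allowed
    if not credentials_ok(cfg["auth"], **creds):
        return 401  # invalid credentials
    if payload.get("instance") != cfg["servicenow_instance"]:
        return 422  # instance mismatch
    table = payload.get("table")  # assumption: a payload without a table is accepted
    if table is not None and table not in cfg["allowed_tables"]:
        return 422  # table not allowed
    return 200


if __name__ == "__main__":
    event = {"source": "servicenow", "instance": "company", "table": "sys_audit"}
    print(expected_status(CONFIG, "10.0.0.17", event, token="example-token"))
```

Running the same payloads through this model and through the curl tests in Diagnostic Steps shows quickly whether a rejection comes from the allowlist, the credentials, or the table and instance settings.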
Best Practices
Security
Always use HTTPS with valid certificates
Implement IP allowlisting for additional security
Use API tokens for authentication when possible
Rotate authentication credentials regularly
Configure instance validation
Performance
Batch events when possible to reduce HTTP requests
Monitor ServiceNow source metrics for performance issues
Consider load balancing for high-volume environments
Use table filtering to reduce unnecessary data
Data Management
Only forward necessary data to Observo AI
Use allowed_tables to restrict data sources
Monitor data volume and adjust filtering as needed
Include table information in payloads for better processing
Resources
Support
For assistance with the ServiceNow integration:
ServiceNow Support: Contact ServiceNow support for issues with webhooks or REST messages
Observo AI Support: Open a support ticket for ServiceNow source configuration
Network Team: For connectivity or firewall issues
Last updated: January 2025

