ServiceNow CMDB integration with Splunk

I already wrote a blog about the functional integration of Splunk and ServiceNow (Let Splunk Enterprise and ServiceNow really work together). In there I showed how also incidents, Problems, and Changes could be better integrated and make easier to retrieve for Splunk users. In this blog, I want to spend some words especially on the ServiceNow CMDB integration within Splunk. This is obvious for me but at the moment of writing, there is no other solution than mine to do that. And the number of use cases for having this integration is enormous. And yes the CMDB is sometimes a challenge in itself, but at least you want to reuse that CMDB content AND context within Splunk.

We definitely should bother about the CMDB as I described in one of my earlier posts Splunk and CMDB/CMS/IT4IT blog series part 1: Why should we bother?. In fact, I do think that this is becoming more and more relevant the more organizations are doing “in the cloud”!

What is this “ServiceNow CMDB integration with Splunk” about?

ServiceNow is used a lot in the world of Service Management. They now also see that for all of their applications they need common definitions of Configuration Items (CIs) which is why ServiceNow came up with the Common Service Data Model (CSDM). According to ServiceNow itself:

“The CSDM terms and definitions enable service reporting and provide prescriptive guidelines for service modeling within the ServiceNow® Configuration Management Database (CMDB). The CSDM data model is a CMDB framework that supports multiple configuration strategies. The data model includes guidelines for using base system tables and relationships. Many ServiceNow products depend on data within this data model.”.

For a more complete overview see: https://docs.servicenow.com/bundle/quebec-servicenow-platform/page/product/csdm-implementation/concept/csdm-basics.html

But the CMDB on itself is not only for Service Management as I see it. We should be able to use the same CMDB content and context (relationships) also within Splunk (Enterprise, Cloud, ITSI, or ES) and other tooling parts of the IT4IT tooling landscape. Splunk is really good in data analytics for several different use cases but is not that powerful if you want to do some analysis on relationships or want to bring data into a hierarchy context.

That is why I developed the Common or Corporate Metadata Data Model in short CMDM.

The CMDM acts as a man in the middle between in this case ServiceNow and Splunk. Within the “Input Integrations” there is a ServiceNow CMDB integration module that inserts CMDB CIs and their relationships into the CMDM. To consume the data within the CMDM you either use the out-of-the-box graph analytics interface or use the “Splunk ServiceNow CMDB app” on Splunkbase (soon). More information about the CMDM product can be found here: Common Metadata Data Model (CMDM)

What are the benefits of this ServiceNow CMDB integration with Splunk

Really a lot. I already explained some of it on the following page: Splunk – ServiceNow. So for the already existing Splunk environment, the CMDM is already of benefit. But let me add some use cases of having the ServiceNow, Splunk, and the CMDM solution:

• Make an Agile way of working possible. Most organizations have experienced that to make the agile way of working possible they have to use Splunk in the operations space. With Splunk, teams can really focus on the things that they have on their plate without worrying about where their monitoring or data is.
• Enable Digital Transformation. With this comes a lot of data and dependencies of all sorts of services. With the increase in data becomes the need to bring that in context.
• Adopting IT4IT Reference Architecture. The backbone of the IT4IT Reference Architecture is the service or digital product model. These are containing all sorts of objects during their value stream lifecycle. Splunk is perfectly suited to have all the data of those objects. The CMDM brings the IT4IT data model context to it. Without using Splunk you miss the boat of the Application/DevOps teams as they need to work with the IT4IT otherwise the whole IT4IT falls into an administration-only corner.
• Enabling SOC with up-to-date content and context. Often we see the SOC working with spreadsheets filled with relationship details. That spreadsheet is often filled with assets and some extra information about owners or where they belong to. Most SOCs in the world trust the Splunk SIEM solution so it makes sense to transform those spreadsheets into live up-to-date information that is usable for its content and context.
• Increase adoption and quality of CMDB. I strongly believe that once CMDB data can be used by all sorts of teams they see the benefit of a high-quality CMDB and as such want to help with doing that. And a lot of Application or DevOps teams are using Splunk for their data analytics or monitoring. So it makes sense to provide them with their CMDB data.
• Fraud analytics. For doing all sorts of fraud analytics you not only need data but especially context. And again Splunk is very well suited to contain all sorts of underlying data but it needs a CMDM solution to bring it all in context and to be alerted.
• User Behaviour Analytics. Again it is about relationships (context) as with UBA one wants to spot “strange” behavior. One can think of behavioral patterns in email traffic or where users are login.
• Bringing data in context. Within Splunk, you have a lot of data. With the CMDM solution someone can query the system with something like: give me the data for the given service, or give me all application data for my business unit, or what Splunk knowledge objects are related to what other Splunk knowledge objects.
• Adding metadata to data. The CMDM can be automatically searched by Splunk at “search” time making it possible to add CMDB-related fields on the fly.

As you are reading this post it means your organization is using or planning Splunk and probably already using ServiceNow CMDB.

Want to know what this means for your organization

If you’re interested in knowing more about what this integration can bring for your organization please fill in the below form and I will be in contact soon.