ServiceNow integration with Elasticsearch


I have a setup of ELK Stack 7.5.1 to visualize/analyse different kinds of logs in our environment. We also have ServiceNow, the tool where we raise tickets.
I want to integrate ServiceNow with Elasticsearch. Is there any direct integration available?
Please help.


Hi @tahseen_fatima - Could you tell us more about your use case and what you would expect as part of the integration with ServiceNow?

Firstly thank you for the reply.

We are using the ServiceNow Madrid ticketing tool.
My use case is: whenever someone raises a new ticket in ServiceNow, that ticket should automatically be ingested into Elasticsearch.
After that we will be able to analyze it.


@tahseen_fatima Thank you for the information provided.

There is no out-of-the-box integration between Elasticsearch and ServiceNow.

I am not an expert with ServiceNow, but these ideas below could be worth exploring:

  • Use Logstash and the http_poller input plugin to retrieve data from the incident table in ServiceNow.
  • Looking at the documentation in ServiceNow, it might be possible to define a business rule when an event is triggered and use the outbound REST web service (e.g. calling Logstash / Elasticsearch APIs to ingest documents).

I hope that helps.

Thank you for the reply.

This is my logstash config file:

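input {
  http_poller {
    # Named URL to poll; the name ("url") appears in the event metadata
    urls => {
      url => ""
    }
    request_timeout => 60
    #proxy => { host => "" port => "443" scheme => "http"}
    # Poll once a minute
    schedule => { cron => "* * * * * UTC"}
    # Store request/response details (status code, headers) on each event
    metadata_target => "http_poller_metadata"
    # Parse the response body as JSON
    codec => "json"
    # HTTP basic authentication credentials
    user => "admin"
    password => "*****@"
  }
}
output {
  stdout {
    codec => rubydebug
  }
}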

The output I am getting.

.base');\nvar $targets = angular.element('*[concourse-compilation-target]');\nvar bootstrapModule = angular.module('appBootstrap', window.NOW.ngLoadModules);\nangular.bootstrap(document.documentElement, []);\nscheduleCompilation($targets);\n}\nangular.element(document).ready(function() {\nsetTimeout(bootstrap)\n});\n})(angular, window);\n;\n</script></body></html>",
                    "tags" => [
        [0] "_jsonparsefailure"
    "http_poller_metadata" => {
           "times_retried" => 0,
                    "host" => "tahseen",
        "response_headers" => {
                              "expires" => "0",
                                 "date" => "Fri, 07 Feb 2020 06:40:51 GMT",
                               "pragma" => "no-store,no-cache",
                      "x-frame-options" => "SAMEORIGIN",
                         "content-type" => "text/html;charset=UTF-8",
                       "x-is-logged-in" => "false",
            "strict-transport-security" => "max-age=63072000; includeSubDomains",
                     "x-transaction-id" => "f0602b7ddb76",
                               "server" => "ServiceNow",
                      "referrer-policy" => "same-origin",
                        "cache-control" => "no-cache,no-store,must-revalidate,max-age=-1",
                    "transfer-encoding" => "chunked",
                           "set-cookie" => [
                [0] "JSESSIONID=817CE4D2BCCD20095554E7EB311FA0E8; Path=/; HttpOnly;Secure",
                [1] "glide_user=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly;Secure",
                [2] "glide_user_session=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly;Secure",
                [3] "glide_user_route=glide.d0049332062fb78bdaadecdaf9983d3c; Max-Age=2147483647; Expires=Wed, 25-Feb-2088 09:54:58 GMT; Path=/; HttpOnly;Secure",
                [4] "BIGipServerpool_dev68751=192960522.64064.0000; path=/; Httponly; Secure"
        "response_message" => "OK",
         "runtime_seconds" => 2.023368,
                    "name" => "url",
                 "request" => {
               "url" => "",
            "method" => "get"
                    "code" => 200

Why is it giving "_jsonparsefailure"?

Kindly help.


@tahseen_fatima - the url is not correct - this is not a valid ServiceNow REST API endpoint.

You should check the REST API reference from ServiceNow and choose which REST API endpoint you wish to use.


Now I am giving this url
url => "https://dev***"

Now I am getting the following output.

Now I am getting the proper output.

But I want to ingest multiple incidents. Kindly refer to the image below.


@tahseen_fatima - I am not an expert in ServiceNow API but from what I can see, the previous url is matching a specific incident number (i.e. sysparm_query=number=INC0000601). You would need to check which query parameters would return to you the list of desired documents.


Thanks for your help.




Thanks for the help,
I have solved the issue.

This is my new url.
url => ""


Now I am getting the full data.


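A Logstash pipeline that pulls the thread's pieces together, as an added example that is not part of any post above: it polls the ServiceNow Table API for incidents, flags the HTML login-page response that produced the `_jsonparsefailure` shown earlier, and indexes one document per incident. The instance name `INSTANCE`, the `SNOW_USER`/`SNOW_PASSWORD` keystore entries, the `active=true` query, the Elasticsearch host and the index name are assumptions.

```logstash
# Added example, not from the thread. INSTANCE, the SNOW_* entries, the query,
# the Elasticsearch host and the index name are placeholders/assumptions.
input {
  http_poller {
    urls => {
      incidents => {
        method => get
        # Table API endpoint; a UI URL answers 200 with the HTML login page.
        url => "https://INSTANCE.service-now.com/api/now/table/incident?sysparm_query=active=true&sysparm_limit=100"
        headers => { Accept => "application/json" }
        # Resolved from the Logstash keystore or environment, not kept in this file.
        user => "${SNOW_USER}"
        password => "${SNOW_PASSWORD}"
      }
    }
    request_timeout => 60
    schedule => { cron => "* * * * * UTC" }
    metadata_target => "http_poller_metadata"
    codec => "json"
  }
}

filter {
  # Status 200 is not enough: the failed poll above had content-type text/html
  # and x-is-logged-in "false".
  if "_jsonparsefailure" in [tags] or [http_poller_metadata][response_headers][content-type] !~ /json/ {
    mutate { add_tag => ["servicenow_bad_response"] remove_field => ["message"] }
  } else {
    # The Table API wraps rows in a "result" array: emit one event per incident.
    split { field => "result" }
  }
}

output {
  if "servicenow_bad_response" in [tags] {
    # Keep failed polls out of the index; print them for troubleshooting.
    stdout { codec => rubydebug }
  } else {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "servicenow-incidents"
      # sys_id as document id: repeated polls update an incident instead of duplicating it.
      document_id => "%{[result][sys_id]}"
    }
  }
}
```

The metadata field paths follow the rubydebug output posted earlier in the thread (Logstash 7.5.1); a read-only ServiceNow account scoped to the incident table is sufficient for this poll.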
