ServiceNow Security Incident (SIR) fields not populated from Splunk alert

Issue
ServiceNow Security Incident (SIR) fields not populated from Splunk alert

Cause
Splunk plugin: the ServiceNow Security Operations add-on allows Splunk to create security-related incidents and events in ServiceNow. This Splunk plugin is a push model from Splunk: Splunk sends data to ServiceNow via a REST call to /api/now/table/sn_si_incident_import. A transform map then updates the data into the sn_si_incident (SIR) table. If the data is not present in the REST call, the staging table does not have the data and the target table does not have the information either.

Resolution
It is recommended you use the below Splunk Enterprise Security App, which is actually a version we don't support in the ServiceNow Security Operations v1.22: https://splunkbase.splunk.com/app/3192

ServiceNow has certified v1.23, which will support Splunk Enterprise Security; you have to uninstall the old one and use this one instead: https://splunkbase.splunk.com/app/3921/

OR

Use the latest ServiceNow plugin, which is a REST API pull from ServiceNow: "Splunk Enterprise Security event ingestion integration for Security Operations by ServiceNow"
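
To confirm where a field goes missing in the push flow described under Cause (Splunk REST payload, then staging table, then transform map into the SIR table), the three records can be compared field by field. The following is an added example, not code from the add-on or from ServiceNow; the column names, the field map and the sample records are constructed assumptions and must be replaced with the ones from your own transform map.

```python
# Added example. FIELD_MAP and the three sample records are constructed;
# take the real column names from your instance's transform map.

def locate_field_loss(payload, staging_row, sir_row, field_map):
    """Report, per expected field, the stage at which its value disappears.

    payload     -- JSON body Splunk sent to /api/now/table/sn_si_incident_import
    staging_row -- the matching row read back from sn_si_incident_import
    sir_row     -- the resulting Security Incident (SIR) row
    field_map   -- {staging column: target column} from the transform map
    """
    def empty(record, key):
        value = record.get(key)
        return value is None or str(value).strip() == ""

    report = {}
    for src, dst in field_map.items():
        if empty(payload, src):
            # The case in the Cause section: nothing in the REST call,
            # so staging and target are empty as well.
            report[src] = "not sent by Splunk"
        elif empty(staging_row, src):
            report[src] = "sent but missing in staging table"
        elif empty(sir_row, dst):
            report[src] = "in staging but not mapped to SIR"
        else:
            report[src] = "ok"
    return report

# Constructed sample data (hypothetical column names).
FIELD_MAP = {"short_description": "short_description", "u_source_ip": "source_ip",
             "u_severity": "severity", "u_category": "category"}
PAYLOAD = {"short_description": "Brute force detected", "u_source_ip": "",
           "u_severity": "2", "u_category": "Unauthorized access"}
STAGING = {"short_description": "Brute force detected", "u_source_ip": "",
           "u_severity": "", "u_category": "Unauthorized access"}
SIR = {"short_description": "Brute force detected", "source_ip": "",
       "severity": "", "category": ""}

if __name__ == "__main__":
    for field, status in locate_field_loss(PAYLOAD, STAGING, SIR, FIELD_MAP).items():
        print(f"{field}: {status}")
```

A field reported as "not sent by Splunk" has to be fixed on the Splunk side (the alert or the add-on version); the other two statuses point at the staging table columns or the transform map in ServiceNow.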