Modules

ServiceNow Discovery: How It Works and What It Actually Finds

ServiceNow Discovery automatically scans your network and populates the CMDB with Configuration Items. It sounds straightforward — run Discovery, get CMDB data. In practice, Discovery requires careful planning and ongoing maintenance. Here is how it actually works.

What Discovery does

Discovery scans IP ranges on your network, identifies devices and software, and creates or updates CI records in the CMDB. It runs on a schedule — typically daily or weekly — so the CMDB stays current as your infrastructure changes.

The Discovery architecture

Discovery uses three components:

  • MID Server — runs inside your network, has line-of-sight to the devices being scanned
  • Probes — scripts that the MID Server runs to interrogate devices (SNMP queries, WMI calls, SSH commands, etc.)
  • Sensors — scripts that run on the ServiceNow server to parse probe results and create/update CI records

The flow: ServiceNow tells the MID Server to scan an IP range → MID Server runs Probes against each device → probe results come back to ServiceNow → Sensors parse the results → CI records are created or updated.

Discovery phases

  1. Scan — ping sweep to find which IPs are responding
  2. Classify — determine what type of device each IP is (Windows server, Linux, network device, etc.)
  3. Identify — gather detailed information based on device type
  4. Explore — deeper discovery of applications, services, and relationships running on the device

What Discovery finds

Depending on your configuration and access credentials:

  • Servers — Windows, Linux, Unix (hardware specs, OS version, patches)
  • Network devices — routers, switches, firewalls (via SNMP)
  • Storage devices
  • Running applications and services
  • Installed software (Windows registry, Linux package managers)
  • TCP/IP relationships between servers

Credentials Discovery needs

Discovery requires credentials to log into devices and run interrogation commands. Configure these in Discovery > Credentials:

  • Windows devices — domain admin or local admin credentials (WMI/PowerShell)
  • Linux/Unix — SSH credentials (key-based preferred)
  • Network devices — SNMP community strings or SNMPv3 credentials
  • VMware — vCenter credentials

Without valid credentials, Discovery can identify a device exists but cannot gather detailed CI attributes.

Why CMDB data still ends up wrong

Discovery is accurate at the moment it runs, but infrastructure changes constantly. Common causes of CMDB drift:

  • Servers decommissioned without removing the CI — Discovery stops seeing them and marks them stale, but stale records persist
  • Discovery frequency too low — weekly Discovery misses short-lived cloud instances
  • Credential failures — Discovery silently skips devices it cannot authenticate against
  • Network changes — new subnets added but Discovery IP ranges not updated
  • Relationships not cleaned up when CIs are removed

Discovery logs and troubleshooting

When a device is not being discovered correctly, check: Discovery > Discovery Log filtered by the device IP. The log shows exactly which probes ran, which succeeded, and which failed — along with the specific error message. Credential failures and network timeouts show up here.

Cloud Discovery

For AWS, Azure, and GCP resources, ServiceNow has Cloud Discovery — a separate mechanism that uses cloud provider APIs rather than network scanning. Cloud Discovery requires configuring cloud credentials (IAM roles for AWS, service principals for Azure) rather than device-level credentials.

Want the complete reference?

This article is part of the NowSpectrum knowledge library. Browse all products for cheat sheets, interview prep, and deep-dive reference guides.

Browse All Products →