Enable bidirectional ticketing with ServiceNow in ITSI
Bidirectional ticketing lets you update and close episodes in IT Service Intelligence (ITSI) through ServiceNow. A bidirectional integration exchanges data between your ITSI instance and ServiceNow so that when you make an update in ServiceNow, the episode information is also updated within ITSI.
ITSI leverages the Ticket Management data model in the Splunk Common Information Model (CIM) to normalize your data, using the same field names and event tags for equivalent events from ServiceNow. See Ticket Management in the Splunk Common Information Model Add-on Manual.
This normalization enables you to create action rules for fields like state without having to remember what they're called in ServiceNow. See Overview of the Common Information Model in the Common Information Model Add-on Manual for an introduction to the data models and information about the fields and tags they use.
The following image shows how ITSI uses the CIM to update an episode.
ITSI currently only supports bidirectional ticket integration with ServiceNow. Download the Splunk Add-on for ServiceNow from Splunkbase. To configure the app and technical add-on, see Configure ServiceNow to integrate with the Splunk platform in the Splunk Add-on for ServiceNow manual.
- Any required installations and configurations for ServiceNow.
- Configure the app and technical add-on for ServiceNow. For instructions, see Configure ServiceNow to integrate with the Splunk platform.
- Configure data inputs to collect data from your ServiceNow instance. For instructions, see Configure inputs for the Splunk Add-on for ServiceNow.
- The Splunk Common Information Model Add-on (CIM) must be installed.
1. Enable the Bidirectional Ticketing correlation search
ITSI ships with a correlation search that enables bidirectional ticketing. The correlation search queries the ServiceNow ticketing model and sends an event to the itsi_tracked_alerts index each time an update is made. When sending these events to itsi_tracked_alerts, the correlation search also maps ServiceNow fields to the CIM fields. For more information, see Ticket management in the Common Information Model Add-on Manual.
The Bidirectional Ticketing correlation search is disabled by default. To enable it, perform the following steps:
- Click Configure > Correlation searches.
- Toggle the Bidirectional Ticketing correlation search to enable it.
2. (Optional) Specify the index to look at for available fields
When you configure action rules in the next step, ITSI pre-populates all possible fields and values from the main index. If your data is going into a different index, you can specify which index ITSI looks at when populating these fields.
- Only users with file system access, such as system administrators, can specify a custom index using a configuration file.
- Review the steps in How to edit a configuration file in the Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.
- Open or create a local macros.conf file at
- Under the [itsi_event_management_snow_incidents] stanza, specify the index in the definition setting. For example:

    [itsi_event_management_snow_incidents]
    args =
    definition = index=myspecialindex sourcetype=snow:incident
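
The following is an added example, not part of the Splunk documentation or product code. It shows one way to apply the step 2 change idempotently: it rewrites only the definition line of the [itsi_event_management_snow_incidents] stanza, leaves other macros alone, and refuses any target that is not a local/macros.conf. The function names and the index-name pattern are assumptions, and the file path is passed in by the caller because this page does not state it.

```python
import re
from pathlib import Path

STANZA = "itsi_event_management_snow_incidents"  # stanza name from the page
# Assumption: a conservative index-name pattern. The value is spliced into a
# search macro, so anything else (spaces, pipes, quotes) is rejected.
INDEX_RE = re.compile(r"[a-z0-9][a-z0-9_-]*")

def set_snow_index(conf_text, index):
    """Return macros.conf text whose stanza definition searches `index`."""
    if not INDEX_RE.fullmatch(index):
        raise ValueError(f"unexpected index name: {index!r}")
    definition = f"definition = index={index} sourcetype=snow:incident"
    out, in_stanza, seen, wrote = [], False, False, False
    for line in conf_text.splitlines():
        header = re.fullmatch(r"\s*\[(.+)\]\s*", line)
        if header:
            if in_stanza and not wrote:  # stanza ended without a definition
                out.append(definition)
                wrote = True
            in_stanza = header.group(1) == STANZA
            seen = seen or in_stanza
        elif in_stanza and re.match(r"\s*definition\s*=", line):
            if wrote:
                continue  # drop duplicate definition lines
            line, wrote = definition, True
        out.append(line)
    if in_stanza and not wrote:
        out.append(definition)
    if not seen:  # stanza absent: append it, leaving other macros untouched
        if out and out[-1].strip():
            out.append("")
        out += [f"[{STANZA}]", "args =", definition]
    return "\n".join(out) + "\n"

def update_local_macros(path, index):
    """Apply the change to a local macros.conf; `path` is supplied by the caller."""
    p = Path(path)
    if p.name != "macros.conf" or p.parent.name != "local":
        raise ValueError("refusing to write outside a local/ directory")
    existing = p.read_text() if p.exists() else ""
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(set_snow_index(existing, index))
    return p
```

Running it twice with the same index leaves the file unchanged, so it is safe to use from configuration management.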
3. Configure action rules
Configure action rules for a notable event aggregation policy that sync the fields in Episode Review with the corresponding fields in ServiceNow. For example, if you already set up an aggregation policy to create incidents in ServiceNow, you must add action rules to update the fields in the ITSI episode when they change in ServiceNow.
See Supported arguments for incidents for a table of arguments that ServiceNow supports for incident updates.
Once you configure your aggregation policy action rules and enable the correlation search, any ServiceNow ticket linked through the Link Ticket action in Episode Review has bidirectional functionality enabled by default, as long as you set the ticket system to "Service Now" in the Link Ticket modal. For more information, see Link a ticket in the Use Splunk IT Service Intelligence manual.
- Navigate to Configure > Notable Event Aggregation Policies.
- Open the existing policy that you use to create tickets in ServiceNow.
- Click the Action Rules tab.
- Click Add Rule.
- Click the If dropdown list and choose the option "the ServiceNow incident associated with the episode has". The option only appears if you installed the CIM as well as the correct Splunk add-on for ServiceNow.
- Configure a condition for when a field in ServiceNow changes. See the following example:
If state matches 6 (Resolved) then change status to Resolved for the episode.
- Build out your aggregation policy so that each important change in ServiceNow has an action rule that updates the corresponding episode in ITSI.
For example, the action rules for state changes might look like this:
4. Test the integration
Test the integration to make sure you configured the fields correctly.
- Go to Episode Review and link an episode created by the aggregation policy you just configured to an incident in ServiceNow. You must use "Service Now" (with a space) for the Ticket System field in order for bidirectional ticketing to work. For instructions, see Link a ticket.
- Go to ServiceNow and update one of the field values for which you created an action rule. For example, change the ticket status from
- Go back to Episode Review in ITSI and confirm that the corresponding field was updated within the episode. The field might take several minutes to update.
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.4.1, 4.4.2, 4.4.3