Splunk® IT Service Intelligence

Administration Manual

Download manual as PDF

This documentation does not apply to the most recent version of ITSI. Click here for the latest version.
Download topic as PDF

Enable bidirectional ticketing with ServiceNow in ITSI

Bidirectional ticketing lets you update and close episodes in IT Service Intelligence (ITSI) through ServiceNow. A bidirectional integration exchanges data between your ITSI instance and ServiceNow so that when you make an update to a ServiceNow, the episode information is also updated within ITSI.

ITSI leverages the Ticket Management data model in the Splunk Common Information Model (CIM) to normalize your data, using the same field names and event tags for equivalent events from ServiceNOw. See Ticket Management in The Splunk Common Information Model Add-on Manual.

This normalization enables you to create action rules for fields like priority, severity, and state without having to remember what they're called in ServiceNow. See Overview of the Common Information Model in the Common Information Model Add-on Manual for an introduction to the data models and information about the fields and tags they use.

The following image shows how ITSI uses the CIM to update an episode.

This diagram shows two workflows. One workflow is creating a ticket through Episode Review. The second workflow is creating a ticket through aggregation policy action rules.

ITSI currently only supports bidirectional ticket integration with ServiceNow. Download the Splunk Add-on for ServiceNow from Splunkbase. To configure the app and technical add-on, see Configure ServiceNow to integrate with the Splunk platform in the Splunk Add-on for ServiceNow manual.

Prerequisites

1. Enable the Bidirectional Ticketing correlation search

ITSI ships with a correlation search that enables bidirectional ticketing. The correlation search queries the ServiceNow ticketing model and sends an event to the itsi_tracked_alerts index each time an update is made. When sending these events to itsi_tracked_alerts, the correlation search also maps ServiceNow to the CIM fields. For more information, see Ticket management in the Common Information Model Add-on Manual.

The Bidirectional Ticketing correlation search is disabled by default. To enable it, perform the following steps:

  1. Click Configure > Correlation searches.
  2. Toggle the Bidirectional Ticketing correlation search to enable it.

2. (Optional) Specify the index to look at for available fields

When you configure action rules in the next step, ITSI pre-populates all possible fields and values from the main index. If your data is going into a different index, you can specify which index ITSI looks at when populating these fields.

Prerequisites

  • Only users with file system access, such as system administrators, can specify a custom index using a configuration file.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.

Steps

  1. Open or create a local macros.conf file at $SPLUNK_HOME/etc/apps/SA-ITOA/local/.
  2. Under the [itsi_event_management_snow_incidents] stanza, specify the index in the definition setting. For example:
[itsi_event_management_snow_incidents]
args =
definition = index=myspecialindex sourcetype=snow:incident

3. Configure action rules

Configure action rules for a notable event aggregation policy that sync the fields in Episode Review with the corresponding fields in ServiceNow. For example, if you already set up an aggregation policy to create incidents in ServiceNow, you must add action rules to update the fields in the ITSI episode when they change in ServiceNow.

See Supported arguments for incidents for a table of arguments that ServiceNow supports for incident updates.

Once you configure your aggregation policy action rules and enable the correlation search, any ServiceNow tickets linked through the Link Ticket action in Episode Review has bidirectional functionality enabled by default, as long as you make the ticket system "Service Now" in the Link Ticket modal. For more information, see Link a ticket in the Use Splunk IT Service Intelligence manual.

  1. Navigate to Configure > Notable Event Aggregation Policies.
  2. Open the existing policy that you use to create tickets in ServiceNow.
  3. Click the Action Rules tab.
  4. Click Add Rule.
  5. Click the If dropdown list and choose the option the ServiceNow incident associated with the episode has. The option only appears if you installed the CIM as well as the correct Splunk add-on for ServiceNow.
  6. Configure a condition for when a field in ServiceNow changes. See the following example:

    If state matches 6 (Resolved) then change status to Resolved for the episode.

  7. Build out your aggregation policy so that each important change in ServiceNow has an action rule that updates the corresponding episode in ITSI.
    For example, the action rules for state changes might look like this: This screenshot shows three action rules configured. If the ServiceNow incident associated with the episode has a state of 2, change the status to In progress for the episode. If it has a state of 3, 4, or 5, change the status to Pending for the episode. If the state changes to 6, change the status to Resolved for the episode.

4. Test the integration

Test the integration to make sure you configured the fields correctly.

  1. Go to Episode Review and link an episode created by the aggregation policy you just configured to an incident in ServiceNow. You must use "Service Now" (with a space) for the Ticket System field in order for bidirectional ticketing to work. For instructions, see Link a ticket.
  2. Go to ServiceNow and update one of the field values for which you created an action rule. For example, change the ticket status from New to In Progress.
  3. Go back to Episode Review in ITSI and confirm that the corresponding field was updated within the episode. The field might take several minutes to update.

See also

Last modified on 09 April, 2020
PREVIOUS
Tune notable event grouping in ITSI
  NEXT
Resolve ITSI episodes automatically with Splunk Phantom

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters