Splunk® IT Service Intelligence

Administration Manual

Enable bidirectional ticketing in ITSI

Bidirectional ticketing lets you update and close episodes in IT Service Intelligence (ITSI) through an external ticketing system. A bidirectional integration exchanges data between your ITSI instance and a third-party system so that when you make an update to a ticket outside of ITSI, the episode information is also updated within ITSI.

ITSI leverages the Ticket Management data model in the Splunk Common Information Model (CIM) to normalize your data, using the same field names and event tags for equivalent events from your external ticketing system. See Ticket Management in The Splunk Common Information Model Add-on Manual.

This normalization enables you to create action rules for fields like priority, severity, and state without having to remember what they're called in your external system. See Overview of the Common Information Model in the Common Information Model Add-on Manual for an introduction to the data models and information about the fields and tags they use.

The following image shows how ITSI uses the CIM to update an episode.

This diagram shows two workflows. One workflow is creating a ticket through Episode Review. The second workflow is creating a ticket through aggregation policy action rules.

ITSI currently only supports bidirectional ticket integration with ServiceNow. Download the Splunk Add-on for ServiceNow from Splunkbase. To configure the app and technical add-on, see Configure ServiceNow to integrate with the Splunk platform in the Splunk Add-on for ServiceNow manual.


1. Enable the Bidirectional Ticketing correlation search

ITSI ships with a correlation search that enables bidirectional ticketing. The correlation search queries your ticketing data model and sends an event to the itsi_tracked_alerts index each time an update is made. When sending these events to itsi_tracked_alerts, the correlation search also maps your system's specific fields to the CIM fields. For more information, see Ticket management in the Common Information Model Add-on Manual.

The Bidirectional Ticketing correlation search is disabled by default. To enable it, perform the following steps:

  1. Click Configure > Correlation searches.
  2. Toggle the Bidirectional Ticketing correlation search to enable it.

2. (Optional) Specify the index to look at for available fields

When you configure action rules in the next step, ITSI pre-populates all possible fields and values from the main index. If your data is going into a different index, you can specify which index ITSI looks at when populating these fields.


  • Only users with file system access, such as system administrators, can specify a custom index using a configuration file.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.


  1. Open or create a local macros.conf file at $SPLUNK_HOME/etc/apps/SA-ITOA/local/.
  2. Under the [itsi_event_management_snow_incidents] stanza, specify the index in the definition setting. For example:
    [itsi_event_management_snow_incidents]
    args =
    definition = index=myspecialindex sourcetype=snow:incident
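
An offline check for the override described in this step, added here as an example (it is not Splunk's code). The function names `parse_definition` and `check_override` are hypothetical, the sample conf text is constructed from the values on this page, and the wildcard and sourcetype checks are assumptions of the example rather than documented ITSI requirements.

```python
import configparser
import re
from pathlib import PurePosixPath

STANZA = "itsi_event_management_snow_incidents"  # stanza name from the page
LOCAL_PATH = "$SPLUNK_HOME/etc/apps/SA-ITOA/local/macros.conf"
# Constructed sample: the page's example settings under their stanza header.
SAMPLE = f"[{STANZA}]\nargs =\ndefinition = index=myspecialindex sourcetype=snow:incident\n"

def parse_definition(definition):
    """Return the (index, sourcetype) a macro definition names; None if absent."""
    def first(key):
        m = re.search(rf'(?<![\w.]){key}\s*=\s*"?([^\s"]+)"?', definition)
        return m.group(1) if m else None
    return first("index"), first("sourcetype")

def check_override(path, conf_text):
    """Return a list of problems with a macros.conf override (empty means OK)."""
    problems = []
    parts = PurePosixPath(path).parts
    # Files under default/ must stay untouched; the override belongs in local/.
    if "default" in parts or "local" not in parts:
        problems.append("override must live in the app's local/ directory")
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    try:
        cp.read_string(conf_text)
    except configparser.Error as exc:
        return problems + [f"unparseable conf: {type(exc).__name__}"]
    if not cp.has_section(STANZA):
        return problems + [f"missing [{STANZA}] stanza"]
    index, sourcetype = parse_definition(cp.get(STANZA, "definition", fallback=""))
    if index is None:
        problems.append("definition names no index")
    elif "*" in index:
        # Assumption of this example: the override should name one index.
        problems.append(f"wildcard index {index!r} is broader than one index")
    # Sourcetype taken from the page's example definition.
    if sourcetype != "snow:incident":
        problems.append("definition does not select sourcetype=snow:incident")
    return problems

if __name__ == "__main__":
    print(check_override(LOCAL_PATH, SAMPLE) or "override looks correct")
```

A file that contains the two settings without the stanza header is reported as unparseable, which is the most common way this override silently fails to apply.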

3. Configure action rules

Configure action rules for a notable event aggregation policy that sync the fields in Episode Review with the corresponding fields in your ticketing system. For example, if you already set up an aggregation policy to create incidents in ServiceNow, you must add action rules to update the fields in the ITSI episode when they change in ServiceNow.

If you're integrating with ServiceNow, see Supported arguments for incidents for a table of arguments that ServiceNow supports for incident updates.

Once you configure your aggregation policy action rules and enable the correlation search, any ServiceNow ticket linked through the Link Ticket action in Episode Review has bidirectional functionality enabled by default, as long as you set the ticket system to "Service Now" in the Link Ticket modal. For more information, see Link a ticket in the Use Splunk IT Service Intelligence manual.

  1. Navigate to Configure > Notable Event Aggregation Policies.
  2. Open the existing policy that you use to create tickets in an external system.
  3. Click the Action Rules tab.
  4. Click Add Rule.
  5. Click the If dropdown list and choose the option "the <Ticketing System> incident associated with the episode has". The option only appears if you installed the CIM as well as the correct Splunk add-on for your ticketing system.
  6. Configure a condition for when a field in an external linked ticket changes. See the following example:

    If state matches 6 (Resolved) then change status to Resolved for the episode.

  7. Build out your aggregation policy so that each important change in your external ticketing system has an action rule that updates the corresponding episode in ITSI.
    For example, the action rules for state changes might look like the following three rules:
      • If the ServiceNow incident associated with the episode has a state of 2, change the status to In progress for the episode.
      • If it has a state of 3, 4, or 5, change the status to Pending for the episode.
      • If the state changes to 6, change the status to Resolved for the episode.

4. Test the integration

Test the integration to make sure you configured the fields correctly.

  1. Go to Episode Review and link an episode created by the aggregation policy you just configured to an incident in ServiceNow. You must use "Service Now" (with a space) for the Ticket System field in order for bidirectional ticketing to work. For instructions, see Link a ticket.
  2. Go to ServiceNow and update one of the field values for which you created an action rule. For example, change the ticket status from New to In Progress.
  3. Go back to Episode Review in ITSI and confirm that the corresponding field was updated within the episode. The field might take several minutes to update.

Last modified on 13 March, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.4.1, 4.4.2, 4.4.3
