Docs » Respond to and manage incidents » Create ServiceNow tickets within Splunk Incident Intelligence incidents

Create ServiceNow tickets within Splunk Incident Intelligence incidents πŸ”—

You can create ServiceNow tickets within Incident Intelligence incidents. With this integration, Splunk Incident Intelligence aggregates your alerts, notifies the on-call responders, while all incident and customer details remain in ServiceNow.

This lets you create and close ServiceNow tickets from within Incident Intelligence. Updates to the ServiceNow ticket must be performed in ServiceNow.

Configure ServiceNow for Incident Intelligence πŸ”—

Allow Incident Intelligence to create ServiceNow tickets.

Perform the following steps:

  1. Log into Splunk Observability Cloud,

  2. Open the ServiceNOW for Incident Intelligence setup page . Optionally, you can navigate to the setup on your own:

    1. Select Data Management.

    2. Select Add Integration.

    3. In the drop-down, select Product and search for Incident Intelligence.

    4. Select ServiceNow Incident Intelligence.

  3. By default, the name of the integration is ServiceNow. Give your integration a unique and descriptive name. For information about the downstream use of this name, see About naming your integrations.

  4. Enter the ServiceNow URL for the instance.

  5. In the Username or Client field, enter the user ID from ServiceNow or the Oauth client ID.

  6. In the Password or Client field, enter the password from ServiceNow or the Oauth client secret.

  7. In the Provide the timezone field, enter the time zone name for the ServiceNOW integration.

  8. In the Observability Integration Token field, enter the API Access token for your Incident Intelligence org. This must be an org level API access token.

  9. Select Save

You are now ready to configure ServiceNow as part of the incident policy workflows in Incident Intelligence.

Connect ServiceNow to Splunk Incident Intelligence incident policy workflows πŸ”—

When you have configured the ServiceNow integration with Observability Cloud, you can configure Splunk Incident Intelligence and ServiceNow in one or more incident policies. This eliminates the need for individual responders to manually run the configuration steps in each incident. Any incident created under the incident policy automatically has the ServiceNow ticket configuration populated.

Perform the following steps:

  1. In Splunk Incident Intelligence, select Incident Management.

  2. On the Incident Policies tab, select an incident.

  3. Select the Incident Workflows tab to configure an action for the policy.

  4. Select Add action.

  5. On the Add new action dialog, in the Integration field, select Create ServiceNOW ticket.

  6. Complete the following fields:

    1. Integration Instance: Select the ServiceNow instance to work with. For example, you might have a production and a test instance.

    2. ServiceNow table: the default is incident.

    3. ServiceNow Fields: Enter the JSON that contains the ServiceNow field values to use. For example, if you have an incident policy for WebUI incidents, you can create a field that says WebUI incident, so the responder doesn’t have to fill that in.

    4. (Optional) Close Incident Mapping JSON: Enter the JSON to map the fields users are prompted to provide when closing an incident.

    5. (Optional) Resolve Incident Mapping JSON: Enter the JSON to map the fields users are prompted to provide when closing an incident.

Once you configure this, any incident created using that incident policy displays the related ServiceNow ticket information in the Resources section of the incident details.

On the Incident details page, the ServiceNow ticket link displays in the Resources section.

Manually connect Splunk Incident Intelligence to ServiceNow in a specific incident πŸ”—

If you do not configure ServiceNow as part of incident workflows, responders can still connect an incident to ServiceNow manually. This requires them to know the configuration values required.

If you are reviewing or working on a specific incident in Splunk Incident Intelligence, you can manually connect the incident to ServiceNow by performing the following steps:

  1. On the Incidents tab in Splunk Incident Intelligence, select an incident.

  2. In the Resources section, select Add Resource.

  3. On the Add resource dialog, in the Integration field, select Create ServiceNOW ticket.

  4. Complete the following fields:

    1. Integration Instance: Select the ServiceNow instance to work with. For example, you might have a production and a test instance.

    2. ServiceNow table: the default is incident.

    3. ServiceNow Fields: Enter the JSON that contains the ServiceNow field values to use.

    4. (Optional) Close Incident Mapping JSON: Enter the JSON to map the fields users are prompted to provide when closing an incident.

    5. (Optional) Resolve Incident Mapping JSON: Enter the JSON to map the fields users are prompted to provide when closing an incident.