Ticketing Integration
Ticketing Integration in Alert Manager Enterprise (AME) extends Splunk event and alert management across your entire organization. AME introduces a native integration with ServiceNow, bringing incident creation and synchronization capabilities to your ITSM systems. Support for additional platforms is on the roadmap.
In many enterprises, alert visibility must reach beyond the Splunk environment. AME Ticketing Integration enables teams to create and manage incidents in their enterprise ITSM tools—enhancing collaboration across teams and departments. With two-way integration, AME events can automatically update based on the state of linked ServiceNow incidents, and vice versa.
Ticketing Integration requires an AME Support Subscription.
Overview
This integration lets you create and manage ServiceNow incidents directly from AME, enhancing visibility and seamlessly connecting with ServiceNow workflows through bi-directional synchronization.
AME events linked to ServiceNow tickets can be updated in either system, with changes automatically reflected in the other.
Key Benefits:
- Create ServiceNow incidents from AME events
  - e.g. Trigger an incident for the Linux Operations team in response to an alert on a Unix host
- Update linked ServiceNow incidents directly from AME
  - e.g. Automatically close a ServiceNow incident when the AME event is resolved
  - e.g. Push details from a Splunk alert into the ServiceNow incident description
- Reflect changes in AME from ServiceNow
  - e.g. Automatically resolve an AME event when the ServiceNow incident is marked as resolved
Configuration
Follow these steps to configure Ticketing Integration. Ensure you have the following information ready:
Requirements:
- ServiceNow API URL: The endpoint for your ServiceNow instance
- ServiceNow Incident URL: The navigable link to a ServiceNow incident, e.g. https://customerinstance.service-now.com/incident.do?sys_id={remote_ticket_id}
- ServiceNow Enumerators: Values for fields you want to map (e.g. state, urgency, impact). These values enable AME to sync events flexibly with ServiceNow's internal representations. Obtain these values from your ServiceNow administrator.
  - For example, "New" = 1, "In Progress" = 2
- Authentication Parameters: AME supports username/password, OAuth, and API token authentication
ServiceNow Enumerators: These control the field mapping between AME and ServiceNow. Below are example values for the State and Urgency fields. Consult your ServiceNow administrator for specific values or check field dictionaries.
Values for possible States in ServiceNow
Values for possible Urgencies in ServiceNow
1. Set Up Ticketing Integration
Begin by navigating to the tenant screen. Locate the Ticketing Integration section and click Add to create a new configuration.
Make sure you’ve collected all required information from the section above. You will be presented with the configuration panel to set up a new integration.
Sync Mode Options
- Outbound: AME pushes updates to ServiceNow only. No updates flow back, aside from the incident number.
- Bidirectional: Full two-way sync. Incidents created in AME are updated from ServiceNow and vice versa.
Backsync Conditions
With Bidirectional sync, AME updates event states only when selected ServiceNow state changes occur. Ensure that both platforms support the intended transitions.
Templated URL
This defines the clickable link to the ServiceNow incident. Example: https://customerinstance.service-now.com/incident.do?sys_id={remote_ticket_id} Replace placeholders with your tenant-specific values.
Required fields: caller_id and short_description must be mapped, either via static fields or templates (see below).
Mapped Fields
Configure how AME fields map to ServiceNow fields. Click the + to add new mappings. Here you'll need the numerical values for each mapped field (see Requirements section above).
Mapping AME Status to ServiceNow State:
Mapping AME Urgency to ServiceNow Urgency:
Mapping AME Impact to ServiceNow Impact:
Template Fields
Fields can be dynamically populated using Jinja2 templating. These fields can be configured to update once (on incident creation) or to update continuously whenever linked alerts are appended. This is true for both Outbound and Bidirectional modes.
Below are examples of templated short_description and caller_id mappings:
For the main incident description, use templating to pull relevant AME event metadata:
Click Test Connection and Authentication to verify connectivity to ServiceNow.
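A pre-flight check for the settings collected in this step, as an added example (not AME's own code or configuration format): it verifies the required fields, the templated URL, and that enumerator mappings and backsync states are consistent before Bidirectional sync is enabled. The dictionary keys, the AME status names, the `{{ event.title }}` variable and the state numbers other than 1 and 2 are assumptions made for illustration.

```python
import re
REQUIRED = ("caller_id", "short_description")   # required fields named on this page
SYS_ID = re.compile(r"[0-9a-fA-F]{32}")         # a ServiceNow sys_id is 32 hex characters

def check_integration(cfg):
    """Return a list of problems found in a (hypothetical) integration config dict."""
    problems = []
    provided = set(cfg.get("static_fields", {})) | set(cfg.get("template_fields", {}))
    for field in REQUIRED:
        if field not in provided:
            problems.append(f"required field not mapped: {field}")
    url = cfg.get("templated_url", "")
    if not url.startswith("https://") or "{remote_ticket_id}" not in url:
        problems.append("templated_url must be https and contain {remote_ticket_id}")
    bidirectional = cfg.get("sync_mode") == "bidirectional"
    for name, mapping in cfg.get("mapped_fields", {}).items():
        values = list(mapping.values())
        if not all(isinstance(v, int) for v in values):
            problems.append(f"{name}: enumerator values must be integers")
        # Two AME values sharing one ServiceNow value cannot be mapped back.
        if bidirectional and len(set(values)) != len(values):
            problems.append(f"{name}: mapping is not one-to-one, backsync is ambiguous")
    state_values = set(cfg.get("mapped_fields", {}).get("state", {}).values())
    for state in cfg.get("backsync_states", []):
        if not bidirectional:
            problems.append("backsync_states set but sync_mode is outbound")
            break
        if state not in state_values:
            problems.append(f"backsync state {state} has no AME status mapped to it")
    return problems

def incident_url(template, remote_ticket_id):
    """Fill the templated URL only with a well-formed sys_id."""
    if not SYS_ID.fullmatch(remote_ticket_id):
        raise ValueError("remote_ticket_id is not a 32-character hex sys_id")
    return template.replace("{remote_ticket_id}", remote_ticket_id)

# Constructed sample config; confirm real enumerator values with your ServiceNow administrator.
SAMPLE = {
    "sync_mode": "bidirectional",
    "templated_url": "https://customerinstance.service-now.com/incident.do?sys_id={remote_ticket_id}",
    "static_fields": {"caller_id": "splunk.integration"},
    "template_fields": {"description": "{{ event.title }}"},
    "mapped_fields": {"state": {"new": 1, "assigned": 2, "in_progress": 2, "resolved": 6}},
    "backsync_states": [6, 7],
}

if __name__ == "__main__":
    print("\n".join(check_integration(SAMPLE)) or "config ok")
```

The sample is deliberately flawed in three places: short_description is unmapped, two AME statuses share ServiceNow state 2, and backsync state 7 has no AME counterpart.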
2. Configure Templates to Use Ticketing Integration
Ticketing Integration is applied at the template level. To enable ticket creation:
- Create a new template or edit an existing one (see Templates)
- In the Ticketing dropdown, select the integration you’ve just configured
Working with Events
Once an alert is triggered using a template with Ticketing Integration, corresponding details will appear in the event view.
Events linked to ServiceNow incidents will display a direct link to the remote ticket (only after successful creation and linkage).
Under the Ticketing Integration tab, you can track the sync status and view whether actions were successful:
Reviewing in ServiceNow
Once a ticket is created, it appears in your ServiceNow instance as a fully populated incident:
Troubleshooting
If synchronization fails, error messages will appear in the Ticketing Integration panel for the affected event.
Common causes:
- Unsupported state transitions (e.g., New -> Closed not valid in AME)
- ServiceNow connection issues
Best Practices & Use Cases
- Authoritative Events: Treat AME as the source of truth for event state
- Cross-Team Collaboration: Use your corporate ITSM to bridge teams across silos
- Process Alignment: Align AME with your standard enterprise ticketing workflows
For more information, see:
Event Summary, Templates, Tenants