Overview
Ticketing Integration in Alert Manager Enterprise (AME) extends Splunk event and alert management across your entire organization. AME introduces a native integration with ServiceNow and Jira Software, bringing incident creation and synchronization capabilities to your ITSM systems.
In many enterprises, alert visibility must reach beyond the Splunk environment. AME Ticketing Integration enables teams to create and manage incidents in their enterprise ITSM tools—enhancing collaboration across teams and departments. With two-way integration, AME events can automatically update based on the state of linked ServiceNow incidents or Jira issues, and vice versa.
Ticketing Integration requires an AME Support Subscription
Overview
This integration lets you create and manage ServiceNow incidents or Jira issues directly from AME, enhancing visibility and seamlessly connecting with external workflows through bi-directional synchronization.
AME events linked to a remote system tickets can be updated in either system, with changes automatically reflected in the other.
Key Benefits:
- Create remote tickets from AME events
- e.g. Trigger an incident for the Linux Operations team in response to an alert on a Unix host
- Update linked ServiceNow incidents or Jira issues directly from AME
- e.g. Automatically close a ServiceNow incident when the AME event is resolved
- e.g. Push details from a Splunk alert into the ServiceNow incident description
- e.g. Transition a Jira issue to "In Progress" when the AME event is acknowledged
- Reflect changes in AME from ServiceNow or Jira
- e.g. Automatically resolve an AME event when the ServiceNow incident is marked as resolved
- e.g. Transition an AME event to "In Progress" when the linked Jira issue is moved to that status
Key Concepts
Sync Mode:
- Outbound: AME pushes updates to the remote system only. No updates flow back, aside from the incident number.
- Bidirectional: Full two-way sync. Incidents created in AME are updated from remote and vice versa.
If an event is short lived (e.g. created and immediately deleted) AME will not sync it to a remote system.
Backsync status:
With Bidirectional sync, AME updates event only when the AME event status is in the defined list of status values.
Templated URL:
This defines the clickable link to the remote ticket. Example: https://customerinstance.service-now.com/incident.do?sys_id={remote_ticket_id} or https://yourcompany.atlassian.net/browse/{remote_ticket_id}
Replace 'customerinstance' or 'yourcompany' with your tenant-specific values.
Mapped fields and templated fields:
You define which fields in AME get synchronized to which field in the remote system. This mapping is configurable per definition of a ticketing integration, which lets you have different mappings for different teams or use cases.
Mapped fields declare a lookup between an AME event field and a remote system field. When either side of the integration is updated, the corresponding field in the other system is updated as well (if the sync mode is bi-directional).
Templated fields let you define a Jinja2 template that is rendered into the defined field when a ticket is created or updated. This allows you to push dynamic, context-rich information from AME into the remote ticket. For example, you can populate the description field of the remote ticket with consolidated details from the AME event, including original alert information from Splunk.
Troubleshooting
If synchronization fails, error messages will appear in the Ticketing Integration panel for the affected event.
Common causes:
- Unsupported state transitions (e.g., New -> Closed not valid in AME)
- ServiceNow connection issues
- Jira connection issues
Best Practices & Use Cases
- Authoritative Events: Treat AME as the source of truth for event state
- Cross-Team Collaboration: Use your corporate ITSM to bridge teams across silos
- Process Alignment: Align AME with your standard enterprise ticketing workflows
For more information, see:
Event Summary, Templates, Tenants