Splunk IT Service Intelligence

Splunk delivers operational intelligence software that monitors, reports, and analyzes real-time machine data. The integration allows users to interact with the built-in Splunk ITSI workflow or other systems in their toolchains.

When episodes meet criteria you define, this integration relays critical Splunk data to the correct people and systems to help coordinate and resolve incidents faster. When an episode triggers the integration, xMatters identifies the appropriate on-call personnel and delivers notifications about the issue. Users can choose response options that update the episode's status in Splunk.

Do more with this integration

Incorporate this integration into your orchestrated incident resolution workflows with Flow Designer. After you create a configuration, the Flows tab appears. From there, you can build your flows — add new response options, connect to other apps, or even create new xMatters alerts based on activities in the flow — enriching the information injected by this integration along the way.

Flow Designer also includes a built-in Splunk trigger so you can automatically initiate flows when Splunk sends an alert to xMatters.

This integration is suitable only for Splunk servers or instances that have the Splunk IT Service Intelligence module. If you do not have this module in your Splunk instance, this integration won't work properly and will generate potentially confusing error messages. To integrate xMatters and a Splunk instance without the ITSI module, use the Splunk integration instead.

Get started with Splunk ITSI

The xMatters Splunkbase app is currently undergoing a certification process with Splunk. Some features may not be available on all versions of Splunk or the xMatters app, and some aspects of the integration may change while certification is ongoing. Please bear with us while we get this very important step all sorted out.

How to set up a Splunk ITSI configuration

After you give your configuration a name and description, type a name to use when sending alerts (so you can easily tell which configuration or integration the alerts are from).

This integration also requires some extra configuration information:

  • Splunk API Base URL: An externally-accessible URL that xMatters can use to post back to your Splunk system via the Splunk Enterprise API.
  • Splunk User: The user name of a Splunk user that can grant xMatters access to the Splunk API.
  • Splunk Password: The Splunk user's password.

Once you save the configuration, xMatters displays the settings you need to configure Splunk ITSI:

You can now install the "xMatters Actionable Alerts for Splunk ITSI" app from Splunkbase into your Splunk instance and, during installation, paste the provided URL into the Inbound Integration URL field. After you restart your Splunk instance, you can start sending episode information to xMatters.

Note: To properly install and configure Splunk for this integration, you must have the "admin" role (or have a role with "itoa_admin" permissions and "edit_user" capability).

Now you can either trigger a notification manually, or configure your episode aggregation policies to send notifications automatically whenever certain criteria are met. Recipients can then choose to accept, close, escalate, or resolve alerts using the response choices in their notifications.


  • If the integration doesn't generate any notifications, ensure that your Splunk installation has the Splunk IT Service Intelligence module installed. If the module is not installed, the integration will not work.
  • Check the Splunk log files for messages similar to "STDERR - ImportError: No module named itsi_path". This message indicates that the xMatters integration is unable to connect to the Splunk ITSI module.
  • If your Splunk instance does not have the Splunk ITSI module installed, use the xMatters for Splunk integration instead.

Extending your integration

Looking to do more with xMatters and Splunk ITSI? If you want to tailor the settings and notifications for the integration, you can convert it to a custom workflow.