n8n

How to Automate Splunk to Jira Incident Management?

Security alerts often pile up and create noise. This setup turns Splunk alerts into clear Jira incidents, and adds new alerts as comments when a related issue already exists. It helps IT and security teams track events by host and keep a clean record in one place.

An incoming webhook receives a POST from Splunk. A set step cleans the host name so it works in Jira fields. A search step looks in Jira using a custom field for the cleaned host name. A decision step checks if a match was found. If none is found, a new Jira issue is created with the project, issue type, summary, description, and the cleaned host name saved in a custom field. If a match is found, the alert details are added as a comment with the timestamp and description. This design keeps one incident per host and records every new alert in the same ticket.
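The following Python sketch is an added example, not code from the n8n template itself, showing the same create-or-comment decision logic end to end: a host-name normalization step, the JQL the search step would run, and the routing into a new issue or a comment on the existing one. The Jira side is an in-memory stand-in rather than the Jira REST API, and the custom field name "Host Name" and project key "SEC" are assumed placeholders. Two points the template leaves implicit are made explicit here: an alert with no usable host is rejected instead of creating an unkeyed ticket, and the host value is escaped before it is placed inside the JQL string literal, so a raw value from the webhook can never change the meaning of the query.

```python
"""Splunk -> Jira dedup routing modelled on the workflow described above.
Jira is simulated in memory; field name and project key are hypothetical."""
import re
from datetime import datetime, timezone

HOST_FIELD = "Host Name"  # assumed Jira custom field name (hypothetical)
PROJECT_KEY = "SEC"       # assumed Jira project key (hypothetical)


def normalize_host(raw: str) -> str:
    """Mirror the Set Host Name step: lowercase, keep letters, digits, dots and
    hyphens, collapse any other run of characters to one hyphen, trim edges."""
    host = raw.strip().lower()
    host = re.sub(r"[^a-z0-9.-]+", "-", host)
    return host.strip("-.")


def build_jql(host: str, field_name: str = HOST_FIELD) -> str:
    """Build the Search Ticket JQL. The value is escaped even though
    normalize_host already strips quotes, so an un-normalized value could
    still never break out of the quoted string literal."""
    escaped = host.replace("\\", "\\\\").replace('"', '\\"')
    return (f'project = {PROJECT_KEY} AND "{field_name}" ~ "{escaped}" '
            f"AND resolution = Unresolved")


class InMemoryJira:
    """Stand-in for the Jira nodes: search by host, create issue, add comment."""

    def __init__(self):
        self.issues = {}   # issue key -> {"fields": {...}, "comments": [...]}
        self._counter = 0

    def search(self, host: str):
        # Equivalent of running build_jql(host): unresolved issues whose
        # custom host field equals the normalized host.
        return [key for key, issue in self.issues.items()
                if issue["fields"][HOST_FIELD] == host
                and issue["fields"]["resolution"] is None]

    def create_issue(self, host: str, summary: str, description: str) -> str:
        self._counter += 1
        key = f"{PROJECT_KEY}-{self._counter}"
        self.issues[key] = {
            "fields": {"project": PROJECT_KEY, "issuetype": "Incident",
                       "summary": summary, "description": description,
                       HOST_FIELD: host, "resolution": None},
            "comments": [],
        }
        return key

    def add_comment(self, key: str, body: str) -> None:
        self.issues[key]["comments"].append(body)


def route_alert(jira: InMemoryJira, payload: dict) -> tuple:
    """Decision step. Returns ('created', key), ('commented', key)
    or ('rejected', reason) for a constructed Splunk webhook payload."""
    raw_host = payload.get("host")
    if not raw_host or not normalize_host(raw_host):
        # Without a host there is nothing to key the incident on.
        return ("rejected", "missing or empty host")
    host = normalize_host(raw_host)
    ts = payload.get("timestamp") or datetime.now(timezone.utc).isoformat()
    description = payload.get("description", "")
    matches = jira.search(host)
    if matches:
        key = matches[0]
        jira.add_comment(key, f"{ts}: {description}")
        return ("commented", key)
    key = jira.create_issue(host, f"Splunk alert on {host}", f"{ts}\n{description}")
    return ("created", key)


if __name__ == "__main__":
    jira = InMemoryJira()
    # Constructed sample alerts: same host twice with different casing/whitespace.
    print(route_alert(jira, {"host": "WEB-01.example.com", "description": "brute force",
                             "timestamp": "2024-01-01T00:00:00Z"}))
    print(route_alert(jira, {"host": "web-01.example.com ", "description": "again",
                             "timestamp": "2024-01-01T00:05:00Z"}))
    print(build_jql("web-01.example.com"))
```

When wiring the real thing, the JQL `~` operator is a text match on the custom field; if your host names share prefixes, confirm in Jira that the field is searchable and that the match is exact enough, or key on `resolution = Unresolved` plus the normalized value as shown so resolved incidents do not absorb new alerts.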

You will need Jira Software Cloud and Splunk. Point the Splunk webhook to the n8n URL and confirm your Jira custom field name for the host. Expect fewer duplicate tickets, faster handoff, and a clear audit trail of updates. It fits teams that face repeated alerts from the same host, rapid bursts of events, or ongoing investigations that need a single source of truth.

What are the key features?

  • Webhook intake receives POST alerts from Splunk for real time processing
  • Host name normalization removes special characters to keep Jira fields clean
  • Jira search uses JQL on a custom field to find an existing issue for the host
  • Decision logic checks if a ticket exists and routes to create or comment
  • Issue creation fills project, issue type, summary, description, and custom host field
  • Comment posting adds timestamp and alert details to the existing Jira issue
  • Test and live webhook URLs support safe testing and silent production runs

What are the benefits?

  • Reduce manual triage from 20 minutes to 2 minutes by auto creating or updating Jira incidents
  • Cut duplicate tickets by routing repeat alerts into comments on the same issue
  • Improve data quality by 90 percent with cleaned host names saved in a custom field
  • Streamline incident intake by 80 percent through one path from Splunk to Jira
  • Unify alert history so analysts see all updates in one Jira thread
  • Scale to large alert bursts without extra manual work

How do you set it up?

  1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
  2. You will need accounts with Splunk and Jira Software Cloud. See the Tools Required section below for links to create accounts with these services.
  3. Open the Webhook node and note the test and production URLs. The test URL shows live results in n8n while the production URL runs silently.
  4. In your Splunk webhook settings, add a new webhook alert action and paste the n8n production webhook URL. If you want to test first, use the test URL.
  5. Confirm the Splunk payload includes a host name, description, message body, and timestamp. If your field names are different, adjust the Set Host Name node and the Jira mappings to match your payload.
  6. Double click any Jira node, choose the 'Credential to connect with' dropdown, click 'Create new credential', then follow the on screen steps to connect Jira Software Cloud. Use a clear name for the credential so your team can find it later.
  7. Open the Search Ticket node and update the JQL to use your actual Jira custom field for the host name. Make sure the field is searchable in Jira and that it matches the normalized host value.
  8. Open the Create Ticket node and select the correct Jira project and issue type. Map the custom field so the normalized host name is stored on every new incident.
  9. Open the Add Ticket Comment node and review the fields for timestamp and description. Match them to your payload keys so comments show the right details.
  10. Click Execute Workflow in n8n and send a sample alert from Splunk to the test URL. Check that a new Jira issue is created when no match is found.
  11. Send another alert with the same host and confirm a comment is added to the same Jira issue. Review the n8n Executions page for logs if something fails.
  12. If no Jira issue is found when you expect one, verify the custom field name in JQL and that the Set Host Name value matches what is stored on the ticket.
  13. If Jira returns an error on create, confirm your project, issue type, and required fields are set. Fix any missing fields and test again.

Tools Required

  • n8n: $24 / mo or $20 / mo billed annually to use n8n in the cloud. However, the local or self-hosted n8n Community Edition is free.
  • Jira Software Cloud: Free plan: $0 / mo (up to 10 users); REST API access via API token available on Free and paid plans.
  • Splunk: Splunk Enterprise Trial: $0 for 60 days, 500 MB/day ingest.
