Solved: Unable to create incident from Splunk in Service-N...

las · ‎03-25-2019

Hi.

I've tried to create an incident in Service-Now using Splunk add on for Servicenow.
This failed when it tried to get the password to Service-Now.
127.0.0.1 - user [23/Mar/2019:05:02:53.239 +0100] "GET /servicesNS/nobody/Splunk_TA_snow/storage/passwords/https%5C%3A%252F%252Fservicenow instance%3Adummy%3A HTTP/1.0" 403 228 - - - 0ms

How do I make this URL available, so it is possible to create incidents?

Kind regards

Lars Søndergaard

las · ‎03-28-2019

Sometimes it helps to try to do the request instead of just looking, at the logs.

I was missing the list_storage_passwords capability in the roles.

View solution in original post

las · ‎03-28-2019

Sometimes it helps to try to do the request instead of just looking, at the logs.

I was missing the list_storage_passwords capability in the roles.

lakshman239 · ‎03-25-2019

Assuming you are on a linux system and have access to the service Now API to create ticket/incident, would you be able to run a curl command using the creds (configured in the add-on) to create a ticket? if it works, its likely that 'user' making the call to passwords/username stored Splunk_TA_snow/local is unable to get the correct creds [. You may want to delete files under local, restart the instance, ensure there is no stale contents in Comfiguration->General -> Credential management and re-configure the app.

las · ‎03-27-2019

Hi.

I'm on a windows system.
It is spot on, that the 'user' making the call to passwords/username stored in Splunk_TA_snow is unable to get the correct creds. The user making the call gets a HTTP returncode 403, when they try to call /servicesNS/nobody/Splunk_TA_snow/storage/passwords/

So Splunk is preventing the 'user' from getting the passwords. I don't think that is done by ACLs on the filesystem.

Kind regards

nickhills · ‎03-25-2019

Have you installed the Integration application into your Service Now tenant?
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/ConfigureServiceNowtointegratewithS...

This configures the relevant permissions and update sets so the integration can work - you are getting a 403, which might suggest the permissions are not yet configured correctly (or the credentials are incorrect)

If my comment helps, please give it a thumbs up!

las · ‎03-25-2019

Yes, the ServiceNow integration is installed and configured.
The problem is not on the ServiceNow side, it is on the Splunk side.

This is URL that has the problem:

GET /servicesNS/nobody/Splunk_TA_snow/storage/passwords/https%5C%3A%252F%252Fservicenow instance%3Adummy%3A

Called with https://127.0.0.1:8089, as the host

nickhills · ‎03-25-2019

Just checking - do you have proxy servers? A similar issue came up the other day where requests were being proxied - the proxy was requesting the resource from 127.0.0.1 (itself) instead of the Splunk server where the request originated.

If my comment helps, please give it a thumbs up!

las · ‎03-25-2019

No, no proxy.

For me it looks like the alert-script is requesting the credentials to Service-now from the Splunk-ta-snow app with the searchs user, and gets a http request denied.

Kind regards
Lars

Unable to create incident from Splunk in Service-Now using the add-on

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk