We're having some issues getting the OpsGenie for Splunk app working on a Search Head cluster.
We've been able to get it to work on a test instance of Splunk with a single search head but it doesn't work in the cluster. There seem to be a few issues. I can get the API key to be saved successfully in the OpsGenie app, but none of the Splunk alerts are sent. Looking at the logs we can see the below errors:
ERROR sendmodalert - action=opsgenie STDERR - Unexpected error: Could not get opsgenie credentials from splunk. Error: [HTTP 403] Client is not authorized to perform requested action; /servicesNS/nobody/opsgenie/admin/passwords
WARN sendmodalert - action=opsgenie - Alert action script returned error code=3
Has anyone been able to get this app to work in a clustered environment? Is there something additional that needs to be done?
Could it be permissions related? We got the same error message (although not in a clustered environment). Per https://answers.splunk.com/answers/602346/opsgenie-app-trigging-alert-doesnt-work-unless-use.html you need the "list_storage_passwords" capability for the alert to work.
We were using the admin account which has full permissions. I think it's actually an issue with that version of the 'OpsGenie for Splunk' app. It works on the latest version of that app, 1.1.6, which was released recently.
The functionality on a cluster is still a bit odd; you have to modify your URL to
/en-US/manager/opsgenie/apps/local/opsgenie/setup?action=edit
to be able to access the app setup to enter an API key as the link doesn't appear via the GUI. The users that create the Splunk alerts also need to have the "list_storage_passwords" capability, as you mentioned.