All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to create incident from Splunk in Service-Now using the add-on

las
Contributor
‎03-25-2019 02:27 AM

Hi.

I've tried to create an incident in Service-Now using Splunk add on for Servicenow.
This failed when it tried to get the password to Service-Now.
127.0.0.1 - user [23/Mar/2019:05:02:53.239 +0100] "GET /servicesNS/nobody/Splunk_TA_snow/storage/passwords/https%5C%3A%252F%252Fservicenow instance%3Adummy%3A HTTP/1.0" 403 228 - - - 0ms

How do I make this URL available, so it is possible to create incidents?

Kind regards

Lars Søndergaard

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

las
Contributor
‎03-28-2019 06:50 AM

Sometimes it helps to try to do the request instead of just looking, at the logs.

I was missing the list_storage_passwords capability in the roles.

View solution in original post

Reply
Solved! Jump to solution
Solution

las
Contributor
‎03-28-2019 06:50 AM

Sometimes it helps to try to do the request instead of just looking, at the logs.

I was missing the list_storage_passwords capability in the roles.

Reply
Solved! Jump to solution

lakshman239
Influencer
‎03-25-2019 08:34 AM

Assuming you are on a linux system and have access to the service Now API to create ticket/incident, would you be able to run a curl command using the creds (configured in the add-on) to create a ticket? if it works, its likely that 'user' making the call to passwords/username stored Splunk_TA_snow/local is unable to get the correct creds [. You may want to delete files under local, restart the instance, ensure there is no stale contents in Comfiguration->General -> Credential management and re-configure the app.

0 Karma
Reply
Solved! Jump to solution

las
Contributor
‎03-27-2019 11:48 PM

Hi.

I'm on a windows system.
It is spot on, that the 'user' making the call to passwords/username stored in Splunk_TA_snow is unable to get the correct creds. The user making the call gets a HTTP returncode 403, when they try to call /servicesNS/nobody/Splunk_TA_snow/storage/passwords/

So Splunk is preventing the 'user' from getting the passwords. I don't think that is done by ACLs on the filesystem.

Kind regards

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-25-2019 03:44 AM

Have you installed the Integration application into your Service Now tenant?
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/ConfigureServiceNowtointegratewithS...

This configures the relevant permissions and update sets so the integration can work - you are getting a 403, which might suggest the permissions are not yet configured correctly (or the credentials are incorrect)

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

las
Contributor
‎03-25-2019 07:22 AM

Yes, the ServiceNow integration is installed and configured.
The problem is not on the ServiceNow side, it is on the Splunk side.

This is URL that has the problem:

GET /servicesNS/nobody/Splunk_TA_snow/storage/passwords/https%5C%3A%252F%252Fservicenow instance%3Adummy%3A

Called with https://127.0.0.1:8089, as the host

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎03-25-2019 07:59 AM

Just checking - do you have proxy servers? A similar issue came up the other day where requests were being proxied - the proxy was requesting the resource from 127.0.0.1 (itself) instead of the Splunk server where the request originated.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

las
Contributor
‎03-25-2019 08:24 AM

No, no proxy.

For me it looks like the alert-script is requesting the credentials to Service-now from the Splunk-ta-snow app with the searchs user, and gets a http request denied.

Kind regards
Lars

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...
OSZAR »