All Apps and Add-ons

Allow non-Splunk Admins to add the ServiceNow action to alerts

mjones1
New Member

We have this stood up and working...sort of.  Splunk Admins can configure alerts to add the "ServiceNow Incident Integration" action, and we can create Incidents in Splunk.

The problem is, we have a lot of development teams that create/maintain their own alerts in Splunk.  When they go to add this action, they're not able to select the account to use when configuring the action...because they don't have read permission to the account.  Even if an Admin goes in and configures the action, it won't work at run-time, because the alert runs under the owner's permissions...which can't read the credentials to use to call ServiceNow.

Has anyone else ran into this issue?  How can this be setup to allow non-Admins to maintain alerts?

Labels (2)
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...