All Apps and Add-ons

Splunk Add On For ServiceNow 5.0 | snow_incident.py no account found

gstefancyk
Path Finder

snow_incident.py is no longer able to run after updating to add-on version 5.0. It cannot actually find the configured account in the add-on. Has anyone run into this issue?

2019-11-20 08:20:11,022 ERROR pid=175755 tid=MainThread file=snow_ticket.py:_get_service_now_account:226 | Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 170, in _get_service_now_account
raise Exception("Account name cannot be empty. Enter a configured account name or create new account by going to Configuration page of the Add-on.")
Exception: Account name cannot be empty. Enter a configured account name or create new account by going to Configuration page of the Add-on.

There is definitely an account configured in the add on and it is working.

Thanks,

Gary S.

0 Karma
1 Solution

gstefancyk
Path Finder

Was able to find this out by reading some additional documentation that is not part of the release notes or upgrade notes for 5.0 of add on.
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usescriptedalerts

In version 3.1 you did not need to specify the account name directly in your searches in order to use scripted alert action "snow_incident.py"

This is quite a simple fix but it is not clearly documented and should be part of the release/upgrade notes. If you use "snow_incident.py" and are migrating to version 5.0 from 3.1 or earlier you must specify the account name in your search.
| eval account = "accountname"

The account name is the name you gave the account when you set up the integration in the add on.

View solution in original post

gstefancyk
Path Finder

Was able to find this out by reading some additional documentation that is not part of the release notes or upgrade notes for 5.0 of add on.
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usescriptedalerts

In version 3.1 you did not need to specify the account name directly in your searches in order to use scripted alert action "snow_incident.py"

This is quite a simple fix but it is not clearly documented and should be part of the release/upgrade notes. If you use "snow_incident.py" and are migrating to version 5.0 from 3.1 or earlier you must specify the account name in your search.
| eval account = "accountname"

The account name is the name you gave the account when you set up the integration in the add on.

gstefancyk
Path Finder

Hi @uagrawal_splunk we have already done that as that is a requirement when upgrading. We are able to pull data using the same exact user account as well.

We just cannot execute the script "snow_ticket.py" as it cannot find the user account. We use this as a scripted input on our alerts to trigger SNOW tickets.

GS

0 Karma

uagrawal_splunk
Splunk Employee
Splunk Employee

I tried but unable to reproduce the issue. Maybe I am missing something.

0 Karma

gstefancyk
Path Finder

Do you happen to know the difference between these files?

service_now.conf

splunk_ta_snow_settings.conf

It appears in the new version of the add on splunk_ta_snow_settings.conf was added. Notice when restarting splunk it also complains about all of the settings in the "service_now.conf"

nvalid key in stanza [snow_account] in /opt/splunk/etc/apps/Splunk_TA_snow/local/service_now.conf, line 4: password (value: ).
Invalid key in stanza [snow_account] in /opt/splunk/etc/apps/Splunk_TA_snow/local/service_now.conf, line 5: release (value: Madrid).
Invalid key in stanza [snow_account] in /opt/splunk/etc/apps/Splunk_TA_snow/local/service_now.conf, line 6: url (value: https://x.x.x.service-now.com).
Invalid key in stanza [snow_account] in /opt/splunk/etc/apps/Splunk_TA_snow/local/service_now.conf, line 7: username (value: ).

That is making me think that that service_now.conf is deprecated or something? Nothing is noted in the documentation though.

0 Karma

uagrawal_splunk
Splunk Employee
Splunk Employee

Have you upgraded your ServiceNow Add-on from 3.1.0 to 5.0.0? If yes, then you need to reconfigure your previously configured ServiceNow account. The link for the doc is: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Releasenotes#Upgrade

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...