snow_incident.py is no longer able to run after updating to add-on version 5.0. It cannot actually find the configured account in the add-on. Has anyone run into this issue?
2019-11-20 08:20:11,022 ERROR pid=175755 tid=MainThread file=snow_ticket.py:_get_service_now_account:226 | Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/snow_ticket.py", line 170, in _get_service_now_account
raise Exception("Account name cannot be empty. Enter a configured account name or create new account by going to Configuration page of the Add-on.")
Exception: Account name cannot be empty. Enter a configured account name or create new account by going to Configuration page of the Add-on.
There is definitely an account configured in the add on and it is working.
Thanks,
Gary S.
Was able to find this out by reading some additional documentation that is not part of the release notes or upgrade notes for 5.0 of the add-on.
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usescriptedalerts
In version 3.1 you did not need to specify the account name directly in your searches in order to use scripted alert action "snow_incident.py".
This is quite a simple fix but it is not clearly documented and should be part of the release/upgrade notes. If you use "snow_incident.py" and are migrating to version 5.0 from 3.1 or earlier, you must specify the account name in your search.
| eval account = "accountname"
The account name is the name you gave the account when you set up the integration in the add on.
Hi @uagrawal_splunk we have already done that as that is a requirement when upgrading. We are able to pull data using the same exact user account as well.
We just cannot execute the script "snow_ticket.py" as it cannot find the user account. We use this as a scripted input on our alerts to trigger SNOW tickets.
GS
I tried but was unable to reproduce the issue. Maybe I am missing something.
Do you happen to know the difference between these files?
service_now.conf
splunk_ta_snow_settings.conf
It appears in the new version of the add-on splunk_ta_snow_settings.conf was added. Notice when restarting Splunk it also complains about all of the settings in the "service_now.conf":
Invalid key in stanza [snow_account] in /opt/splunk/etc/apps/Splunk_TA_snow/local/service_now.conf, line 4: password (value: ).
Invalid key in stanza [snow_account] in /opt/splunk/etc/apps/Splunk_TA_snow/local/service_now.conf, line 5: release (value: Madrid).
Invalid key in stanza [snow_account] in /opt/splunk/etc/apps/Splunk_TA_snow/local/service_now.conf, line 6: url (value: https://x.x.x.service-now.com).
Invalid key in stanza [snow_account] in /opt/splunk/etc/apps/Splunk_TA_snow/local/service_now.conf, line 7: username (value:
That is making me think that service_now.conf is deprecated or something? Nothing is noted in the documentation though.
Have you upgraded your ServiceNow Add-on from 3.1.0 to 5.0.0? If yes, then you need to reconfigure your previously configured ServiceNow account. The link for the doc is: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Releasenotes#Upgrade