Hey everyone,
I recently installed the BMC Remedy Add On for Splunk and followed the directions to get set up. I successfully connected to BMC via REST credentials, set up the remedy_fields.conf file and successfully created a ticket via search and the remedyincidentcreatestreamrest command. My problem is automating this experience. I created an alert based on a search (per the docs), and specified the "Remedy Incident Integration using REST API" trigger. Looking at the splunk_ta_remedy_rest_alert.log file I see the following authentication error:
2022-08-17 15:07:35,356 ERROR pid=11181 tid=MainThread file=remedy_helper.py:create_incident:287 | Authentication failed, status_code=401, url='https://url-restapi.onbmc.com:443/api/arsys/v1.0/entry/HPD:ServiceInterface', params={'fields': 'values(Incident Number, Incident_Status)'}, response=[{"messageType":"ERROR","messageText":"Authentication failed","messageNumber":623,"messageAppendedText":"remedy_user"}]
2022-08-17 15:07:35,657 INFO pid=11181 tid=MainThread file=remedy_helper.py:create_jwt_token:162 | Successfully generated a new jwt token
2022-08-17 15:07:36,030 ERROR pid=11181 tid=MainThread file=remedy_helper.py:create_incident:287 | Error occured, status_code=400, url='https://url-restapi.onbmc.com:443/api/arsys/v1.0/entry/HPD:ServiceInterface', params={'fields': 'values(Incident Number, Incident_Status)'}, response=[{"messageType":"ERROR","messageText":"Required field cannot be blank.","messageNumber":326,"messageAppendedText":"HPD:Help Desk : Contact Company"}]
2022-08-17 15:07:36,030 ERROR pid=11181 tid=MainThread file=remedy_incident_rest_alert_base.py:post_incident:227 | [Remedy Incident REST Alert] The search name: Ingress to ICM Missing DN. Failed to Create/Update incident
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_remedy/bin/remedy_helper.py", line 432, in retry
return func(account_info, *arg, **kwargs)
File "/opt/splunk/etc/apps/Splunk_TA_remedy/bin/remedy_helper.py", line 288, in create_incident
raise Exception(msg)
Exception: Authentication failed, status_code=401, url='https://url-restapi.onbmc.com:443/api/arsys/v1.0/entry/HPD:ServiceInterface', params={'fields': 'values(Incident Number, Incident_Status)'}, response=[{"messageType":"ERROR","messageText":"Authentication failed","messageNumber":623,"messageAppendedText":"remedy_user"}]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_remedy/bin/remedy_incident_rest_alert_base.py", line 200, in post_incident
proxy_config=self.proxy_config,
File "/opt/splunk/etc/apps/Splunk_TA_remedy/bin/remedy_helper.py", line 454, in retry
return func(account_info, *arg, **kwargs)
File "/opt/splunk/etc/apps/Splunk_TA_remedy/bin/remedy_helper.py", line 288, in create_incident
raise Exception(msg)
Exception: Error occured, status_code=400, url='https://url-restapi.onbmc.com:443/api/arsys/v1.0/entry/HPD:ServiceInterface', params={'fields': 'values(Incident Number, Incident_Status)'}, response=[{"messageType":"ERROR","messageText":"Required field cannot be blank.","messageNumber":326,"messageAppendedText":"HPD:Help Desk : Contact Company"}]
I have a separate application creating tickets via REST and was told to use the HPD:IncidentInterface_Create. Not sure what the difference is (if any) between running a search as opposed to having an alert trigger it, but I am stumped. If anyone can offer some insight I would appreciate it.
Thanks!
Chad
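
An added example for triaging the log quoted in the post above (not part of the original post and not the add-on's own code): it parses records in that log format and reports, per process, the ordered API errors, whether a new JWT was generated after a 401, and the last error the API returned. The sample lines are constructed in the format shown in the post, with a placeholder host and pid; `parse_events` and `summarise` are hypothetical helper names.

```python
import json
import re

# Constructed sample in the format of splunk_ta_remedy_rest_alert.log as quoted
# in the post; the host name and pid are placeholders.
SAMPLE_LOG = """\
2022-08-17 15:07:35,356 ERROR pid=100 tid=MainThread file=remedy_helper.py:create_incident:287 | Authentication failed, status_code=401, url='https://remedy.example.invalid/api/arsys/v1.0/entry/HPD:ServiceInterface', params={'fields': 'values(Incident Number, Incident_Status)'}, response=[{"messageType":"ERROR","messageText":"Authentication failed","messageNumber":623,"messageAppendedText":"remedy_user"}]
2022-08-17 15:07:35,657 INFO pid=100 tid=MainThread file=remedy_helper.py:create_jwt_token:162 | Successfully generated a new jwt token
2022-08-17 15:07:36,030 ERROR pid=100 tid=MainThread file=remedy_helper.py:create_incident:287 | Error occured, status_code=400, url='https://remedy.example.invalid/api/arsys/v1.0/entry/HPD:ServiceInterface', params={'fields': 'values(Incident Number, Incident_Status)'}, response=[{"messageType":"ERROR","messageText":"Required field cannot be blank.","messageNumber":326,"messageAppendedText":"HPD:Help Desk : Contact Company"}]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+) "
    r"pid=(?P<pid>\d+) tid=\S+ file=(?P<file>[^:]+):(?P<func>[^:]+):\d+ \| (?P<msg>.*)$"
)

def parse_events(text):
    """Return one dict per log record; traceback lines do not match and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        status = re.search(r"status_code=(\d{3})", m["msg"])
        ev = {"ts": m["ts"], "level": m["level"], "pid": int(m["pid"]), "func": m["func"],
              "status": int(status.group(1)) if status else None, "bmc": []}
        _, sep, body = m["msg"].partition("response=")
        if sep:
            try:
                # Keep the BMC message number and the field/user it refers to.
                ev["bmc"] = [(e.get("messageNumber"), e.get("messageAppendedText"))
                             for e in json.loads(body)]
            except (ValueError, AttributeError, TypeError):
                pass  # truncated or non-JSON response body
        events.append(ev)
    return events

def summarise(events):
    """Per pid: ordered API errors, token refresh seen after a 401, and the last error."""
    runs = {}
    for ev in events:
        run = runs.setdefault(ev["pid"], {"errors": [], "reauth_after_401": False})
        if ev["status"] is not None:
            run["errors"].append((ev["status"], ev["bmc"]))
        elif ev["func"] == "create_jwt_token" and run["errors"] and run["errors"][-1][0] == 401:
            run["reauth_after_401"] = True
    for run in runs.values():
        run["final"] = run["errors"][-1] if run["errors"] else None
    return runs
```
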