Splunk Mission Control

How do I resolve this error "failed to create a test incident"?

nembee
Observer

I've got this error when testing to create an incident. (Screenshot attached)

0 Karma

Anni
Splunk Employee

Hi @nembee 

We haven't heard back from you in a week. Please let us know if you can answer the above questions. We would love to know more details so we can investigate on our end. Thanks!

0 Karma

nembee
Observer

Yes, already provided the response for the questions below.

0 Karma

Anni
Splunk Employee

Thanks for the update! @nembee 

If there's any more user config or AD information you could send (screenshots are helpful), please mention it here or email us at: missioncontrol-preview@splunk.com

Edit: I'm curious, does the incident creation work if you leave the "Owner" field unassigned? 

We are looking into this right now! 

0 Karma

nembee
Observer

If I leave the owner field unassigned, "incident created successfully". But the incident is not listed on the main page. It is empty. (Screenshot attached)

0 Karma

Anni
Splunk Employee

Thank you for the screenshot! My hypothesis is that your AD group does not contain the correct permissions to create or view a Mission Control incident.

Here's the link to our permissions documentation: https://docs.splunk.com/Documentation/MC/Preview/Detect/Permissions

If you have access to the AD group (for example LDAP), could you try adding the correct permission to your user? 

Here's more documentation for managing groups in LDAP: https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/MapLDAPgroupstoSplunkroles

If you want to create and view an incident with the incident type "Default", the user would at least need the role permission "mc_analyst_edit_default".


Please let me know if that helps to solve anything! Thank you.

0 Karma

Anni
Splunk Employee

Hi @nembee! After discussing more with the engineering team, one workaround would be to add the mc_admin role if your user needs access to all areas of Mission Control Preview.

We found that Mission Control Preview does not handle the admin_all_objects capability consistently, resulting in the ability to create an incident but not list or view it. A workaround to allow both creation and viewing is to assign the mc_admin role, or as I mentioned previously, the mc_analyst_all_edit role (as appropriate) to the user.

We will fix this issue in a future release. Thank you for your patience!

0 Karma

vthimmegowda
Splunk Employee

Is that a valid user? Do you see this problem when you select other users, like yourself?

0 Karma

nembee
Observer

Yes, it is a valid user. It is from an AD group membership. When I select other users or local accounts, it is still the same. None of the user assignments work. The incident can't be created.

0 Karma

kavitav
Splunk Employee

Hi! Thanks for trying out the app! We are looking into the error now. Just so I understand, is the user you are trying to assign here yourself, or is it another user who today has access to ES? Thanks!

0 Karma

nembee
Observer

Yes, I am trying to create a test incident and assigning it to myself. The user account is an account from AD group membership. The same error occurred if I select other users in the list, including Splunk local accounts.

0 Karma