Splunk Mission Control

How do I resolve this error "failed to create a test incident"?

nembee
Observer

 

I've got this error when testing to create an incident.Screenshot 2022-09-06 163344.PNG.jpg

Labels (1)
0 Karma

Anni
Splunk Employee
Splunk Employee

Hi @nembee 

We haven't heard back from you in a week. Please let us know if you can answer the above questions. We would love to know more details so we can investigate on our end. Thanks!

0 Karma

nembee
Observer

Yes, already provided the response for the questions below.

0 Karma

Anni
Splunk Employee
Splunk Employee

Thanks for the update! @nembee 

If there's any more user config or AD information you could send, screenshots are helpful, please mention here or email us at: missioncontrol-preview@splunk.com

Edit: I'm curious, does the incident creation work if you leave the "Owner" field unassigned? 

We are looking into this right now! 

0 Karma

nembee
Observer

if i leave the owner field unassigned, "incident created successfully". But the incident is not listed on the main page. It is empty.Screenshot 2022-09-15 113003.jpg

0 Karma

Anni
Splunk Employee
Splunk Employee

Thank you for the screenshot! My hypothesis is that your AD group does not contain the correct permissions to create or view a Mission Control incident.

Here's the link to our permissions documentation: https://docs.splunk.com/Documentation/MC/Preview/Detect/Permissions

 

If you have access to the AD group (for example LDAP), could you try adding the correct permission to your user? 

Here's more documentation for managing groups in LDAP: https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/MapLDAPgroupstoSplunkroles 

 

If you want to create and view an incident with the incident type "Default" the user would at least need the role permission "mc_analyst_edit_default."

 Screen Shot 2022-09-15 at 12.21.55 PM.png

Please let me know if that helps to solve anything! Thank you.

0 Karma

Anni
Splunk Employee
Splunk Employee

Hi @nembee! After discussing more with the engineering team, one workaround would be to add the mc_admin role if your user needs access all areas of Mission Control Preview.

We found that Mission Control Preview does not handle the admin_all_objects capability consistently, resulting in the ability to create an incident but not list or view it. A workaround to allow both creation and viewing is to assign the mc_admin role, or as I mentioned previously, the mc_analyst_all_edit role (as appropriate) to the user.

We will fix this issue in a future release. Thank you for your patience!

0 Karma

vthimmegowda
Splunk Employee
Splunk Employee

is that a valid user . Do u see this problem when u select other users like urself ?

0 Karma

nembee
Observer

Yes, it is a valid user. It is from an AD group membership. When i select other users or local accounts, it is still the same. None of the users assignment work. Incident can't be created.

0 Karma

kavitav
Splunk Employee
Splunk Employee

Hi! Thanks for trying out the app! We are looking into the error now, just so I understand, is the user you are trying to assign here yourself? or is it another user who today has access to ES? Thanks! 

0 Karma

nembee
Observer

Yes, i am trying to create a test incident and assigning it to myself. The user account is an account from AD group membership. The same error occurred if i select other users in the list including Splunk local accounts.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...