Splunk Mission Control

How do I resolve this error "failed to create a test incident"?

nembee
Observer

 

I've got this error when testing to create an incident.Screenshot 2022-09-06 163344.PNG.jpg

Labels (1)
0 Karma

Anni
Splunk Employee
Splunk Employee

Hi @nembee 

We haven't heard back from you in a week. Please let us know if you can answer the above questions. We would love to know more details so we can investigate on our end. Thanks!

0 Karma

nembee
Observer

Yes, already provided the response for the questions below.

0 Karma

Anni
Splunk Employee
Splunk Employee

Thanks for the update! @nembee 

If there's any more user config or AD information you could send, screenshots are helpful, please mention here or email us at: missioncontrol-preview@splunk.com

Edit: I'm curious, does the incident creation work if you leave the "Owner" field unassigned? 

We are looking into this right now! 

0 Karma

nembee
Observer

if i leave the owner field unassigned, "incident created successfully". But the incident is not listed on the main page. It is empty.Screenshot 2022-09-15 113003.jpg

0 Karma

Anni
Splunk Employee
Splunk Employee

Thank you for the screenshot! My hypothesis is that your AD group does not contain the correct permissions to create or view a Mission Control incident.

Here's the link to our permissions documentation: https://docs.splunk.com/Documentation/MC/Preview/Detect/Permissions

 

If you have access to the AD group (for example LDAP), could you try adding the correct permission to your user? 

Here's more documentation for managing groups in LDAP: https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/MapLDAPgroupstoSplunkroles 

 

If you want to create and view an incident with the incident type "Default" the user would at least need the role permission "mc_analyst_edit_default."

 Screen Shot 2022-09-15 at 12.21.55 PM.png

Please let me know if that helps to solve anything! Thank you.

0 Karma

Anni
Splunk Employee
Splunk Employee

Hi @nembee! After discussing more with the engineering team, one workaround would be to add the mc_admin role if your user needs access all areas of Mission Control Preview.

We found that Mission Control Preview does not handle the admin_all_objects capability consistently, resulting in the ability to create an incident but not list or view it. A workaround to allow both creation and viewing is to assign the mc_admin role, or as I mentioned previously, the mc_analyst_all_edit role (as appropriate) to the user.

We will fix this issue in a future release. Thank you for your patience!

0 Karma

vthimmegowda
Splunk Employee
Splunk Employee

is that a valid user . Do u see this problem when u select other users like urself ?

0 Karma

nembee
Observer

Yes, it is a valid user. It is from an AD group membership. When i select other users or local accounts, it is still the same. None of the users assignment work. Incident can't be created.

0 Karma

kavitav
Splunk Employee
Splunk Employee

Hi! Thanks for trying out the app! We are looking into the error now, just so I understand, is the user you are trying to assign here yourself? or is it another user who today has access to ES? Thanks! 

0 Karma

nembee
Observer

Yes, i am trying to create a test incident and assigning it to myself. The user account is an account from AD group membership. The same error occurred if i select other users in the list including Splunk local accounts.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...