
Unable to create incident from Splunk in Service-Now using the add-on

las
Contributor

Hi.

I've tried to create an incident in Service-Now using the Splunk Add-on for ServiceNow.
This failed when it tried to get the password to Service-Now.
127.0.0.1 - user [23/Mar/2019:05:02:53.239 +0100] "GET /servicesNS/nobody/Splunk_TA_snow/storage/passwords/https%5C%3A%252F%252Fservicenow instance%3Adummy%3A HTTP/1.0" 403 228 - - - 0ms

How do I make this URL available, so it is possible to create incidents?

Kind regards

Lars Søndergaard

0 Karma
1 Solution

las
Contributor

Sometimes it helps to try to do the request instead of just looking at the logs.

I was missing the list_storage_passwords capability in the roles.


0 Karma
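One way to spot this condition in splunkd_access.log, as an added example that is not part of the original thread or the add-on's code: it parses access-log lines in the format posted above and reports which users were denied on a storage/passwords endpoint. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Layout as seen in the post: client, ident, user, [time], "request", status, bytes, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>.+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# /servicesNS/<owner>/<app>/storage/passwords[/<realm:username:>]
PW_RE = re.compile(
    r'^/servicesNS/(?P<owner>[^/]+)/(?P<app>[^/]+)/storage/passwords(?:/(?P<entry>.*))?$')

# First line is the one from the post; the other two are constructed for contrast.
SAMPLE = [
    '127.0.0.1 - user [23/Mar/2019:05:02:53.239 +0100] "GET /servicesNS/nobody/Splunk_TA_snow/storage/passwords/https%5C%3A%252F%252Fservicenow instance%3Adummy%3A HTTP/1.0" 403 228 - - - 0ms',
    '127.0.0.1 - admin [23/Mar/2019:05:03:10.101 +0100] "GET /servicesNS/nobody/Splunk_TA_snow/storage/passwords/https%5C%3A%252F%252Fservicenow instance%3Adummy%3A HTTP/1.0" 200 1873 - - - 3ms',
    '127.0.0.1 - user [23/Mar/2019:05:04:00.000 +0100] "GET /services/server/info HTTP/1.0" 403 180 - - - 1ms',
]

def denied_password_reads(lines):
    """Return one dict per 401/403 response on a storage/passwords endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] not in ("401", "403"):
            continue
        p = PW_RE.match(m["path"].split("?", 1)[0])
        if not p:
            continue  # denied, but not a credential-store request
        # The entry name in the posted log is percent-encoded twice (%252F), so decode twice.
        hits.append({"user": m["user"], "owner": p["owner"], "app": p["app"],
                     "status": int(m["status"]), "time": m["ts"],
                     "entry": unquote(unquote(p["entry"] or ""))})
    return hits

def summarize(hits):
    """Count denials per (user, app) so the account lacking the capability stands out."""
    return Counter((h["user"], h["app"]) for h in hits)

if __name__ == "__main__":
    for (user, app), n in summarize(denied_password_reads(SAMPLE)).items():
        print(f"{user}: {n} denied read(s) on {app}/storage/passwords; check list_storage_passwords on this user's roles")
```

A hit points at a role without list_storage_passwords, as in the accepted answer; that capability lets a role read stored credentials, so grant it to a narrowly scoped role rather than a broad one.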

lakshman239
SplunkTrust

Assuming you are on a Linux system and have access to the ServiceNow API to create a ticket/incident, would you be able to run a curl command using the creds (configured in the add-on) to create a ticket? If it works, it's likely that the 'user' making the call to passwords/username stored in Splunk_TA_snow/local is unable to get the correct creds. You may want to delete files under local, restart the instance, ensure there are no stale contents in Configuration -> General -> Credential management and re-configure the app.

0 Karma

las
Contributor

Hi.

I'm on a windows system.
It is spot on that the 'user' making the call to passwords/username stored in Splunk_TA_snow is unable to get the correct creds. The user making the call gets an HTTP return code 403 when they try to call /servicesNS/nobody/Splunk_TA_snow/storage/passwords/

So Splunk is preventing the 'user' from getting the passwords. I don't think that is done by ACLs on the filesystem.

Kind regards

0 Karma

nickhills
Ultra Champion

Have you installed the Integration application into your Service Now tenant?
https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/ConfigureServiceNowtointegratewithS...

This configures the relevant permissions and update sets so the integration can work - you are getting a 403, which might suggest the permissions are not yet configured correctly (or the credentials are incorrect)

If my comment helps, please give it a thumbs up!
0 Karma

las
Contributor

Yes, the ServiceNow integration is installed and configured.
The problem is not on the ServiceNow side, it is on the Splunk side.

This is the URL that has the problem:

GET /servicesNS/nobody/Splunk_TA_snow/storage/passwords/https%5C%3A%252F%252Fservicenow instance%3Adummy%3A

Called with https://127.0.0.1:8089, as the host

0 Karma

nickhills
Ultra Champion

Just checking - do you have proxy servers? A similar issue came up the other day where requests were being proxied - the proxy was requesting the resource from 127.0.0.1 (itself) instead of the Splunk server where the request originated.

If my comment helps, please give it a thumbs up!
0 Karma

las
Contributor

No, no proxy.

For me it looks like the alert script is requesting the credentials to Service-now from the Splunk-ta-snow app with the search's user, and gets an HTTP request denied.

Kind regards
Lars

0 Karma