Splunk Cloud Platform

Receiving a 401 Unauthorized error response from ServiceNow

YJ
Explorer

Hi,

Has anyone faced this issue where you received an Unauthorized 401 error response from ServiceNow?

The scenario is as below.

We are using an AD service account userA to interact with ServiceNow for incident creation.

On the Splunk side, we are using Basic Auth.

On AD, the user account is set to never expire.

So far we have checked the service account status. No changes were made, but the issue was sudden.

Ran the query:

>index=_internal sourcetype="ta_snow_ticket" host IN (search head)

The above query was the one where we saw the return code is 401 (Unauthorized).

What else can be checked? As of now, we are planning to reset the service account password and try again.

But if it works, the issue is finding what caused the password to be changed when it has been set to never expire.

 

0 Karma

PaulPanther
Builder

Have you verified that the used user has permissions to access ServiceNow via API? You could verify that with Postman or a plain curl call.

 

0 Karma
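The plain curl check suggested above, as an added example that is not part of the original thread: it sends one read-only Table API request with Basic Auth and reports how the HTTP status should be read. The environment variable names `SNOW_INSTANCE`, `SNOW_USER` and `SNOW_PASS` and both function names are assumptions.

```shell
#!/bin/sh
# Added example: probe ServiceNow Basic Auth outside Splunk.
# SNOW_INSTANCE, SNOW_USER, SNOW_PASS are assumed environment variables
# (instance name, service account, its password).

# Map an HTTP status code to what it usually means for this check.
classify_status() {
    case "$1" in
        200) echo "OK: credentials accepted and incident table readable" ;;
        401) echo "AUTH_FAILED: credentials rejected (wrong or changed password, locked or inactive account)" ;;
        403) echo "FORBIDDEN: authenticated, but roles/ACLs do not allow this table" ;;
        429) echo "THROTTLED: rate limited, retry later" ;;
        000) echo "NO_RESPONSE: DNS, TLS or network failure before any HTTP reply" ;;
        5??) echo "SERVER_ERROR: ServiceNow-side failure" ;;
        *)   echo "UNEXPECTED: HTTP $1" ;;
    esac
}

# Send one GET to the incident table and classify the status code.
# Credentials go to curl through a config on stdin (-K -) so the password
# does not show up in the process list. A password containing " or \
# would need escaping in that config line.
probe_snow() {
    url="https://${SNOW_INSTANCE}.service-now.com/api/now/table/incident?sysparm_limit=1"
    code=$(printf 'user = "%s:%s"\n' "$SNOW_USER" "$SNOW_PASS" |
        curl -K - -s -o /dev/null -w '%{http_code}' \
             -H 'Accept: application/json' --max-time 20 "$url") || true
    classify_status "$code"
}

# Only touch the network when an instance has been configured.
if [ -n "${SNOW_INSTANCE:-}" ]; then
    probe_snow
fi
```

A 401 here with the same credentials Splunk uses points at the account or password rather than the add-on; a 403 points at roles or ACLs on the ServiceNow side.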

YJ
Explorer

Hi Paul,

That was what I was suspecting: the service account's permission to access ServiceNow. The only problem I have is getting the other team (ServiceNow) to provide info for my troubleshooting, as they are denying that the issue is on their end. I was thinking that since the service account is an AD account, there will surely be a security group assigned to the service account. I have actually pointed out that the service account did not have any group assigned to it, thus there could be a possibility that the ServiceNow account does not have the permission to access ServiceNow.

There were actually similar issues where we found that some AD users' security groups were missing after an issue happened. I will try to go down this path and check the permissions again. Thanks for the advice.

0 Karma