Unable to create incidents via Splunk Add-on for ServiceNow

VennilaP · ‎02-05-2024

Hi all,

We are trying to create incidents from Splunk to ServiceNow and we are getting the below error in Splunk. we have provided the required roles for the user account and Splunk is able to pull data from ServiceNow.

2024-02-05 15:16:16,203 ERROR pid=1 tid=MainThread file=snow_ticket.py:_handle_response:477 | Failed to create ticket. Return code is 403 (Forbidden)

Can anyone help?

Thanks,

Vennila

AshishKM · ‎02-05-2024

Hi @VennilaP ,

Please check if the service account has required role to create incident. Check the create ACL on incident table.

Splunk must trying to use table API ( internally ) via basic authentication using service account, you can check the same table api url and login credential over postman, lets see if you observe same issue.

-Thanks,

AshishKM

Please mark this response as correct and helpful if it helps you can mark more that one reply as accepted solution

View solution in original post

AshishKM · ‎02-05-2024

Hi @VennilaP ,

Please check if the service account has required role to create incident. Check the create ACL on incident table.

Splunk must trying to use table API ( internally ) via basic authentication using service account, you can check the same table api url and login credential over postman, lets see if you observe same issue.

-Thanks,

AshishKM

Please mark this response as correct and helpful if it helps you can mark more that one reply as accepted solution

VennilaP · ‎02-05-2024

Hi @AshishKM ,

Yes , you are right . When I tried I received the below error.

{

"error": {

"message": "Operation Failed",

"detail": "ACL Exception Insert Failed due to security constraints"

},

"status": "failure"

}

Checking ACL . We are trying to create incident in the staging table first .

Thanks,

Vennila