SNow-Splunk ES integration

Paolo6
Kilo Expert

Hi all, I'm trying to integrate Splunk ES with Servicenow.

The objective is to let Splunk ES open SIR on SNow and, when the SIR is closed, let it know to Splunk ES.

I'm basically following this guide: https://docs.servicenow.com/bundle/orlando-security-management/page/product/secops-integration-splunk-event-ingest/concept/splunk-event-ingest-overview-security.html

We have an on-prem Splunk ES instance and the configuration through the MID server went well (I successfully created a "Splunk Enterprise Security - Event Ingestion" security integration).

I configured an event profile to test the integration (https://docs.servicenow.com/bundle/orlando-security-management/page/product/secops-integration-splunk-event-ingest/task/splunk-event-ingest-create-profile-security.html#splunk-create-profile-security), but at the step "Mapping notable event fields for the Splunk Enterprise Security integration" when I click on "Fetch Sample Data" an error is returned: "error while fetching sample events".

I can't find any log in "System logs" to understand the cause of this error. Where can I find more info about this event?

I'm also wondering whether the privileges assigned to the Splunk account are correct. I can't find any requirement about that. Any suggestion?

Thank you.

Paolo

1 ACCEPTED SOLUTION

Paolo6
Kilo Expert

Hi all, I finally managed to resolve the problem.

First of all, I needed to configure the role "ess_analyst" on Splunk for the user used by ServiceNow.

This resolved problems in the communications between ServiceNow and Splunk.

There was still an error when ServiceNow tried to fetch notable events from Splunk.

With the help of support we found that the issue was caused by the 30 second timeout of the MID server, as the configured Splunk API in the instance was taking more than 30 seconds to fetch the results.

To overcome the 30 second timeout provided by the Platform, we created a system property in the instance, 'glide.http.outbound.max_timeout.enabled', and set its value to 'false'.

Hope this helps someone else.

Paolo

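A preflight check for the two causes named in this accepted answer (a service account without the ess_analyst role, and a notable search that outruns the MID server's 30 second timeout), as an added example that is not the poster's code or either vendor's. The Splunk REST endpoints are the documented ones; the base URL, token, search string and sample reply are assumptions.

```python
"""Preflight for the ServiceNow -> Splunk ES notable-event fetch (added example,
not code from the thread or either vendor). It checks the two failure modes from
the accepted answer: a service account without the ess_analyst role, and the
notable search outrunning the MID server's 30 second outbound timeout."""
import json
import time
import urllib.parse
import urllib.request

MID_TIMEOUT_SECONDS = 30.0        # platform default quoted in the thread
REQUIRED_ROLES = {"ess_analyst"}  # role the accepted answer had to add
NOTABLE_SEARCH = "search `notable` | head 10"  # constructed sample query

def missing_roles(current_context_json: str) -> set:
    """REQUIRED_ROLES absent from a /services/authentication/current-context reply."""
    entry = json.loads(current_context_json)["entry"][0]
    return REQUIRED_ROLES - set(entry["content"].get("roles", []))

def timeout_verdict(elapsed_seconds: float, limit: float = MID_TIMEOUT_SECONDS) -> str:
    """Classify a measured search duration against the MID server timeout."""
    if elapsed_seconds >= limit:
        return "exceeds_timeout"  # MID server aborts: 'error while fetching sample events'
    if elapsed_seconds >= 0.8 * limit:
        return "near_timeout"     # passes today, will fail as the notable index grows
    return "ok"

def measure_search_seconds(base_url: str, token: str, search: str = NOTABLE_SEARCH) -> float:
    """Run a oneshot search as the service account over Splunk's REST API (port 8089)
    and return the wall-clock seconds it took, i.e. what the MID server would wait."""
    body = urllib.parse.urlencode({"search": search, "exec_mode": "oneshot",
                                   "output_mode": "json"}).encode()
    req = urllib.request.Request(f"{base_url}/services/search/jobs", data=body,
                                 headers={"Authorization": f"Bearer {token}"})
    started = time.monotonic()
    with urllib.request.urlopen(req, timeout=MID_TIMEOUT_SECONDS * 2) as resp:
        resp.read()
    return time.monotonic() - started

def preflight(current_context_json: str, elapsed_seconds: float) -> list:
    """Human-readable findings; an empty list means both checks passed."""
    findings = [f"service account lacks Splunk role '{r}'"
                for r in sorted(missing_roles(current_context_json))]
    verdict = timeout_verdict(elapsed_seconds)
    if verdict != "ok":
        findings.append(f"notable search took {elapsed_seconds:.1f}s ({verdict}); "
                        "consider glide.http.outbound.max_timeout.enabled=false")
    return findings

# Constructed current-context reply for an under-privileged account (assumed name).
SAMPLE_CONTEXT = json.dumps({"entry": [{"name": "svc_servicenow",
                                         "content": {"roles": ["user"]}}]})
```

Run `preflight(SAMPLE_CONTEXT, measure_search_seconds("https://splunk.example:8089", "<token>"))` against a real instance; with the constructed sample and a 47.2 s search it reports both findings.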

9 REPLIES

Chris McDevitt
ServiceNow Employee

Hi,

Try 'sn_sec_splunkes.api_account_access' role in splunk.

https://docs.servicenow.com/bundle/paris-security-management/page/product/secops-integration-splunk-event-ingest/task/splunk-event-ingest-checklist-security.html

Go ahead and mark this as helpful or Correct!

Ashutosh Munot1
Kilo Patron

Hi,

I recently did this integration and these are my thoughts on what you can check:

1) You need to check the ECC queues for the endpoints and the error.

2) You need to sit with your Splunk ES admin to check the hits you are doing to that endpoint, because he knows if the permissions are enough or not.

3) When I say he knows, it means that he can see denied or granted for those endpoint components in Splunk.

4) We started by giving admin rights to the user in Splunk and then reduced the rights eventually.

So please sit with him and check what is happening over the network.

Thanks,
Ashutosh

Anshu3
Kilo Contributor

Hi Paolo,

I am facing the same error: "Error while fetching sample events". I tried creating the property which you mentioned, but it didn't work in my case.

Point to highlight here: I am able to fetch events for other profiles. However, it is creating issues for 2 specific profiles. I tried getting sample event IDs, but that didn't work either.

Anything you want to suggest in my case?

Thanks for your help in advance!