09-29-2020 03:17 AM
Hi all, I'm trying to integrate Splunk ES with Servicenow.
The objective is to let Splunk ES open SIR on SNow and, when the SIR is closed, let it know to Splunk ES.
I'm basically following this guide: https://docs.servicenow.com/bundle/orlando-security-management/page/product/secops-integration-splunk-event-ingest/concept/splunk-event-ingest-overview-security.html
We have an on-prem Splunk ES instance and the configuration through the MID server went well (I successfully created a "Splunk Enterprise Security - Event Ingestion" security integration).
I configured an event profile to test the integration (https://docs.servicenow.com/bundle/orlando-security-management/page/product/secops-integration-splunk-event-ingest/task/splunk-event-ingest-create-profile-security.html#splunk-create-profile-security), but at the step "Mapping notable event fields for the Splunk Enterprise Security integration" when I click on "Fetch Sample Data" an error is returned: "error while fetching sample events".
I can't find any log in "System logs" to understand the cause of this error. Where can I find more info about this event?
I'm also wondering if the privileges assigned to the Splunk account are correct. I can't find any requirement about that. Any suggestion?
Thank you.
Paolo
Labels: Security Incident Response
10-09-2020 05:03 AM
Hi all, I finally managed to resolve the problem.
First of all, I needed to configure the role "ess_analyst" on Splunk for the user used by ServiceNow.
This resolved the problems in the communication between ServiceNow and Splunk.
There was still an error when ServiceNow tried to fetch notable events from Splunk.
With the help of support we found that the issue was caused by the 30-second timeout of the MID server, as the configured Splunk API in the instance was taking more than 30 seconds to fetch the results.
To overcome the 30-second timeout provided by the Platform, we created a system property in the instance, 'glide.http.outbound.max_timeout.enabled', and set its value to 'false'.
Hope this helps someone else.
Paolo
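The two root causes above (service account missing the "ess_analyst" role, and the notable-event search outrunning the MID server's 30-second timeout) can be checked before clicking "Fetch Sample Data". The script below is an added example, not code from the thread or from ServiceNow/Splunk: it takes the parsed JSON of Splunk's `/services/authentication/users/<name>` and `/services/search/jobs/<sid>` responses (`output_mode=json`) and reports what still needs fixing; the account name, job ids and durations are constructed samples.

```python
# Added example, not from the thread: offline preflight checks for the two
# causes Paolo found (service account without "ess_analyst", notable search
# slower than the MID server's 30 s timeout). The dicts mimic Splunk REST
# responses with output_mode=json; the samples at the bottom are constructed.
from typing import Dict, List, Tuple

REQUIRED_ROLE = "ess_analyst"
MID_SERVER_TIMEOUT_S = 30.0  # outbound HTTP timeout cited in the thread

def missing_roles(user_info: Dict, required=(REQUIRED_ROLE,)) -> List[str]:
    """Roles the account lacks, from the parsed response of
    GET /services/authentication/users/<name>?output_mode=json."""
    granted = set()
    for entry in user_info.get("entry", []):
        granted.update(entry.get("content", {}).get("roles", []))
    return [r for r in required if r not in granted]

def search_within_timeout(job_info: Dict, timeout_s: float = MID_SERVER_TIMEOUT_S,
                          margin: float = 0.8) -> Tuple[bool, float]:
    """Compare a search job (GET /services/search/jobs/<sid>?output_mode=json)
    against the MID server budget with a safety margin. Returns (ok, runDuration)."""
    content = job_info["entry"][0]["content"]
    duration = float(content.get("runDuration", 0.0))
    if not content.get("isDone", False):
        return False, duration  # still running: already at `duration` seconds
    return duration <= timeout_s * margin, duration

def preflight(user_info: Dict, job_info: Dict) -> List[str]:
    """Findings to fix before 'Fetch Sample Data'; empty list means all clear."""
    findings = [f"Splunk account lacks role '{r}'" for r in missing_roles(user_info)]
    ok, duration = search_within_timeout(job_info)
    if not ok:
        findings.append(f"notable search took {duration:.1f}s against a "
                        f"{MID_SERVER_TIMEOUT_S:.0f}s MID server budget; consider "
                        "glide.http.outbound.max_timeout.enabled=false")
    return findings

# Constructed samples: an account holding only the default "user" role and a
# notable-event search that ran for 42 s, plus the corrected counterparts.
SAMPLE_USER = {"entry": [{"name": "svc_servicenow", "content": {"roles": ["user"]}}]}
SAMPLE_JOB = {"entry": [{"name": "1601371000.123",
                         "content": {"isDone": True, "dispatchState": "DONE",
                                     "runDuration": 42.0}}]}
FIXED_USER = {"entry": [{"name": "svc_servicenow",
                         "content": {"roles": ["user", "ess_analyst"]}}]}
FAST_JOB = {"entry": [{"name": "1601371100.456",
                       "content": {"isDone": True, "dispatchState": "DONE",
                                   "runDuration": 8.5}}]}
```

Running `preflight(SAMPLE_USER, SAMPLE_JOB)` yields both findings; with the role granted and a search that finishes well inside the budget it returns an empty list.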
04-14-2022 05:18 AM
Hi camran,
I mentioned the MID Server because our Splunk was on-premise and not exposed to the internet, so SN couldn't call the Splunk APIs.
I think that if you have Splunk Cloud you don't need a mid server.
Paolo