04-14-2020 09:05 AM
Hello Community,
I am trying to set up the Splunk Add-On for ServiceNow. I did the needful in Splunk, and now when I try to activate the integration in SNow, I get the following error:
When I check the logs, there's info that the HTTP status code is 404 or 0 except 200. Do you have any idea what I could have done wrong here? Thank you in advance for your help.
Regards,
Ewelina

04-16-2020 11:09 AM
Hey
If Splunk is installed locally within a network, behind a DMZ / firewall and is not routable or accessible from the Internet -> you have to and should use a MID Server.
The screenshot of the config in the original post shows that we're not using Splunk Cloud.
- It shows we're using Splunk Enterprise
- However, if you check out the URL, Splunk Enterprise is being installed in a cloud host - that could potentially have services opened up to be accessible from the Internet
It sounds like we're after a quick temporary setup, as we're using a Splunk Enterprise Trial.
So, as mentioned, ideally the best approach is to mimic how this would be done, using a MID Server.
However, another quick win, in this scenario, for a temporary test where Splunk is installed within an Internet accessible environment (as in the cloud) -> would be to open up a network path to the Splunk instance "installed in the cloud" for ServiceNow to establish a connection to it. This is similar to how this would be performed, when using Splunk Cloud for this integration.
Either way we go here, the gotcha will be -> once the Splunk Enterprise Trial runs out, I don't believe this will work anymore. It's likely that you cannot set up triggered alerts if the Splunk Trial is up, and that is the glue of the integration.

04-15-2020 08:38 AM
Hi,
MID is compulsory for an on-premise Splunk environment.
Thanks,
Ashutosh

04-15-2020 09:19 AM
Hey there,
Noticed that you are attempting this with the "insecure" URL - which I don't believe is turned on by default (I think you have to explicitly make a config change in Splunk for connections to be allowed without HTTPS).
- Did you have an issue with a self-signed certificate, and resort to this method?
- I would try updating that URL to use HTTPS and see if that moves this forward
In your Azure setup, are you going to allow the inbound connections directly from ServiceNow, or will you plan to set up a ServiceNow MID Server? Response code 0 for the request seems like the connection is being blocked / refused...
Each setup would require a particular set of network rules to get this to work:
- ServiceNow -> ||Azure|| -> MID Server -> Splunk Enterprise Trial
- ServiceNow -> ||Azure|| -> Splunk Enterprise Trial
If you are trying to go direct to the Splunk Trial -> would validate that your Azure setup allows network connections to support that (your target host and port#).
To simulate how you'd actually set this up in a "production network", you might consider standing up a ServiceNow MID Server. You could even install the MID Server Agent locally onto the host you are already working with; and then just tell ServiceNow to go through that MID Server, and connect to Splunk locally (https://localhost:8089). This would prove out a quick setup, which it sounds like you might be targeting.
If you move beyond the network connection issue, and still have problems, it would not hurt to double check with your Splunk Sales Team, just to confirm that the Splunk Enterprise Trial supports REST API connections.
If you still don't have luck -> would open up a ServiceNow HI Support Ticket.
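
A way to tell the "0" and "404" outcomes discussed in this reply apart, as an added example that is not part of the original post or of either vendor's tooling: a probe that reports whether the TCP connection, the TLS handshake or the HTTP request failed. The `probe` function, the hint wording and the default path `/services/server/info` are assumptions of this example; run it from the host that originates the connection (for instance the MID Server host).

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

# Hints keyed by HTTP status; the wording is this example's own, not a vendor message.
STATUS_HINTS = {
    200: "reachable and answering",
    401: "reachable; the endpoint wants credentials",
    404: "an HTTP server answered, but not at this path: check host, port and base URL",
}

def probe(base_url, path="/services/server/info", timeout=5.0, verify_tls=True):
    """Return (status, hint). status 0 means no HTTP response arrived at all."""
    u = urlsplit(base_url)
    if u.scheme == "https":
        ctx = ssl.create_default_context()
        if not verify_tls:  # lab use only, e.g. a self-signed certificate
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443,
                                           timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", path)
        status = conn.getresponse().status
        return status, STATUS_HINTS.get(status, "HTTP response received")
    except ConnectionRefusedError:
        return 0, "TCP connection refused: nothing listening, or a firewall rejects the port"
    except socket.timeout:
        return 0, "timed out: packets are probably dropped on the network path"
    except ssl.SSLCertVerificationError as exc:
        return 0, f"TLS certificate not trusted: {exc.verify_message}"
    except ssl.SSLError:
        return 0, "TLS handshake failed: the port may be speaking plain HTTP"
    except http.client.HTTPException:
        return 0, "peer did not answer with HTTP: http:// used against a TLS port?"
    except OSError as exc:
        return 0, f"network error: {exc}"
    finally:
        conn.close()

if __name__ == "__main__":
    # Compare both schemes against the management port named in the post.
    for url in ("https://localhost:8089", "http://localhost:8089"):
        print(url, probe(url, timeout=3))
```
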

04-15-2020 09:47 AM
Hi,
As far as I know, we need MID for on-premise Splunk.
Thanks,
Ashutosh

04-16-2020 12:59 PM
Yes. We can even try to open that URL from the organisation network; as per my knowledge, it will reach that endpoint. But if we try to do that using an external network, it will fail.
Thanks
Ashutosh