Splunk Event Ingestion integration error

Ewelina3
Giga Contributor

Hello Community,

I am trying to set up the Splunk Add-On for ServiceNow. I did the needful in Splunk, and now when I try to activate the integration in SNow, I get the following error:
[image]

When I check the logs, there's info that the HTTP status code is 404 or 0 except 200. Do you have any idea what I could have done wrong here? Thank you in advance for your help.

Regards,
Ewelina

1 ACCEPTED SOLUTION

Hey @Ashutosh Munot  - that's correct.

If Splunk is installed locally within a network, behind a DMZ / firewall and is not routable or accessible from the Internet -> you have to and should use a MID Server.

The screenshot of the config in the original post shows that we're not using Splunk Cloud.

  • It shows we're using Splunk Enterprise
  • However, if you check out the URL, Splunk Enterprise is being installed in a cloud host - that could potentially have services opened up to be accessible from the Internet

It sounds like we're after a quick temporary setup, as we're using a Splunk Enterprise Trial.

So, as mentioned, ideally the best approach is to mimic how this would be done, using a MID Server. 

However, another quick win in this scenario, for a temporary test where Splunk is installed within an Internet-accessible environment (as in the cloud) -> would be to open up a network path to the Splunk instance "installed in the cloud" for ServiceNow to establish a connection to it. This is similar to how this would be performed when using Splunk Cloud for this integration.

Either way we go here, the gotcha will be -> once the Splunk Enterprise Trial runs out, I don't believe this will work anymore. It's likely that you cannot set up triggered alerts if the Splunk Trial is up, and that is the glue of the integration.


9 REPLIES

Ashutosh Munot1
Kilo Patron

Hi,

The image is broken. Can you send it again?

Thanks,
Ashutosh

Sure:

[image]

Is it visible now?

Best regards,

Ewelina

Hi,

Yes, thanks for this. I can see the image, but can you also check the logs and provide the information?

Also, we have to check a few things, like the version of Splunk and the API password, and is your Splunk on cloud?

Thanks,
Ashutosh

Ewelina3
Giga Contributor

Hello, 

Sure, logs are below:

[image]

Splunk version: Splunk Enterprise Trial 8.0.2 and no, it's not cloud, it's on-premise, but I don't have any MID Server configured.

I set the API login and password to just my Splunk user's credentials; is that correct?

Regards,

Maria