Updating Splunk Notable Event from Servicenow

arpitt · ‎04-10-2019

Hi Champs,

I am trying to make a connection to splunk to update the notable event, but getting 400 error. Kindly suggest.

Error screenshot below:

andy_ojha · ‎04-10-2019

Hey there,

A few items to check out:

The user account leveraged here, what permissions does it have; does it include `edit_notable_events` capability?

It almost appears as though the request might be malformed when it reaches Splunk (based on 400 error)
- Are you able to replicate this POST message using another tool / client like Curl or Postman, to validate your ability to remotely update notable events successfully?
- - I would go this route first, and structure a few POST messages that work successfully
  - Start small with something basic like updating the Urgency of an ES Notable
- You can try increase the logging on your REST Message in ServiceNow (Set HTTP Log Level related link, on the POST message) and then check what it looks like via System Logs -> Outbound HTTP Requests

If you are unsuccessful at crafting a POST message using Curl or Postman, your best bet would be to submit a question to the Splunk community (answers.splunk.com).

Then you could take your ironed out POST message to update an ES Notable and re-create that in ServiceNow.

Hope that helps.

View solution in original post

andy_ojha · ‎04-10-2019

Hey there,

A few items to check out:

The user account leveraged here, what permissions does it have; does it include `edit_notable_events` capability?

It almost appears as though the request might be malformed when it reaches Splunk (based on 400 error)
- Are you able to replicate this POST message using another tool / client like Curl or Postman, to validate your ability to remotely update notable events successfully?
- - I would go this route first, and structure a few POST messages that work successfully
  - Start small with something basic like updating the Urgency of an ES Notable
- You can try increase the logging on your REST Message in ServiceNow (Set HTTP Log Level related link, on the POST message) and then check what it looks like via System Logs -> Outbound HTTP Requests

If you are unsuccessful at crafting a POST message using Curl or Postman, your best bet would be to submit a question to the Splunk community (answers.splunk.com).

Then you could take your ironed out POST message to update an ES Notable and re-create that in ServiceNow.

Hope that helps.

andy_ojha · ‎04-10-2019

Also - there are differences between Splunk Cloud and Splunk Enterprise (on-premise)... Depending on which environment you are working with, your target URL will be different.

This would also be handy to include in your question to (answers.splunk.com) if you post your question there as well.

Eric Smith · ‎07-26-2022

hi there. hope you've found a solution. i'd like to propose another approach toward this integration. we use connectors (one in particular) to connect and sync the systems - zigiops. and we did not encounter any issue, it is still perfectly working. upon connecting splunk and snow it can easily update either of the systems in question.

Ganesh90 · ‎08-16-2023

Hi Eric, we are also using the splunk on cloud with ootb coonector, problem i am facing is that its not fetching the updated notable event.

Once servicenow fetched the event and then after updating that event in splunk es console for escalation its not getting updated in servicenow es import table and not matching out escalation creteria to create SIR