ServiceNow Security Operations Integration add-on for Splunk fails to create ServiceNow Security Incident/Event

Issue

Symptoms

When using the ServiceNow Security Operations Integration add-on for Splunk, clicking on "Create ServiceNow Security Incident" for an event on Splunk fails to create a security incident on the ServiceNow instance.

On the Incident Review page, select an event and from the "Actions" dropdown, click on "Create ServiceNow Security Incident". If a new tab opens with the Incident Review page again, the Security Incident won't be created on the ServiceNow instance.

Environment

Splunk Enterprise Security

Cause

Expected Result: Once you click on "Create ServiceNow Security Incident", a new tab opens and the search view is presented. When the search view opens in the new tab, a Python script on Splunk is triggered, which sends a REST request to the ServiceNow Table API for the Splunk import table.

Actual Result: A new tab opens and the Incident Review page is presented again. The security incident is not created on ServiceNow.

Because the Incident Review page opens again, the Python script that is supposed to make the REST request is never triggered, so no REST request is sent to the ServiceNow instance.

This might happen if the workflow actions createsnsecevent and createsnsecincident are misconfigured. The "Run in app" and "Open in view" values might be empty in the Search Configurations for these workflow actions, causing the action to open the same page (Incident Review) again instead of the search view.

Resolution

1. Go to Manage Apps.
2. Look for ServiceNow Security Operations Integration.
3. Click on "View Objects" for this app. You'll see the "createsnsecevent" and "createsnsecincident" workflow actions.
4. Open both and make the following changes:
   - Scroll down to the Search Configurations section.
   - For "Run in app", select "search" from the dropdown.
   - For "Open in view", type "search".
   - Click on Save.

Make sure to repeat the same for the other workflow action as well, even if you do not use it, because it is suspected that the configuration of one might override the other. For this reason, correct the setting in both workflow actions.

Additional Information

Getting started with the ServiceNow Security Operations add-on for Splunk
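
To check for the misconfiguration described under Cause without opening each workflow action in the UI, the following added example (not part of the original article or the add-on) scans workflow_actions.conf text for search-type actions with empty values. It assumes the "Run in app" and "Open in view" fields are stored as `search.app` and `search.view`; the sample configuration is constructed for illustration.

```python
# Added example: flag search-type workflow actions whose "Run in app"
# (assumed key: search.app) or "Open in view" (assumed key: search.view) is empty.

SAMPLE_CONF = """\
# Constructed sample, not copied from the add-on
[createsnsecevent]
type = search
search.search_string = | placeholder_search
search.app =
search.view =

[createsnsecincident]
type = search
search.search_string = | placeholder_search
search.app = search
search.view = search
"""

def parse_stanzas(text):
    """Parse [stanza] headers and key = value lines into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def find_misconfigured(text, required=("search.app", "search.view")):
    """Return {stanza: [empty or missing keys]} for search-type workflow actions."""
    problems = {}
    for name, settings in parse_stanzas(text).items():
        if settings.get("type") != "search":
            continue  # link-type actions do not use these settings
        missing = [key for key in required if not settings.get(key)]
        if missing:
            problems[name] = missing
    return problems

if __name__ == "__main__":
    for name, missing in find_misconfigured(SAMPLE_CONF).items():
        print(f"{name}: empty {', '.join(missing)}")
```

Run it against the contents of the add-on's workflow_actions.conf; any stanza it reports needs both values set to "search" as described in the Resolution.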