guilhemmarchand / TA-jira-service-desk-simple-addon

Atlassian JIRA add-on for Splunk alert actions

Adaptive Response Action Cannot Be Dispatched, Unexpected Token < in JSON at position 0 #81

Closed tcsalone closed 3 years ago

tcsalone commented 3 years ago

Hello,

Trying to find an easy way to create JIRA tickets from notable events in ES. Installed "JIRA Service Desk simple addon" v 1.0.26. When we try to create a ticket, we get an error "Adaptive Response Action Cannot Be Dispatched, Unexpected Token < in JSON at position 0".

Basic connectivity seems to work, the app is able to read info from our JIRA instance and populate some dropdown menus. JIRA is hosted in the cloud; we're also on Splunk Cloud 8.1.

Turned on debug, don't see any content in the error reporting searching within the app. Any ideas on where to troubleshoot?

[image: jira_desk_error]

guilhemmarchand commented 3 years ago

Hi @tcsalone

I will check it out, and will let you know ASAP, the adaptive response action per incident review was working fine earlier, so there might have been a regression I haven't noticed.

However, the best approaches to create JIRA tickets from notable events in a programmatic and automated fashion are the following:

  1. Create a global alert looking at notable events

Create an alert which enables the JIRA alert action and looks at the notable events out of ES, say "Notables to JIRA". In this alert, which you create in another application namespace (like the search app), you take all notables, then you can, for instance, eventually filter on notables that match specific criteria, say:

`notables` | search source=*<my source filter>*

A common approach is to maintain in a lookup a list of correlation searches for which the JIRA ticket creation should be enabled, then filter against it, say

`notables` | lookup <my lookup> search_name OUTPUT enable_jira | where enable_jira="true"

(this is an example for explanation purposes)

Then you make sure the alert is configured to trigger for each result, you configure the alert action properly, and you can define in the SPL or the lookup additional information you would want to submit while creating the ticket, recycling the row results as variables (ex: $result.myfield$), and that's it ;-)

This approach is the better design and PS recommended.

  2. Enable the alert action per correlation search

You can as well enable the alert action per correlation search and use the form to set the JIRA options as needed. The trap is to make sure to enable "Trigger for each result", which has to be made out of the ES content management UI as it is a different option (you need to go via Settings / Searches, reports and alerts).

So, to summarise, the issue which you opened is the creation of notable as per a manual action in IR; this is fine and should be working, so I will check, but it's not the common way to create JIRAs from notables.

Guilhem
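
The first approach in the comment above, written out as a `savedsearches.conf` stanza. This is an added example, not part of the original comment or the add-on's own configuration; the schedule, the lookup name `jira_enabled_searches` and the `<jira_alert_action>` placeholder are assumptions.

```ini
# savedsearches.conf in the app that owns the alert (for example the search app).
# Constructed example: schedule, lookup name and action placeholder are assumptions.
[Notables to JIRA]
# Filter from the comment: keep only notables whose correlation search is enabled
# in the lookup. jira_enabled_searches is a hypothetical lookup with the columns
# search_name and enable_jira.
search = `notables` | lookup jira_enabled_searches search_name OUTPUT enable_jira | where enable_jira="true"
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
# Fire whenever the search returns at least one row.
counttype = number of events
relation = greater than
quantity = 0
# "Trigger for each result": 0 runs the alert action once per result row,
# 1 (the default) runs it once for the whole result set.
alert.digest_mode = 0
alert.suppress = 0
# Replace <jira_alert_action> with the stanza name found in the add-on's
# alert_actions.conf. The action's own parameters can reference row fields
# as tokens such as $result.myfield$.
action.<jira_alert_action> = 1
```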

guilhemmarchand commented 3 years ago

@tcsalone

I have tried unsuccessfully to replicate a failure while calling the Adaptive Response from Incident Review (not in Splunk Cloud thus), and things are working as they should:

[7 images]

It could eventually be a Cloud thing if the Cloud automation removes some stuff it shouldn't, but a bit unlikely.

guilhemmarchand commented 3 years ago

Any update @tcsalone ?

guilhemmarchand commented 3 years ago

Closing with no response - if still an issue please re-open