RemcoLengers
ServiceNow Employee

Reducing Unnecessary Incidents with a Simple Timer

 

The Problem with Instant Incident Creation

Alerts fire, incidents get created automatically, and then... the issue resolves itself moments later. Or the remediation action just needs a few minutes to complete. Meanwhile, you're left with unnecessary incidents cluttering your queue and potentially incurring costs from external support teams.

Some events are important but not urgent. You want visibility in the Alert console, but you don't need to trigger the entire incident management process immediately—especially when a significant portion of these alerts will self-resolve.

 

The Solution: Built-in Wait Time

In the latest AIOps release (December 2025), there's now an out-of-the-box "Add wait time" feature for alert automation. It gives alerts time to auto-resolve or downgrade before an incident is created, so the need for intervention is validated first.

Sometimes it's the small features that make the biggest difference in getting started quickly. While you could always build this logic using Flow Designer, having it available OOTB accelerates implementation and standardizes best practices.

 

Why This Matters

Cost Control: Incidents represent the bulk of operational handling costs. If you're routing incidents to external parties, each one comes with a price tag. Reducing unnecessary incident creation directly impacts your bottom line.

Efficiency: Let automated remediation actions complete their work before escalating. Give your environment a chance to self-heal.

Intelligence Gathering: During the wait time, AI agents can collect diagnostic information around the issue and pre-load the alert with context. If an incident does need to be created, it arrives with relevant logs, metrics, and analysis already attached—giving your team a head start on resolution.

Focus: Your team stays focused on genuine issues rather than chasing transient problems that disappear on their own.

 


 

How to Configure It

Assuming you have the latest AIOps experience installed (December 2025 release), here's the path:

  1. Navigate to Workspaces > Service Operations Workspace
  2. Go to ITOM AIOps Configuration Center
  3. Select Optimize > Respond to Alerts
  4. Click Create automation
  5. Give your automation a name
  6. Fill in "If these conditions are met..." so the automation is triggered in the right circumstances
  7. Jump to "Then, apply the following actions"
  8. Switch on "Run other response actions"
  9. Select the "Create Incident Advanced" subflow
  10. Enable "Add wait time"

From there, you can configure:

  • Wait duration (Hours, Minutes, Seconds)
  • Conditions to validate after the wait period (e.g., State is not Closed, Severity is Critical)

The system will only create the incident if the alert still meets your defined conditions after the wait period expires.

 

Real-World Application

Configure wait times based on your alert patterns:

  • Infrastructure alerts: 5-10 minutes for auto-remediation to complete and AI agents to gather system diagnostics
  • Performance alerts: 3-5 minutes to see if the spike was temporary while collecting performance metrics and trends
  • Capacity alerts: Longer waits for trending analysis and resource utilization data collection

The flexibility to set conditions means you can create sophisticated logic: "Wait 5 minutes, then create an incident only if the alert is still open AND severity remains Critical." During those 5 minutes, your automation can trigger diagnostic collection workflows, allowing AI agents to enrich the alert with the information responders will need.
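The wait-then-recheck decision described above, modeled as an added example (not ServiceNow code and not part of the original post): it replays constructed alert histories in plain JavaScript to compare how many incidents different wait durations would create. The alert shape, field names and function names are assumptions made for illustration.

```javascript
// Constructed sample histories (not real data). `t` is seconds since the
// alert was raised; updates are assumed to be listed in time order.
const sampleAlerts = [
  { id: "A1", updates: [{ t: 0, state: "Open", severity: "Critical" },
                        { t: 90, state: "Closed", severity: "Critical" }] },  // self-resolved
  { id: "A2", updates: [{ t: 0, state: "Open", severity: "Critical" },
                        { t: 200, state: "Open", severity: "Minor" }] },      // downgraded
  { id: "A3", updates: [{ t: 0, state: "Open", severity: "Critical" }] },     // genuine issue
  { id: "A4", updates: [{ t: 0, state: "Open", severity: "Critical" },
                        { t: 400, state: "Closed", severity: "Critical" }] }, // slow remediation
];

// The alert as it looks `t` seconds after it was raised (latest update <= t).
function snapshotAt(alert, t) {
  let current = null;
  for (const u of alert.updates) {
    if (u.t <= t) current = u;
  }
  return current;
}

// Post-wait condition from the article: still open AND severity still Critical.
function stillActionable(snap) {
  return snap !== null && snap.state !== "Closed" && snap.severity === "Critical";
}

// IDs of the alerts that would become incidents once the wait has expired.
function incidentsFor(alerts, waitSeconds, condition = stillActionable) {
  return alerts
    .filter((a) => condition(snapshotAt(a, waitSeconds)))
    .map((a) => a.id);
}

// Compare candidate waits: incidents created versus alerts held back.
function compareWaits(alerts, waits) {
  return waits.map((w) => {
    const created = incidentsFor(alerts, w);
    return { waitSeconds: w, incidents: created.length,
             suppressed: alerts.length - created.length };
  });
}

console.table(compareWaits(sampleAlerts, [0, 300, 600]));
```

The wait is also the delay added to every genuine incident (A3 here), so replaying your own alert history this way shows what each extra minute buys in suppressed incidents.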

 

The Bottom Line

This feature represents ServiceNow's commitment to practical, user-driven enhancements. It proves that sometimes the most impactful improvements aren't flashy new modules—they're thoughtful additions to existing workflows that save time, reduce costs, and improve operational efficiency from day one.

 

Have you implemented wait time logic in your alert automation? Share your use cases and wait time strategies in the comments below!