Alert CI Not Populating for Events Where CI Is in Message Key
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago - last edited 3 weeks ago
Hi All,
The node name is present in the Message Key for all events. However, for some events, the CI name is also populated in the event Node field, which results in the Alert Configuration Item being populated correctly. For other events, the CI name is not populated in the Node field and appears only in the Message Key, so the Alert Configuration Item is not populated.
What could be the reason for this behavior?
How can we identify where this is breaking?
What configurations are required in Event Management to ensure the CI name is populated in the Alert Configuration Item?
Can anyone please help with this?
- Labels:
-
Event Management
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
hey @umar5
This behavior is typically related to how CI resolution is configured in Event Management.
In ServiceNow Event Management, the Alert Configuration Item is usually populated based on specific event fields such as Node, cmdb_ci, or Resource. By default, the platform does not extract the CI name from the Message Key unless explicitly configured to do so.
In your scenario:
For events where the CI name is populated in the Node field, the system is able to resolve the CI correctly and populate the Alert Configuration Item.
For events where the CI name exists only in the Message Key and not in the Node field, CI resolution fails because the system does not automatically parse the Message Key.
To troubleshoot this, you can follow these steps:
Compare a working event and a non-working event.
Check the values in:
Node
cmdb_ci
Resource
Message Key
Event Class
check Node field is empty for the events where CI is not getting populated.
Review the Event Rule that is processing these events.
Whether CI mapping is configured.
Whether Node is being used for CI resolution.
If any script is used for field transformation.
Verify CMDB data.
The CI exists in CMDB.
The name matches exactly with what is sent in the Node field.
There are no duplicate CI names.
CI Identifier rules support resolution based on the available field (Name, FQDN, IP, etc.).
you can consider one of the following approaches:
Preferred approach: Update the monitoring integration so that the CI name is always populated in the Node field.
Alternatively: Create or modify an Event Rule to extract the CI name from the Message Key and populate the Node field before CI resolution.
Also verify that CI Identifier rules are properly configured to match the incoming value.
In most cases, the issue is due to inconsistent event payloads from the monitoring source.
*************************************************************************************************************************************
If this response helps, please mark it as Accept as Solution and Helpful.
Doing so helps others in the community and encourages me to keep contributing.
Regards
Vaishali Singh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
hey @Jeff K1
Hope you are doing well.
Did my previous reply answer your question?
If it was helpful, please mark it as correct ✓ and close the thread 🔒. This will help other readers find the solution more easily.
Regards,
Vaishali Singh
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Event Management doesn't care about the message key when it comes to binding to a CI. The message key is mostly used for grouping events under a single Alert.
Without any Event Rule in place, EM will attempt to bind to a Hardware CI, based on the Node.
If you want to override that behavior, you need to go to the Binding tab in the Event Rule and Override default binding.
