Alert Correlation Rule Not working for Flapping (reopend) alerts - Tag based alert Correlation Rule.

Pratik Malviya
Tera Guru

3 weeks ago - last edited 3 weeks ago

 

Hi ServiceNow Enthusiast,

I have configured an alert correlation rule using Alert Automation in the Service Operations Workspace (SOW). The alert grouping is functioning as expected for newly generated alerts; however, it does not appear to work for older alerts (approximately 30 days old) that have been reopened.


The correlation is based on tags (e.g., location) with a 15-minute time window.


Could you please assist in reviewing this behavior and advise on how it can be addressed? Your support in this matter would be greatly appreciated.


Thank you.



PratikMalviya_0-1777356547766.png

 






Please mark the appropriate response as correct answer and helpful, This may help other community users to follow correct solution.
Thanks,
Pratik Malviya
0 Helpfuls
  • 499 Views
4 REPLIES 4

Ankur Bawiskar
Tera Patron

3 weeks ago

@Pratik Malviya  

not very sure on this part.

Regards,
Ankur
Certified Technical Architect  ||  10x ServiceNow MVP  ||  ServiceNow Community Leader
0 Helpfuls

MattSN
Mega Sage

3 weeks ago

 

There are a couple of properties to look at 
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1346251


Also check evt_mgmt.active_interval property

 

0 Helpfuls

Pratik Malviya
Tera Guru
In response to MattSN

3 weeks ago - last edited 3 weeks ago

Thanks @MattSN ,

However this would affect to all the correlation alert grouping. I want it for specific Alert Correlation rule.

Please mark the appropriate response as correct answer and helpful, This may help other community users to follow correct solution.
Thanks,
Pratik Malviya
0 Helpfuls

RemcoLengers
ServiceNow Employee

a week ago - last edited a week ago

I have looked at this before and recall the following intended behavior. If the message keys are the same and alerts are re-opened and it is outside the original correlation window there will be no correlation re-applied. The rationale is that the problems are unlikely to be related to something that has happend 20 days ago. 
So this behaves are designed.

We implemented a, NOT officially, recommended tweak that clears the Event message key at Alert closure. To have each new Event seen as a new Alert and be considered for Alert grouping. Not without down sides but it could work. I'd make the  message key clearing flow only clear the subset of events that need this exact behavior to minimize the impact.

0 Helpfuls