Alert Correlation Rules
‎07-17-2023 07:00 AM
In ServiceNow, for alerts coming from different sources, could you let me know the script to define primary and secondary alerts in an alert correlation rule?
‎07-21-2023 09:34 PM
Hello, I am an expert in this field, so I have written code in my answer. Please try it and tell me how it went:
// This is a sample script to define primary and secondary alerts in an alert correlation rule.
// It runs server-side (e.g. in a Background Script or Script Include) and uses GlideRecord.

// Define the primary alert condition (example: High severity alerts from a specific source)
var primarySource = 'SourceA';
var primarySeverity = '1'; // Assuming '1' represents high severity
var primaryAlerts = [];
var primaryAlertGr = new GlideRecord('em_alert'); // Replace 'em_alert' with the appropriate table name for alerts
primaryAlertGr.addQuery('source', primarySource);
primaryAlertGr.addQuery('severity', primarySeverity);
primaryAlertGr.query();
while (primaryAlertGr.next()) {
    // Collect the record's sys_id. The alert table identifies records by sys_id (and the
    // human-readable 'number' field); getUniqueValue() returns the sys_id.
    primaryAlerts.push(primaryAlertGr.getUniqueValue());
}

// Define the secondary alert condition (example: Medium severity alerts from another source)
var secondarySource = 'SourceB';
var secondarySeverity = '2'; // Assuming '2' represents medium severity
var secondaryAlerts = [];
var secondaryAlertGr = new GlideRecord('em_alert'); // Replace 'em_alert' with the appropriate table name for alerts
secondaryAlertGr.addQuery('source', secondarySource);
secondaryAlertGr.addQuery('severity', secondarySeverity);
secondaryAlertGr.query();
while (secondaryAlertGr.next()) {
    secondaryAlerts.push(secondaryAlertGr.getUniqueValue());
}

// Now, correlate the primary and secondary alerts based on certain criteria.
// For example, you can create an incident and associate the secondary alerts with the primary alert.
if (primaryAlerts.length > 0) {
    // Create an incident for the primary alert
    var incidentGr = new GlideRecord('incident'); // Replace 'incident' with the appropriate table name for incidents
    incidentGr.initialize();
    incidentGr.short_description = 'Primary Alert Incident';
    var incidentId = incidentGr.insert(); // insert() returns the sys_id of the new incident

    // Associate the secondary alerts with the incident (update the 'correlation_id' field).
    // Only query when there is something to update: an 'IN' query takes a comma-separated
    // string of values, not a JavaScript array.
    if (secondaryAlerts.length > 0) {
        var secondaryUpdateGr = new GlideRecord('em_alert'); // Replace 'em_alert' with the appropriate table name for alerts
        secondaryUpdateGr.addQuery('sys_id', 'IN', secondaryAlerts.join(','));
        secondaryUpdateGr.query();
        while (secondaryUpdateGr.next()) {
            // Confirm that 'correlation_id' (or the field you use to link alerts) exists on your alert table
            secondaryUpdateGr.setValue('correlation_id', incidentId);
            secondaryUpdateGr.update();
        }
    }
}
Please note that this is only example content, and you may have to tweak it based on your particular use case, table names, and field values in your ServiceNow instance. Also, make sure to thoroughly test any alert correlation rules before applying them in a production environment.