Hi there,

ServiceNow will automatically create an alert using some default processing rules if there is no matching event rule.  There are exceptions -- if the incoming event does not have a usable severity value then alert creation will fail.

One way to demonstrate this to your self is to create a new event using some "dummy" values for various fields.  Go to Event Management > All Events and click on [New] to create a new event.  Fill out the form like this:

• Source: test
• Node: <anything you want>
• Type: type
• Resource: resource
• Metric Name: metric
• Source instance: test
• Message key: (leave blank)
• Severity: <choose any value but Clear>
• Resolution state: New
• Time of event: <should default to current time>
• State: <should default to Ready>
• Alert: <leave blank>
• Description: <enter something like "test event">
• Additional information: (leave blank)

Then submit.  Wait a bit, and an alert should be created.  Take a look at the message key that ServiceNow generates for you -- this can be useful information later.

How can you prevent this?

One possible approach is to create a "catchall" event rule (one per source) and set up what you want for defaults.  For instance, you could check the box for "Ignore events that match this filter" on the Event Filter tab, or you could set the severity to a bad value on the Transform and Compose Alert Output tab.

Note that if you create a catch-all rule like this you will "break" the rule suggestion system, so you might not want to use it on your dev system.

if you want to stop "OK" events, you can write a rule that matches your source and severity value of 5 and set the "ignore" flag I mentioned above.

hope this helps you!

Regards

RP