Alert is created even though no event rule is applied

masahironaka
Tera Contributor

We use event management.
We manually triggered the event in a condition where no alert was created to verify.
However, the alert is created and the following message is displayed:

message: Event rules are not applied.

So an alert is being created even though there is no event rule applied.

【question】
①Please tell me why an alert is created even though the applicable event rule does not occur.
②Is it possible that the alert is created because of event rule or business rule?

Thank you.

5 REPLIES

Rahul Priyadars
Giga Sage

Hi there,

ServiceNow will automatically create an alert using some default processing rules if there is no matching event rule.  There are exceptions -- if the incoming event does not have a usable severity value then alert creation will fail.

One way to demonstrate this to yourself is to create a new event using some "dummy" values for various fields.  Go to Event Management > All Events and click on [New] to create a new event.  Fill out the form like this:

  • Source: test
  • Node: <anything you want>
  • Type: type
  • Resource: resource
  • Metric Name: metric
  • Source instance: test
  • Message key: (leave blank)
  • Severity: <choose any value but Clear>
  • Resolution state: New
  • Time of event: <should default to current time>
  • State: <should default to Ready>
  • Alert: <leave blank>
  • Description: <enter something like "test event">
  • Additional information: (leave blank)

Then submit.  Wait a bit, and an alert should be created.  Take a look at the message key that ServiceNow generates for you -- this can be useful information later.

How can you prevent this?

One possible approach is to create a "catchall" event rule (one per source) and set up what you want for defaults.  For instance, you could check the box for "Ignore events that match this filter" on the Event Filter tab, or you could set the severity to a bad value on the Transform and Compose Alert Output tab.

Note that if you create a catch-all rule like this you will "break" the rule suggestion system, so you might not want to use it on your dev system.

If you want to stop "OK" events, you can write a rule that matches your source and severity value of 5 and set the "ignore" flag I mentioned above.

Hope this helps you!

Regards

RP

Thank you for suggesting a workaround.
What exactly are "some default processing rules"?
Do you know why an alert is created when there are no event rules applied?

I think for this you need to drill down into the Script Includes related to the Event Processing scheduled jobs.

https://docs.servicenow.com/en-US/bundle/vancouver-it-operations-management/page/product/event-manag...

Regards

RP

VaranAwesomenow
Mega Sage

In order to debug how the alert got generated, set the system property evt_mgmt.log_debug to true, open the event and select simulate event processing. It should print logs in the system logs with source as eventruleengine that explain how the alert is created and what event rules are considered before failing to match an event rule. It also provides details of which event field mapping is used.