Alert Management Rule triggered on age

StephenM
Kilo Guru

It's my understanding that alert management rules only trigger on an update to the alert record.

 

Is there a way to leverage an alert management rule based on the age of the alert? For example, increase severity if open after 30 minutes.

 

My guess is no since they only seem to evaluate upon an update and thinking I will just need to create a flow to do this.  

 

With the introduction of Flow some time back now, I am not really sure of the value of Alert Management Rules to kick off Remediation Subflows.


Shivalika
Mega Sage

Hello @StephenM 

 

If I am understanding this correctly, are you talking about "event rules"? These event rules will be working when an alert is raised but still an incident or anything is not created from it. An alert is generated from an event. So that can work.

 

If you are not talking about this - then

Out of the box - no. Using time based parameters in Alert rules such as 'Created' "relative on or after 5 minutes ago" does not work I am afraid. I was gifted some custom code by one of the SNOW ITOM guys but we never leveraged it. It forced you to wait on ALL alerts before creating an Incident: basically it sets a universal dwell period.

Kindly mark my answer as helpful and accept solution if it helped you in anyway. This will help me be recognized for the efforts and also move this questions from unsolved to solved bucket. 

 

Regards,

 

Shivalika 

 

My LinkedIn - https://www.linkedin.com/in/shivalika-gupta-540346194

 

My youtube - https://youtube.com/playlist?list=PLsHuNzTdkE5Cn4PyS7HdV0Vg8JsfdgQlA&si=0WynLcOwNeEISQCY

 

Event rules are run when events come into the system and process them into Alerts.

 

I am looking to trigger a change to the Alert if it's been open for more than 30 minutes.

 

It's advised to not create business rules against the EM_Alert table so I am not looking for that.

 

Seems I have two options

Create an alert management rule that kicks off a subflow that has a 30 minute wait

or

Create a flow against the em_alert table.

 

I am thinking the alert management rule will be more efficient as it will only create a subflow when the criteria is matching instead of constantly evaluating the em_alert table via Flow.  

Yes @StephenM 

 

These approaches are feasible as directly creating on time based parameters is not feasible. 

 

I would also second the alert management rule approach. 

 

Regards,

 

Shivalika 

I recommend that you take a look at the SRE components in ServiceNow, currently called Service Reliability Management (formerly Site Reliability Operations). It does add some management and config, but it might be interesting if you are looking to escalate Alerts that are not acted upon in a timely manner, and gives you flexibility and options, and the management of the specific configuration can be handled by team leaders rather than yourself, if you show them how to do it.