Alert management rules & subflows

Fares1 · ‎02-07-2019

Hey!

I have an issue with my Alert Management Rule.

The context is that a customer wants to generate alerts (and incidents) using keywords from the subject and body of the mail. The alert generation is handled by an Inbound Action that creates said alerts.

The tricky part is generating the incident. I decided to create an Alert Management Rule to handle that using a set of filters and my action being a remediation Subflow. The Subflow as it own works perfectly when I try to test it ==> generates incident. However when the rule is applied, no Incident is generated (cf alert.png)

The subflow is inspired from the original "Create Incident" subflow from ServiceNow, I just modified it to suit my customers preferences (cf flow.png)

Is there a certain subtility I'm missing?
Thanks in advance for your help.

Gianpaolo Pagan · ‎02-07-2019

It seems the subflow actually triggered, are you saying it actually triggers but you still don't see the incident created?

If so I would suggest you to open the flow execution in flow designer and look at each step to see where it's failing.

Gp

View solution in original post

Edward Ian · ‎02-09-2019

GP, our event management setup are base on type of alert being pulled in SCOM, like CPU High, Memory High, Heartbeat Failed, IIS service has stopped and many more. Now we created separate alert management rules for Middleware alert and one for Windows alert, whats happening now is let say when a windows heartbeat alert triggered, it is expected that the incident ticket will be automatically routed to Windows Team however the incident ticket was assigned to Middleware, when I check the Alert execution for the triggered Windows heartbeat alerts, it executed the middleware alert management rule and same time it executed windows alert management rule, with the middleware alert management rule created the incident ticket instead of the intended windows alert. I suspect that this is because Multiple Alert Rules: Search for additional rules is activated, can you please advise if this is the cause on why we have two rules being executed at the same time.

Also can you advise which is the best practice for Alert Filter Stage (Alert changes to filter or Alert matches filter)

Hope you could assist us on this. thanks for your time.

Gianpaolo Pagan · ‎02-11-2019

Based on what I read I can envision 2 scenarios:

Better qualifying the alert filters so that it matches the only the desired alerts
If it is normal that more than one rule can open incidents depending on alert creation order then
1. in the alert info make sure you have different order execution values for the 2 rules.
2. make sure that in the alert filters you set "task is empty".

You could even customize the subflow for a more granular control but for your use case shouldn't be required.

I hope this helps.

Gp

Edward Ian · ‎02-12-2019

Thanks GP for your inputs, actually our alert rules was only migrated from Alert Action Rule of Kingston that why we don't use any flow designer, actually now our Alert Management rule is now executing the correct alert rule however its assigning it to ServiceDesk which we didn't define in our alert rule. So totally weird in using the Alert Management Rule.

venakula · ‎02-12-2019

Hi GP,

can you help here please

https://community.servicenow.com/community?id=community_question&sys_id=0b785fb5dbef6340afc902d5ca9619ef

stevemacamway · ‎02-07-2019

Fares - do you really need to use a custom sub-flow to generate the Incident? We are using the "EvtMgmtCustomIncidentPopulator" Script Include to customize some of the field data in the generated Incident, and it works great.

https://docs.servicenow.com/bundle/kingston-it-operations-management/page/product/event-management/task/alert-task-populator-script.html