Alert record remains in 'Open' status even after the event is cleared

Viknesh Pannirs · ‎03-29-2022

Dear Experts,

We are integrating ServiceNow event management with Microsoft Azure. I am facing the below issue during the integration.

"The alert record's status field remains 'Open' even after the event is cleared i.e. when the event comes with the severity 'Ok'."

For better understanding, I will explain the issue in detail.

1. (first event) An event created for a node '123' with the message key 'xxx' and Severity 'Minor'. This has created an alert and an incident as per the configured rules (Alert & Event).

2. (second event) For the same node '123' with the same message key 'xxx', the second event got created with Severity 'Ok' as the issue is resolved.

The existing alert got updated that I could see from the updated timestamp and an incident got resolved. However, the alert's status remain in 'Open'.

Due to this behavior, when the third event comes for the same node with the same message key with severity 'Minor', a the alert is not getting reopened.

Aside, I'd like to see the logs of what's happening on the background when a new event comes to ServiceNow for that what logs should I enable? Please advise.

Many thanks!

Rahul Priyadars · ‎03-29-2022

OOTB when Event Severity is sent as CLEAR it closes the ALERT and Corresponding Incidents.

OOTB event severity as OK will not close ALERT.

As per DOCS

OK: An alert is created. The resource is still functional.
Clear: No action is required. An alert is not created from this event. Existing alerts are closed.

Regards

RP

View solution in original post

Raj_Esh · ‎03-29-2022

Hi Viknesh,

KB0727802 Might fix your issue.

Hope it helps.

Thanks,

Raj

--Raj

Rahul Priyadars · ‎03-29-2022

OOTB when Event Severity is sent as CLEAR it closes the ALERT and Corresponding Incidents.

OOTB event severity as OK will not close ALERT.

As per DOCS

OK: An alert is created. The resource is still functional.
Clear: No action is required. An alert is not created from this event. Existing alerts are closed.

Regards

RP

Viknesh Pannirs · ‎04-01-2022

Thanks Rahul.

Requested the Azure team to send the events with 'Clear' status for cleared events and it resolved the issue.

Can you please also help me for my another question?

" Aside, I'd like to see the logs of what's happening on the background when a new event comes to ServiceNow for that what logs should I enable? "

Rahul Priyadars · ‎04-01-2022

When new event comes to service now _ what precisely u want to see in logs? Event--event rule applied --alert created -----alert correlation---incident created this is what happens on high level. Regards RP