Alert record remains in 'Open' status even after the event is cleared

Viknesh Pannirs · ‎03-29-2022

Dear Experts,

We are integrating ServiceNow event management with Microsoft Azure. I am facing the below issue during the integration.

"The alert record's status field remains 'Open' even after the event is cleared i.e. when the event comes with the severity 'Ok'."

For better understanding, I will explain the issue in detail.

1. (first event) An event created for a node '123' with the message key 'xxx' and Severity 'Minor'. This has created an alert and an incident as per the configured rules (Alert & Event).

2. (second event) For the same node '123' with the same message key 'xxx', the second event got created with Severity 'Ok' as the issue is resolved.

The existing alert got updated that I could see from the updated timestamp and an incident got resolved. However, the alert's status remain in 'Open'.

Due to this behavior, when the third event comes for the same node with the same message key with severity 'Minor', a the alert is not getting reopened.

Aside, I'd like to see the logs of what's happening on the background when a new event comes to ServiceNow for that what logs should I enable? Please advise.

Many thanks!

Rahul Priyadars · ‎03-29-2022

OOTB when Event Severity is sent as CLEAR it closes the ALERT and Corresponding Incidents.

OOTB event severity as OK will not close ALERT.

As per DOCS

OK: An alert is created. The resource is still functional.
Clear: No action is required. An alert is not created from this event. Existing alerts are closed.

Regards

RP

View solution in original post

Viknesh Pannirs · ‎04-03-2022

Hi Rahul,

Yes, that's flow I need to see in logs.

What logs should I enable to see them getting processed?