
capability to auto assign P1 priority to a proactive incident when 50%

Snowl13052025
Tera Contributor

Capability to auto-assign P1 priority to a proactive incident when 50% or more devices (Router) at a site location go down.

  1. First router down at a site
    → Create P2 incident (standard BAU behavior).
  2. While Router1 is already down (incident open), Router2 at the same site goes down
    → Check all routers for the site.
    → If more than 50% of routers at that site have active alerts, then:
    • Create a new P1 incident immediately (0 sec wait).
  3. Generic rule
    → If >50% of site routers have active “Router Down” alerts at any time
    Raise P1 with 0 sec wait.

Could anyone please help to develop this in Event Management?

Thanks in advance.

 

2 REPLIES

Fabian Kunzke
Mega Sage

Hey,

 

This is a perfect use case of when to use a dynamic CI group.

 

Here is my approach:

Firstly, group all routers of a site together into a dynamic CI group.

Next, you need to decide if you want to have a group alert for all the alerts in the same dynamic CI group, or more specifically for this use case. I'd prefer to, as it would mean you only have to create one incident, but that is down to your overall requirements. If you want just one incident, you will need to create an alert grouping rule.

 

Now down to the fun part. The logic here is that every new alert generated needs to check if more than 50% of all the routers in your site (in the dynamic CI group) are related to an active incident. You can query the svc_ci_assoc table for that. Ideally you filter it down to only operational ones. Next, just check if there are active alerts for each of them. If more than half have active alerts attached to them, you can generate/promote the incident.

 

Put this logic inside a flow and trigger it via an alert management rule and it should solve your use case.

 

Regards

Fabian

Mohit 101
Tera Contributor

Hello @Snowl13052025 ,

According to me, you can use all these steps:

1. Set up the Dynamic CI Groups 
Instead of manually listing routers, create one Dynamic CI Group per site. 
  • CMDB Group: Create a CMDB Group for each site with a query: Class = Router AND Location = [Site Name].
  • Dynamic CI Group: Link it to the CMDB Group. This group now "owns" all routers at that specific location.
2. Updated Logic for Flow Designer
1. Set up the Flow Trigger
 
  • Create a new Subflow (or copy the OOB Create Incident subflow).
  • Define Inputs: Set an input variable of type Reference pointing to the em_alert (Alert) table.
  • Trigger Mechanism: This subflow will be called by an Alert Management Rule. 
2. Identify the Dynamic CI Group
  • Action: Look Up Record on the cmdb_ci_query_based_service table (the table for Dynamic CI Groups).
  • Condition: Find the record where the Location matches Alert > Configuration Item > Location. 
3. Count Total Routers in the Group
  • Action: Look Up Records on the svc_ci_assoc (Service CI Association) table.
  • Condition: Service ID IS the SysID of the Dynamic CI Group found in Step 2 AND Configuration Item > Class IS Router.
  • Store Count: Use the Count data pill from this action to determine the total router inventory for that site. 
4. Count Routers with Active Alerts
  • Action: Look Up Records on the em_alert table.
  • Condition:
    • State IS NOT Closed OR Resolved.
    • Configuration Item > Location IS Alert > Configuration Item > Location.
    • Description CONTAINS "Router Down".
  • Store Count: Use this Count data pill for the numerator in your calculation.
5. Threshold Calculation & Incident Creation
  • Flow Logic: Add a Custom Script Action or an If condition to calculate the percentage.
  • Condition: If (Active Alert Count / Total Router Count) >= 0.5:
    • Action: Create Record in the incident table.
      • Urgency/Impact: Set to 1 - High (resulting in P1).
      • Description: "Critical Site Outage: >50% Routers Down at [Location]."
      • Wait: Ensure no "Wait" conditions are added to satisfy your 0 second wait requirement.
  • Else (If percentage is < 0.5):
    • Action: Create Record in the incident table with P2 priority. 
6. Link Alerts to the Incident
  • Action: Update Record (the Alert that triggered the flow).
  • Fields: Set the Incident field to the SysID of the incident created in Step 5.
7. Activate via Alert Management Rule 
  • Navigate to: Event Management > Rules > Alert Management Rules.
  • Filter: Description CONTAINS Router Down AND Severity IS Critical/Major.
  • Actions Tab: Select your new Subflow. Set it to run Automatically. 

Mark it helpful if this helps you to understand. Accept solution if this gives you the answer you're looking for.

Thank You
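
The threshold check both replies describe, as an added example that is not part of either post: plain JavaScript over constructed rows (no ServiceNow API is called), counting distinct routers rather than alert rows so that two alerts on one router do not inflate the ratio. The row shapes, the state labels and the `inclusive` switch (for "more than 50%" versus "50% or more") are assumptions.

```javascript
// Added example. Row shapes are assumptions mirroring the tables in the thread:
//   siteRouters ~ svc_ci_assoc rows of the site's Dynamic CI Group
//   alerts      ~ em_alert rows for the same site
const INACTIVE_STATES = new Set(['Closed', 'Resolved']); // assumed state labels

function sitePriority(siteRouters, alerts, opts = {}) {
  const { threshold = 0.5, inclusive = false, match = 'Router Down' } = opts;

  // Denominator: distinct operational routers in the group.
  const routers = new Set(siteRouters.filter(r => r.operational).map(r => r.ci));

  // Numerator: distinct routers with at least one active matching alert.
  const down = new Set();
  for (const a of alerts) {
    if (INACTIVE_STATES.has(a.state)) continue;                 // closed or resolved
    if (!String(a.description || '').includes(match)) continue; // other alert types
    if (routers.has(a.ci)) down.add(a.ci);                      // ignore non-group CIs
  }

  // No routers or no outage: nothing to raise (also avoids division by zero).
  if (routers.size === 0 || down.size === 0) {
    return { priority: null, down: down.size, total: routers.size };
  }
  const ratio = down.size / routers.size;
  const breached = inclusive ? ratio >= threshold : ratio > threshold;
  return { priority: breached ? 1 : 2, down: down.size, total: routers.size };
}

// Constructed sample data for one site: four operational routers, one retired.
const SAMPLE_ROUTERS = [
  { ci: 'R1', operational: true }, { ci: 'R2', operational: true },
  { ci: 'R3', operational: true }, { ci: 'R4', operational: true },
  { ci: 'R5', operational: false },
];
const SAMPLE_ALERTS = [
  { ci: 'R1', state: 'Open', description: 'Router Down: no ICMP reply' },
  { ci: 'R1', state: 'Open', description: 'Router Down: BGP peer lost' }, // same router twice
  { ci: 'R2', state: 'Closed', description: 'Router Down' },             // already closed
  { ci: 'SW1', state: 'Open', description: 'Router Down (uplink)' },     // not in the group
  { ci: 'R4', state: 'Open', description: 'High CPU' },                  // different alert
];
const R2_DOWN = { ci: 'R2', state: 'Open', description: 'Router Down' };
const R3_DOWN = { ci: 'R3', state: 'Open', description: 'Router Down' };

console.log(sitePriority(SAMPLE_ROUTERS, SAMPLE_ALERTS));
console.log(sitePriority(SAMPLE_ROUTERS, [...SAMPLE_ALERTS, R2_DOWN]));
console.log(sitePriority(SAMPLE_ROUTERS, [...SAMPLE_ALERTS, R2_DOWN], { inclusive: true }));
```

With exactly half the routers down, the strict and inclusive comparisons give different priorities, so the choice between them has to be made explicitly in the flow condition.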