Creating alerts from Events and Incidents from Alerts

Go to solution
Fares1
Kilo Expert

‎01-31-2019 03:11 AM

Hello!

I have to put in place a system of Incident creation based on Inbound Email Actions.
I managed to create an Event rule that creates events according to the conditions put in place by the customer, however I can't see where I can create an "alert rule" that creates alerts when these kinds of events are created.

I think Alert Management rules can create incidents but my main issue is the Event rule - Alert rule correlation.

 

Thanks in advance,
Fares K.

Labels:
0 Helpfuls
  • 3,728 Views
1 ACCEPTED SOLUTION

Go to solution
Gianpaolo Pagan
ServiceNow Employee
ServiceNow Employee

‎01-31-2019 03:43 AM

Hi Fares,

 

If you have events that are properly populated, with all the key fields correctly set then Alerts are automatically created.

Then you have to make sure you have the message key field properly and consistently populated so that alerts can be updated when new update events come in (see this post).

Are you seeing no value in the alert field for the events you are getting?

 

Gp

View solution in original post

3 REPLIES 3

Go to solution
Gianpaolo Pagan
ServiceNow Employee
ServiceNow Employee

‎01-31-2019 03:43 AM

Hi Fares,

 

If you have events that are properly populated, with all the key fields correctly set then Alerts are automatically created.

Then you have to make sure you have the message key field properly and consistently populated so that alerts can be updated when new update events come in (see this post).

Are you seeing no value in the alert field for the events you are getting?

 

Gp

Go to solution
Fares1
Kilo Expert
In response to Gianpaolo Pagan

‎01-31-2019 04:04 AM

Thanks for your answer Gianpaolo!

I'm very new to this part of Event Management, do you know how we can test Inbound email actions event rules?

 

I think i'll be able to manage the rest after that.

0 Helpfuls

Go to solution
robertgeen
Tera Guru

‎01-31-2019 05:53 AM

So in order to do what you want to do you need to do the following:

Enable inbound email capabilities if they aren't turned on already

Setup a inbound notification action (as you already have) and lock it down to a specific user or email address (so only that email address assigned to the user will match it)

In your inbound notification action you need to make sure that you set the Time of Event field (it may be called initial time of event) to whatever time the email was received at. This is SUPER important as the email pickup job only runs every 2 minutes I believe and if you have a bunch of severity messages followed by clears it will not process right when they get put in the event table (e.g. the clear may get processed before the severity setter because all emails of the last 2 minutes would get picked up and parsed at the same time and the create time would be as if they all happened at the same time).

Your inbound notification should translate the body and subject and create an em_event entry that has node, description, type, and severity set. If you have these basic things set then you won't need an event rule to create an alert.

Once this is done you will need an alert action rule with a filter that matches that alert to auto open the incident. You may need to modify the out of the box customincidentpopulator or use a integration hub flow (depending on the version you are on) to set the fields you want to set on the incident if they don't set correctly out of the box.

I hope this helps and if it does please mark an answer as correct. Thanks!