Creating alerts from Events and Incidents from Alerts

Fares1
Kilo Expert

Hello!

I have to put in place a system of Incident creation based on Inbound Email Actions.
I managed to create an Event rule that creates events according to the conditions put in place by the customer; however, I can't see where I can create an "alert rule" that creates alerts when these kinds of events are created.

I think Alert Management rules can create incidents but my main issue is the Event rule - Alert rule correlation.


Thanks in advance,
Fares K.

1 ACCEPTED SOLUTION

Gianpaolo Pagan
ServiceNow Employee

Hi Fares,


If you have events that are properly populated, with all the key fields correctly set, then Alerts are automatically created.

Then you have to make sure you have the message key field properly and consistently populated, so that alerts can be updated when new update events come in (see this post).

Are you seeing no value in the alert field for the events you are getting?


Gp


3 REPLIES


Thanks for your answer Gianpaolo!

I'm very new to this part of Event Management. Do you know how we can test Inbound email action event rules?


I think I'll be able to manage the rest after that.

robertgeen
Tera Guru

So, in order to do what you want to do, you need to do the following:

Enable inbound email capabilities if they aren't turned on already.

Set up an inbound notification action (as you already have) and lock it down to a specific user or email address (so only the email address assigned to that user will match it).

In your inbound notification action you need to make sure that you set the Time of Event field (it may be called Initial time of event) to whatever time the email was received at. This is SUPER important, as the email pickup job only runs every 2 minutes, I believe, and if you have a bunch of severity messages followed by clears it will not process right when they get put in the event table (e.g. the clear may get processed before the severity setter, because all emails of the last 2 minutes get picked up and parsed at the same time and the create time would be as if they all happened at the same time).

Your inbound notification should translate the body and subject and create an em_event entry that has node, description, type, and severity set. If you have these basic things set, then you won't need an event rule to create an alert.

Once this is done you will need an alert action rule with a filter that matches that alert to auto-open the incident. You may need to modify the out-of-the-box customincidentpopulator or use an Integration Hub flow (depending on the version you are on) to set the fields you want to set on the incident, if they don't get set correctly out of the box.

I hope this helps and if it does please mark an answer as correct. Thanks!
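Added example (not code from the thread or from ServiceNow): the mapping step robertgeen describes, written as plain JavaScript that turns an inbound alert e-mail into the em_event fields (node, type, severity, description, message_key, time_of_event), using the e-mail's received time so that a CLEAR and the MAJOR it clears still sort correctly even when the same 2-minute pickup batch delivers them out of order. The subject format `<node> <type> <SEVERITY>` and the source name are constructed assumptions; the field names follow the em_event table.

```javascript
// em_event severity scale: 0 = Clear, 1 = Critical ... 5 = Info.
const SEVERITY = { CRITICAL: 1, MAJOR: 2, MINOR: 3, WARNING: 4, INFO: 5, CLEAR: 0 };

// Format a Date as "yyyy-MM-dd HH:mm:ss" (UTC), the form em_event.time_of_event expects.
function formatEventTime(date) {
  return date.toISOString().replace('T', ' ').slice(0, 19);
}

// Build the em_event field set from one e-mail. Returns null when the subject does
// not match the assumed "<node> <type> <SEVERITY>" layout, so unrelated mail is skipped
// instead of producing a half-populated event that never becomes an alert.
function emailToEvent(subject, bodyText, receivedAt) {
  const m = /^(\S+)\s+(\S+)\s+(CRITICAL|MAJOR|MINOR|WARNING|INFO|CLEAR)\s*$/i.exec(subject.trim());
  if (!m) return null;
  const [, node, type, sevWord] = m;
  return {
    source: 'Inbound Email',              // constructed source name
    node: node,
    type: type,
    severity: SEVERITY[sevWord.toUpperCase()],
    description: bodyText.trim(),
    // Same key for every mail about the same node/type, so later events update the
    // existing alert (and a CLEAR closes it) instead of opening a new one each time.
    message_key: `email:${node}:${type}`,
    // Received time, not the moment the pickup job parsed the batch.
    time_of_event: formatEventTime(new Date(receivedAt)),
  };
}

// Order events by time_of_event so a CLEAR received after a MAJOR is processed after it.
function orderEvents(events) {
  return events.slice().sort((a, b) => a.time_of_event.localeCompare(b.time_of_event));
}

// Constructed sample batch, in the (wrong) order a 2-minute pickup might hand it over.
const SAMPLE_MAILS = [
  { subject: 'web01 disk_usage CLEAR', body: 'Disk usage back to 61%', received: '2024-03-01T10:01:40Z' },
  { subject: 'web01 disk_usage MAJOR', body: 'Disk usage 93% on /var', received: '2024-03-01T10:00:05Z' },
  { subject: 'Re: lunch?', body: 'no', received: '2024-03-01T10:00:30Z' },
];

// Parse the batch, drop non-matching mail, and return the events in send order.
function processBatch(mails) {
  const events = mails.map(m => emailToEvent(m.subject, m.body, m.received)).filter(Boolean);
  return orderEvents(events);
}
```

Inside the real inbound email action the returned fields would be copied onto an em_event record; the parsing and ordering logic is what this example exercises.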