Delay Incident creation using Alert Rule

dbehnood
Tera Expert

Let me preface this discussion by stating that we create an Incident for ALL Alerts currently. This has led to a large number of Incidents that auto-close themselves in less than 10 minutes (before most of our support groups can even assign them to an 'Assigned to'). A customer introduced a very specific use case to try and counter this: They would like to wait xx minutes after the Alert has been raised prior to automatically opening an Incident.

After meeting with ServiceNow, we were informed that this should be achievable using the following filter criteria on an Alert Rule: <<Date/Time field>> relative on or after 5 minutes


I have tried using the 'Created', 'Initial event time', 'Last event time' fields with the 'Relative on or after' and 'Relative on or before' operators, and have been unsuccessful in delaying the creation of the Incident from the Alert Rule. I also played around with switching 'ago' to 'before now' - all with NO SUCCESS.

For those where the rule leveraged a 'Relative on or after' operator, the system immediately created the Incident and associated it to the Alert record seconds after creating the Alert. Conversely, for those where I used the 'Relative on or before' operator, the system NEVER created the Incident - only the Alert.

Has anybody else had a similar use case, and come up with a working solution using either Alert Rules or a custom script?


Chetan5
Kilo Contributor
Hi dbehnood,
 
By any chance, do you have this working? Even I am looking for a solution to delay auto-creating an incident.
 
Thanks
-CB

 

Hey CB,

 

There is no way to do this within rules out of the box, I am afraid. I do have a custom script that was given to me by a SNOW engineer; however, it is a heavy-handed approach. It requires that you delay for ALL alerts, rather than specifying those for specific Types, Nodes, etc.

I am sure it could be modified to include more criteria, but it is not something we felt comfortable implementing and owning through future upgrades. I can't believe the concept of a "dwell period" is not on ServiceNow's roadmap - all competing products include it.

 

-Dom

Chetan5
Kilo Contributor

Hi Dom,

Thanks for your inputs. I hope SNOW will support it in a future release.

-CB

Hi CB,

You can try to achieve this using workflow remediation:

We can create a task/run script to create the Incident and add a wait-for condition for that specific time, after which the incident will be created.

  • Create a workflow that uses the em_remediation_task table
  • Add a workflow Create Task (or Run Script) activity to create an Incident. Although you can use a Task Template in a Create Task activity, you'll likely need to use a script to populate some of the Task fields (e.g. Alert Description -> Incident Short Description)
  • Add a wait-for condition.
  • Using the existing Alert Rule, clear the Overwrite alert template field and uncheck the Auto-open checkbox on the Actions tab.
  • In the Remediation tab, check the Enable remediation checkbox, set Execution to Automatic and select the Orchestration workflow you created.

 

Hit helpful/correct on the impact of the answer.

 

Warm Regards,

Kiran Salunkhe

Engineer


www.DxSherpa.com
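
The dwell-period decision that the wait-for condition and Run Script step described above would have to make, as an added example that is not part of the original thread and is not ServiceNow code. It is plain JavaScript over constructed alert objects; the field names (`state`, `incident`, `description`, `created`), the function names and the 10-minute default are assumptions for illustration, not the actual alert table schema.

```javascript
// Added example: dwell-period logic modelled outside ServiceNow.
// Alert objects and their field names are constructed for illustration.
const DWELL_MINUTES = 10; // assumed default; the thread only says "xx minutes"

// Decide what to do with one alert at time `now` (milliseconds since epoch).
function dwellDecision(alert, now, dwellMinutes = DWELL_MINUTES) {
  if (alert.incident) return 'skip';               // already linked to an incident
  if (alert.state === 'Closed') return 'suppress'; // self-cleared, never ticketed
  const ageMs = now - alert.created;
  if (ageMs < dwellMinutes * 60 * 1000) return 'wait'; // still inside the dwell window
  return 'open_incident';                          // still open after the dwell period
}

// Build incident payloads for every alert that outlived the dwell period.
function incidentsToOpen(alerts, now, dwellMinutes = DWELL_MINUTES) {
  return alerts
    .filter((a) => dwellDecision(a, now, dwellMinutes) === 'open_incident')
    .map((a) => ({
      short_description: a.description, // Alert Description -> Incident Short Description
      alert_number: a.number,
    }));
}

// Constructed sample data: four alerts raised around the same time.
const T0 = Date.UTC(2024, 0, 1, 12, 0, 0);
const minutes = (n) => n * 60 * 1000;
const sampleAlerts = [
  { number: 'Alert0001', description: 'CPU high on node-a', state: 'Open', created: T0, incident: null },
  { number: 'Alert0002', description: 'Ping loss on node-b', state: 'Closed', created: T0, incident: null },
  { number: 'Alert0003', description: 'Disk full on node-c', state: 'Open', created: T0 + minutes(8), incident: null },
  { number: 'Alert0004', description: 'Service down on node-d', state: 'Open', created: T0, incident: 'INC0000001' },
];

// Evaluated 12 minutes after T0: only Alert0001 is old enough and still open.
console.log(incidentsToOpen(sampleAlerts, T0 + minutes(12)));
```

The check has to run again after the wait rather than once when the alert is created, so that alerts which closed themselves during the wait are never ticketed.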