Delay Incident creation using Alert Rule

dbehnood
Tera Expert

‎12-20-2017 09:34 AM

Let me preface this discussion by stating that we create an Incident for ALL Alerts currently. This has led to a large number of Incidents that auto-close themselves in less than 10 minutes (before most of our support groups can even assign them to an 'Assigned to'). A customer introduced a very specific use case to try and counter this: They would like to wait xx minutes after the Alert has been raised prior to automatically opening an Incident.

After meeting with servicenow, we were informed that this should be achievable using the following filter criteria on an Alert Rule: <<Date/Time field>> relative on or after 5 minutes

find_real_file.png

I have tried using the 'Created', 'Initial event time', 'Last event time' fields with the 'Relative on or after' and 'Relative on or before' operators, and have been unsuccessful in delaying the creation of the Incident from the Alert Rule. I also played around with switching 'ago' to 'before now' - all with NO SUCCESS

For those where the rule leveraged a 'Relative on or after' operator, the system immediately created the Incident and associated it to the Alert record seconds after creating the Alert. Conversely, for those where I used the 'Relative on or before' operator, the system NEVER created the Incident - only the Alert.

Has anybody else had a use case similar, and come up with a working solution using either Alert Rules or a custom script?

Labels:
Preview file
10 KB
  • 3,004 Views
7 REPLIES 7

Chetan5
Kilo Contributor
In response to Kiran7

‎07-17-2018 03:07 AM

Hey Kiran,

I will try this on dev instance and let's see how it goes.

Thanks,

-CB

0 Helpfuls

sowmyaprabhakar
Tera Contributor

‎01-18-2025 07:49 PM

I have a similar use case. Did anyone attempted to resolve this. Any past experiences are highly appreciated 

0 Helpfuls

Jeff K1
Kilo Guru

‎01-20-2025 06:11 AM

If it's something that you get multiple events for over a period of time, I'd look at thresholding in the event rule level.

While it is an interesting idea to attempt it at the alert management level based on created or updated time like you've attempted; I'm going to guess that fails you because the alert won't attempt to trigger another alert management rule until it is updated. So your initial not creating an incident immediately works, but then the alert would need to keep being updated until the time gets beyond your trigger.

I'd say adjusting your flow is your best bet to add a wait and recheck the if the alert is closed. But if you really don't want to create a pass-through flow that looks for your exceptions, you can also look at a business rule.

0 Helpfuls