Duplicate alert created - Alert clustering definition

Madhan27
Mega Guru

Hi Community,

 

I would appreciate your guidance in the Event Management space. I triggered 3 alerts with the same node. They were tagged with the alert clustering tag "Groups alert with same node", and the 3 alerts were grouped; the earliest and highest priority alert becomes the parent alert and an incident is created for that.

 

Along with the 3 incidents, somehow it is creating a 4th alert because of the grouping, making it the primary alert, and an incident was created for this.

 

So in this group we can see two incidents created: one incident for the secondary and one for the primary.

[image attachment: Madhan27_0-1754680096171.png]

ASK: I don't want the extra primary alert to be created, other than the alerts which I created.

TIA
#Eventmanagement #AlertGrouping #ClusteringDefinitions #ITOM


@Madhan27 You mean the Alert Clustering itself shouldn't happen? This is driven by the tag-based Alert Clustering Definition (sn_em_tbac_alert_clustering_definitions). Here there are definitions to cluster all the alerts raised for the same node in the last 10 min (this is OOB - Group alerts with the same Node).

If you are not looking for this, please explain your ask clearly.

AJ-TechTrek
Giga Sage

Hi @Madhan27 ,

 

As per my understanding, the below might help you.

 

Why You’re Getting the Extra Primary Alert


When you use an Alert Correlation / Clustering rule like "Groups alert with same node":
* ServiceNow creates a group container alert (often tagged with Group Alert) to serve as the parent.
* The original alerts you triggered become secondary alerts in that group.
* That “Group Alert” is a new alert record, not one of your original three.
* Since your Create Incident rule is firing on primary alerts (including the Group Alert), an incident is created for both:
1. The Group Alert (primary)
2. The earliest/highest-priority secondary alert (if it was also eligible).
This is why you’re ending up with two incidents for the same group.

How to Stop the Extra Primary Incident


You need to exclude Group Alerts from Incident creation.


Option 1 — Update the Create Incident Rule Condition
* Edit the Alert Action Rule (or Incident Creation rule) in Event Management.
* Add a condition to exclude group/parent alerts, for example:
AND [Alert tag] != Group Alert
or
AND [alert_type] != 'Group'
* This ensures incidents are only created for your original incoming alerts.

 

Option 2 — Change the Grouping Logic
If you want the first incoming alert to become the parent (instead of creating a synthetic “Group Alert”):
* Switch from Clustering to Correlating in the Alert Management Rule.
* Correlation rules can merge alerts without generating a new synthetic alert record.
* Downside: you lose the nice “group container” in the UI.

 

Option 3 — Keep the Group Alert, but Disable Its Incident Creation
* Keep your grouping rule as-is.
* Create two Create Incident rules:
1. One that excludes Group Alert tag (for original alerts).
2. One specifically for Group Alert that does nothing (stops incident creation).

 

Recommended Fix as per my experience -
Since you specifically said "I don’t want the extra primary alert to be created other than the alerts which I created", the fastest way is:
1. Go to Event Management → Alert Action Rules (or Incident Creation rule).
2. Edit the condition:
[Tag] != "Group Alert"
3. or
[Correlation ID] IS EMPTY
4. Save and test by triggering your 3 alerts again — you should get:
* 1 Incident (from the earliest/highest-priority original alert)
* 3 alerts in the group
* No extra incident from the synthetic group alert

 

Please appreciate the efforts of community contributors by marking the appropriate response as Helpful or Accept Solution; this may help other community users follow the correct solution in future.
 

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
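To make the behaviour described in the answer above concrete, here is a plain-JavaScript model of the clustering step and the two incident-creation rule conditions (the current rule versus the rule with the Group Alert exclusion). This is an added example, not ServiceNow code and not code from either poster; the alert fields (number, node, priority, created, tags, type, primary, parent), the numbering of the synthetic container alert and the simplified clustering logic are assumptions that mirror what the thread describes, and the three input alerts are constructed sample data.

```javascript
// Added example: a plain-JavaScript model of the incident-creation rule discussed
// above. Not ServiceNow code; field names and the clustering step are assumptions
// that mirror the behaviour described in the thread.

// Constructed sample input: the three alerts the poster raised on one node.
// Lower priority number = higher priority; "created" is a simple ordering key.
const ORIGINAL_ALERTS = [
  { number: "Alert0001", node: "srv01", priority: 3, created: 1, tags: [], type: "Normal" },
  { number: "Alert0002", node: "srv01", priority: 1, created: 2, tags: [], type: "Normal" },
  { number: "Alert0003", node: "srv01", priority: 2, created: 3, tags: [], type: "Normal" },
];

// Model of the "Group alerts with the same Node" clustering definition:
// alerts on the same node are grouped, the highest-priority/earliest one is
// marked primary among the originals, and a synthetic group container alert
// (tagged "Group Alert", type "Group") is created as the parent of the group.
function clusterByNode(alerts) {
  const byNode = new Map();
  for (const a of alerts) {
    if (!byNode.has(a.node)) byNode.set(a.node, []);
    byNode.get(a.node).push({ ...a, tags: [...a.tags], primary: false, parent: null });
  }
  const result = [];
  let seq = alerts.length; // assumed numbering for the synthetic alert
  for (const [node, group] of byNode) {
    const lead = [...group].sort((x, y) => x.priority - y.priority || x.created - y.created)[0];
    lead.primary = true;
    const container = {
      number: `Alert${String(++seq).padStart(4, "0")}`,
      node,
      priority: lead.priority,
      created: lead.created,
      tags: ["Group Alert"],
      type: "Group",
      primary: true,
      parent: null,
    };
    for (const a of group) a.parent = container.number;
    result.push(container, ...group);
  }
  return result;
}

// Rule conditions. The first is the poster's current rule (fires on every
// primary alert); the second adds the exclusion the answer recommends
// ([Alert tag] != Group Alert / [alert_type] != 'Group').
const firesOnPrimary = (a) => a.primary;
const firesOnPrimaryNotGroup = (a) =>
  a.primary && !a.tags.includes("Group Alert") && a.type !== "Group";

// Apply a rule condition and return the numbers of the alerts that would get an incident.
function incidentsFor(alerts, condition) {
  return alerts.filter(condition).map((a) => a.number);
}

const clustered = clusterByNode(ORIGINAL_ALERTS);
console.log("current rule:", incidentsFor(clustered, firesOnPrimary));         // two incidents: group alert + lead original
console.log("fixed rule:  ", incidentsFor(clustered, firesOnPrimaryNotGroup)); // one incident: lead original only
```

Running the block shows the symptom from the question (two incidents, one of them for the synthetic container alert) and then the single incident that remains once the condition excludes group alerts, while the three original alerts still sit under the container as their parent.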