Hi,

As was already mentioned, the message_key is the Alert key attribute and determines uniqueness. When a new event is processed, if an alert with a matching message_key value is there, it will get updated. Otherwise a new alert will be created.

If the message key field of the event is empty, you can build your own using event rules or count on Service Now to build one for you (using an OOB business rule called "Add message key if missing"). This rule creates message key from the values of the fields below:

<source>_<node>_<type>_<resource>

I have also noticed an issue in one of our customer's implementations where a value was being mapped by a custom rule to the alert's "category" field. This resulted in some alerts being created from new events with the same message key value as already open alerts. The category field value should remain as it is ('default)'. At least this was the case on Istanbul and Jakarta. Haven't had a chance to test that on newer versions.

I hope that helps 🙂

Cheers,

Alex