Event Management - Auto Close Alerts

Jonny Lord · ‎11-29-2018

Hi Community,
Forgive the newb question please 🙂

We have just had Service Now Kingston installed and have various stream of the implementation project working in tandem. I currently have the event mgmt stream and have a question that i cannot work out the answer to.

I have successfully configured Service Now to receive events from Orion Solar winds and OEM.
Issue
Orion sends an event in that says 'SERVER XYZ has stopped responding' that is then raising an alert in the console.
The events state then changes to Processed.

SERVER XYZ is then rebooted and an event is received into ServiceNow saying 'SERVER XYZ Rebooted @ 10PM'
AND/OR
10 minutes later, a new event is received in ServiceNow to say 'SERVER XYZ is responding again'

How do i tie that back to the Open Alert in the Console that then auto closes and clears it once the reset has been received or once the device is responding again?

My Alert console is littered with open Alerts where resets and devices back online events were received days ago.
Hope that makes sense!
Thanks

robertgeen · ‎11-29-2018

Hello Jonny,

There are 2 ways to do this. The first thing you need to understand that if the monitoring source is sending a clear message then what matters is that the message_key that is generated matches on the alert that is already there and it should auto close it. Out of the box if you aren't setting a message key it will concatenate Source, Type, Node, Resource, and Metric Name to make one. The second thing that can be done is if it doesn't typically send a clear but resets back to info or something and there is another attribute which dictates that it's resolved then you can have the monitoring endpoint set the Resolution_state attribute on the event to Closing and this will auto close the alert it matches too.

Hope this helps :).

View solution in original post

stevemacamway · ‎11-29-2018

(This does not specifically respond to Ops original question, but I'm looking for clarification on something Robert Green mentioned in his first response.)

@Robert: Regarding this:

The second thing that can be done is if it doesn't typically send a clear but resets back to info or something and there is another attribute which dictates that it's resolved then you can have the monitoring endpoint set the Resolution_state attribute on the event to Closing and this will auto close the alert it matches too.

Could the 'other attribute' be used in an Event Field Mapping with the other attribute mapped to the appropriate severity values?

Steve

robertgeen · ‎11-29-2018

That is a great question. I have never done it but honestly I dont see why not. It all depends in the backend code and whether those rules would run before the resolution state check. Give it a shot!

stevemacamway · ‎11-29-2018

Thanks Robert!

(And sorry about getting your name wrong...)

Steve

robertgeen · ‎11-29-2018

It's all good my friend. You can make up for it by marking my post helpful 😉

stevemacamway · ‎11-29-2018

(This does not specifically respond to Ops original question, but I'm looking for clarification on something Robert Green mentioned in his first response.)

@Robert: Regarding this:

The second thing that can be done is if it doesn't typically send a clear but resets back to info or something and there is another attribute which dictates that it's resolved then you can have the monitoring endpoint set the Resolution_state attribute on the event to Closing and this will auto close the alert it matches too.

Could the 'other attribute' be used in an Event Field Mapping with the other attribute mapped to the appropriate severity values?

Steve