Event Management – Correlation Behavior After 7 Days

Pranita Bahugun
Giga Guru

Hello all,

We have a requirement to update Event Management integration so that events should no longer correlate to an existing alert once 7 days have passed since the alert was opened. Instead, a new alert should be created, the previous alert should be closed, and the related incident ticket should be updated with a hyperlink to the newly created alert.

Has anyone implemented this type of correlation logic before? Specifically:

  • Which Event Management property or configuration should be used to enforce the 7‑day threshold?

  • How can we automatically close the old alert and update the incident with a link to the new alert?

  • Are there recommended best practices or scripts for handling this scenario?

Any guidance or examples from your implementations would be greatly appreciated.

1 REPLY

Naveen20
ServiceNow Employee

Properties to Set

  • evt_mgmt.active_interval → 1 (1 second) — ensures a new alert is created immediately after the old one is closed, rather than reopening it
  • evt_mgmt.alert_reopens_incident → Create new incident — so the new alert gets its own incident
  • evt_mgmt.alert_auto_close_interval → leave at 168 (default 7 days) for idle alerts

Custom Scheduled Job 

Since OOB properties only handle idle/closed alerts, create a scheduled job that runs hourly to force-close any open alert older than 7 days based on sys_created_on:

 
 
javascript
var alert = new GlideRecord('em_alert');
alert.addEncodedQuery('stateNOT IN3,4^sys_created_on<javascript:gs.daysAgoStart(7)');
alert.query();
while (alert.next()) {
    // Capture incident ref before closing
    var incidentId = alert.getValue('incident');
    
    alert.setValue('state', '4'); // Closed
    alert.work_notes = 'Auto-closed: exceeded 7-day correlation threshold.';
    alert.update();
    
    // Update incident with note (new alert link added via BR below)
    if (incidentId) {
        var inc = new GlideRecord('incident');
        if (inc.get(incidentId)) {
            inc.work_notes = 'Alert ' + alert.getDisplayValue('number') + 
                ' closed after 7-day threshold. New alert will be linked upon creation.';
            inc.update();
        }
    }
}

Business Rule on em_alert (after insert):

When the next event creates a new alert, link it back to the old incident:

 
javascript
var oldAlert = new GlideRecord('em_alert');
oldAlert.addQuery('message_key', current.getValue('message_key'));
oldAlert.addQuery('state', '4');
oldAlert.addQuery('sys_id', '!=', current.getUniqueValue());
oldAlert.orderByDesc('sys_updated_on');
oldAlert.setLimit(1);
oldAlert.query();
if (oldAlert.next() && oldAlert.getValue('incident')) {
    var inc = new GlideRecord('incident');
    if (inc.get(oldAlert.getValue('incident'))) {
        inc.work_notes = 'New alert created: [code]<a href="em_alert.do?sys_id=' +
            current.getUniqueValue() + '">' + current.getDisplayValue('number') + '</a>[/code]';
        inc.update();
    }
}

OOB properties handle the "after close" behavior, the scheduled job enforces the 7-day hard ceiling on open alerts, and the business rule stitches the incident trail together. Test in sub-prod first — especially the timing between the scheduled job closing the alert and the next event arriving.
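
The timing between the hourly job and the next event, mentioned at the end of the reply above, can be explored offline with a small model. This is an added example in plain JavaScript for Node, not the poster's code and not ServiceNow API code; it assumes events correlate to a non-closed alert by message_key and that closed alerts are never reopened, and the alert numbers, incident id and open state '1' are constructed.

```javascript
// Plain-JavaScript model of the flow in the reply (no ServiceNow APIs).
// State '4' is the Closed value used in the reply's scripts; '1' is a
// constructed stand-in for any open state.
const DAY = 24 * 60 * 60 * 1000;
const MIN = 60 * 1000;
const THRESHOLD = 7 * DAY;

function createModel() {
  const alerts = [];        // {number, message_key, state, created, incident}
  const incidentNotes = {}; // incident id -> list of work notes
  const note = (inc, text) => (incidentNotes[inc] = incidentNotes[inc] || []).push(text);

  // Scheduled job: force-close open alerts created more than 7 days ago.
  function runJob(now) {
    for (const a of alerts) {
      if (a.state !== '4' && now - a.created > THRESHOLD) {
        a.state = '4';
        if (a.incident) note(a.incident, `Alert ${a.number} closed after 7-day threshold.`);
      }
    }
  }

  // Event processing, followed by the after-insert linking step.
  function processEvent(messageKey, now) {
    const open = alerts.find(a => a.message_key === messageKey && a.state !== '4');
    if (open) return { alert: open, created: false }; // correlates to existing alert
    const old = alerts.filter(a => a.message_key === messageKey && a.state === '4').pop();
    const fresh = { number: `ALERT-${alerts.length + 1}`, message_key: messageKey,
                    state: '1', created: now, incident: null };
    alerts.push(fresh);
    if (old && old.incident) note(old.incident, `New alert created: ${fresh.number}`);
    return { alert: fresh, created: true };
  }
  return { alerts, incidentNotes, runJob, processEvent };
}

// Constructed timeline: alert opened at t=0, job runs at 6d23h30m and 7d0h30m.
function demo() {
  const m = createModel();
  const first = m.processEvent('cpu:host1', 0).alert;
  first.incident = 'INC_A';                          // constructed incident id
  m.runJob(7 * DAY - 30 * MIN);                      // alert is not yet 7 days old
  const late = m.processEvent('cpu:host1', 7 * DAY + 10 * MIN);
  m.runJob(7 * DAY + 30 * MIN);                      // next hourly run closes it
  const next = m.processEvent('cpu:host1', 7 * DAY + 40 * MIN);
  return { lateCorrelated: !late.created, newAlert: next.alert.number,
           notes: m.incidentNotes.INC_A };
}
```

In this model, demo() shows an event arriving ten minutes past the 7-day mark still correlating to the old alert because the hourly job has not yet run; only the event after the next run produces a new alert and the incident note.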