Event Management - Disable Correlation for specific source

Jeffreys Quinti
Tera Contributor

Hi ServiceNow community,

In our environment we have Event Management with CMDB and Automated alert correlation activated.

We have a specific use case: for a specific Alert source, we do not want to correlate alerts. More precisely:

- We have Events that come in for automated jobs that fail to execute and need human intervention.
- These events are bound to the same CI, for example a node.
- We would like to have 1 Task opened for each failed job.

The issue is:

- In some cases multiple jobs have failed and need individual attention.
- Alerts are correlated together and open 1 ticket linked to a GROUP alert.
- This creates confusion with users, as it's not clear multiple jobs have failed unless you drill down into the group alert and the secondary alerts.


I'd like to know if there's a way to disable alert correlation for a specific source? I've tried using alert correlation rules, but to no avail.

Best regards,
Jeff

2 REPLIES

AJ-TechTrek
Giga Sage

Hi @Jeffreys Quinti,

You can create a custom Alert Correlation rule; refer to the links below, which might help.

https://docs.servicenow.com/bundle/washingtondc-it-operations-management/page/product/event-manageme...

https://docs.servicenow.com/bundle/vancouver-it-operations-management/page/product/event-management/...

Please appreciate the efforts of community contributors by marking the appropriate response as "Mark my Answer Helpful" or "Accept Solution"; this may help other community users to follow the correct solution in future.

Thanks

AJ

Linkedin Profile:- https://www.linkedin.com/in/ajay-kumar-66a91385/

Hi Ajay,

Yes, I've tried to create a custom Alert Correlation rule, which, based on its filter, would return only the primary alert to avoid correlation. This does not seem to work, as it does not seem to run.

Can you show me an example ACR script that would disable alert correlation?

Thanks