Event Management - OK/Clear Events Generating New Alerts

CoryJ · ‎03-07-2024

Previously for incoming sources we had our Event Resolution State set to "Closing" in order to auto-close the alert on OK. We recently tried to update this to prevent the alert from auto-closing so that the incident resolution itself can close the alert.

It seems that our change now allows OK/Clear events to generate new alerts by themselves (why the source systems are sending OKs without a critical is still under investigation) ... where prior when set to "Closing" these events did not create alerts.

So the question is - how can we allow incoming OK events to update the status of an existing alert, but at the same time not create a new alert if it is the first event? It seems strange that ServiceNow creates the new alert, but I understand possibly for different use cases/etc.

What we've tried so far ...

Setting Event resolution_state to "New"

Setting Event resolution_state to "Clear" (found in some OOTB connector scripts)

I've dug all around and I can't find existing OOTB functionality to handle this scenario. Any insights?

Michael de Boer · ‎03-07-2024

Hi @CoryJ,

Are the message keys for both events the same?
This is used to relate the different event to the same alert.

Regards,
Michael

Please mark the suggestion as helpful/like, if you find it useful to you or others who wants to refer similar content.
Please mark the solution as correct, if the answer provided has resolved your query.

CoryJ · ‎03-07-2024

Hey @Michael de Boer - yep message keys are the same, and changing the resolution state to New or Clear works to update the status on existing alerts.

Sometimes we will get an OK without a prior matching Critical, which is the root cause of this issue. We're attempting to fix those sources, but I was thinking there may be a solution on the SN side.