Event Management - OK/Clear Events Generating New Alerts
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-07-2024 07:05 AM
Previously for incoming sources we had our Event Resolution State set to "Closing" in order to auto-close the alert on OK. We recently tried to update this to prevent the alert from auto-closing so that the incident resolution itself can close the alert.
It seems that our change now allows OK/Clear events to generate new alerts by themselves (why the source systems are sending OKs without a critical is still under investigation) ... where prior when set to "Closing" these events did not create alerts.
So the question is - how can we allow incoming OK events to update the status of an existing alert, but at the same time not create a new alert if it is the first event? It seems strange that ServiceNow creates the new alert, but I understand possibly for different use cases/etc.
What we've tried so far ...
Setting Event resolution_state to "New"
Setting Event resolution_state to "Clear" (found in some OOTB connector scripts)
I've dug all around and I can't find existing OOTB functionality to handle this scenario. Any insights?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-07-2024 07:38 AM
Hi @CoryJ,
Are the message keys for both events the same?
This is used to relate the different event to the same alert.
Michael
Please mark the suggestion as helpful/like, if you find it useful to you or others who wants to refer similar content.
Please mark the solution as correct, if the answer provided has resolved your query.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-07-2024 07:45 AM
Hey @Michael de Boer - yep message keys are the same, and changing the resolution state to New or Clear works to update the status on existing alerts.
Sometimes we will get an OK without a prior matching Critical, which is the root cause of this issue. We're attempting to fix those sources, but I was thinking there may be a solution on the SN side.