
event mgt

AnimeshP_96
Kilo Sage

The requirement is: if 3 alerts are created in ServiceNow, the first should be the parent and the remaining 2 will be children. I don't want to use primary and secondary, and source and severity are handled in configuration.
I want to group them all together using alert grouping; the first should be the parent and the other 2 children.

(function findCorrelatedAlerts(currentAlert) {

    var table = "em_alert";
    var storeID = [];   // sys_ids of the candidate alerts, oldest first
    var parent = "";    // sys_id of the alert that should become the parent
    var result = {};

    // Candidate alerts: not yet parented, matching the current alert on the
    // criteria described in this thread (same CI, source and severity) and
    // not Closed. Ordered by creation time so the first row is the oldest.
    var alertGr = new GlideRecord(table);
    alertGr.addNullQuery("parent");
    alertGr.addQuery("cmdb_ci", currentAlert.cmdb_ci);
    alertGr.addQuery("source", currentAlert.source);
    alertGr.addQuery("severity", currentAlert.severity);
    alertGr.addQuery("state", "!=", "Closed");
    alertGr.orderBy("sys_created_on");
    alertGr.setLimit(3);
    alertGr.query();
    while (alertGr.next()) {
        storeID.push(alertGr.getUniqueValue());
    }
    gs.info("findCorrelatedAlerts: candidates " + storeID.join(","));

    // Group only when exactly 3 matching alerts exist; the oldest one
    // (not the current, newest alert) is the parent, the other 2 are children.
    if (storeID.length === 3) {
        parent = storeID[0];
    }
    gs.info("findCorrelatedAlerts: parent " + parent);

    // Same return shape as the original script: a JSON string whose
    // 'parent' entry lists the parent sys_id (empty when not grouping).
    result = {
        'parent': parent ? [String(parent)] : []
    };

    return JSON.stringify(result);

})(currentAlert);

Please, can someone help me with where I am going wrong?

In the picture below it is creating a new alert instead of making 607 the parent.
[screenshot: AnimeshP_96_0-1762176452983.png]



Please accept the solution /mark this response as correct or helpful if it assisted you with your question.




Regards,
Animesh
1 ACCEPTED SOLUTION

As of now I am just doing grouping of alerts. Let's say 3 events or alerts are created in the system from Postman or REST API Explorer as ALARM POST HTTP; the rule should group based on the same CI node, source and severity, and state not Closed. @Kieran Anson
4 REPLIES

Kieran Anson
Kilo Patron

Hi,

Your correlation rule doesn't currently filter on the em_alert table fully, so it won't necessarily capture the records you're wanting. Do the secondary alerts you have identified have some commonality with the primary? E.g. does the additional_info field contain a key:value that could be used to identify the other alert records?

AnimeshP_96
Kilo Sage

Actually, I am new to these Event Management alert rules. This is how it is expected to work: as of now alerts should not group if there are more than 4 records. Also it is picking up another rule; my rule is not working...

[screenshot: AnimeshP_96_0-1762237063760.png]

So I am not sure why the other rule is taking precedence; it should show my rule in the activities/work notes shown above.

As of now I am not using primary and secondary, just alert grouping: if there are 3 incoming alerts, group them, else don't group them. Also my rule should show its name in the activities work notes, but right now it is picking up some other rule which is matching.


Hi,


When you say 3 alerts, in alert management you would need to be more specific: is it 3 events within a certain amount of time, or is there some sort of relationship between the 3 events that can be used to group them, such as the CI, the event ID, or a parameter passed in the event payload?

As of now I am just doing grouping of alerts. Let's say 3 events or alerts are created in the system from Postman or REST API Explorer as ALARM POST HTTP; the rule should group based on the same CI node, source and severity, and state not Closed. @Kieran Anson
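The grouping decision described in the question (oldest of 3 matching alerts becomes the parent, the other 2 become children, no grouping otherwise) and the matching criteria from the accepted reply (same CI, source, severity, state not Closed) can be checked outside the platform with an in-memory stand-in for the em_alert query. The following is an added example, not code from the original post or from ServiceNow: GlideRecord is replaced by a plain array filter, the field names mirror em_alert (`sys_id`, `cmdb_ci`, `source`, `severity`, `state`, `parent`, `sys_created_on`), and the alert records are constructed sample data. It also shows why returning the current alert's sys_id, as the original script did, picks the newest alert rather than the first one.

```javascript
// Added example: an in-memory model of the correlation script's decision.
// `alerts` stands in for the em_alert table; nothing here touches ServiceNow.

// Query stand-in: unparented alerts matching the current alert on CI, source
// and severity, not Closed, oldest first, limited to `limit` rows (mirrors
// addNullQuery/addQuery/orderBy/setLimit in the platform script).
function queryCandidates(currentAlert, alerts, limit) {
  return alerts
    .filter(a => !a.parent)
    .filter(a => a.cmdb_ci === currentAlert.cmdb_ci)
    .filter(a => a.source === currentAlert.source)
    .filter(a => a.severity === currentAlert.severity)
    .filter(a => a.state !== "Closed")
    .sort((a, b) => a.sys_created_on.localeCompare(b.sys_created_on))
    .slice(0, limit);
}

// Correlation decision, returning the same shape the thread's script uses:
// a JSON string with a `parent` list. Group only when exactly 3 matching
// alerts exist; the oldest becomes the parent (the current alert is the newest).
function findCorrelatedAlerts(currentAlert, alerts) {
  const candidates = queryCandidates(currentAlert, alerts, 3);
  const parent = candidates.length === 3 ? [candidates[0].sys_id] : [];
  return JSON.stringify({ parent });
}

// Apply the decision as the poster wants it: every other candidate,
// including the current alert, becomes a child of the chosen parent.
// Returns the parent sys_id, or null when no grouping happened.
function applyGrouping(currentAlert, alerts) {
  const { parent } = JSON.parse(findCorrelatedAlerts(currentAlert, alerts));
  if (parent.length === 0) return null;
  const parentId = parent[0];
  for (const a of queryCandidates(currentAlert, alerts, 3)) {
    if (a.sys_id !== parentId) a.parent = parentId;
  }
  return parentId;
}

// Constructed sample data: three matching open alerts on web01, one already
// Closed alert on the same CI, and one open alert on a different CI.
function sampleAlerts() {
  const base = { cmdb_ci: "web01", source: "ALARM", severity: "2", state: "Open", parent: "" };
  return [
    { ...base, sys_id: "a607", sys_created_on: "2025-11-03 12:00:00" },
    { ...base, sys_id: "a608", sys_created_on: "2025-11-03 12:01:00" },
    { ...base, sys_id: "a609", sys_created_on: "2025-11-03 12:02:00" },
    { ...base, sys_id: "a5ff", state: "Closed", sys_created_on: "2025-11-03 11:00:00" },
    { ...base, sys_id: "a610", cmdb_ci: "db01", sys_created_on: "2025-11-03 12:03:00" },
  ];
}

// Walk-through: the third matching alert (a609) arrives and triggers the
// grouping; a607 (oldest) is chosen as parent, a608 and a609 become children.
// The Closed alert and the db01 alert are left alone.
function demo() {
  const alerts = sampleAlerts();
  const current = alerts[2]; // a609, the alert the rule is evaluating
  const parentId = applyGrouping(current, alerts);
  return {
    parentId,
    children: alerts.filter(a => a.parent === parentId).map(a => a.sys_id),
  };
}

console.log(JSON.stringify(demo())); // {"parentId":"a607","children":["a608","a609"]}
```

With only two matching alerts present, `findCorrelatedAlerts` returns `{"parent":[]}` and nothing is grouped, which is the "else don't group them" case from the thread.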