Event Rule Threshold Create Alert Operator Count

laurSmith
Tera Contributor

What resets the thresholding for an event rule to create a new alert? I'm doing some testing in my lower environment, and I have an event rule set up for Count operator 2 occurs over 2100 seconds. When I manually closed an alert and then a new event came in, an Alert didn't attach until after the 2nd event came in. The initial threshold had already been met, and it hadn't been idle to trigger the close alert operator idle over 3900 seconds.

 

Time of events

1. 07-31-2025 10:09:13 - had Alert19114048 already attached

2. 07-31-2025 10:41:44 - attached Alert19114048

[Manually closed Alert19114048]

3. 07-31-2025 11:12:24 - didn't get Alert19114048

4. 07-31-2025 11:34:04 - attached Alert19114048 (and attached previous event to same alert)

 

Why would manually closing the alert do this? Is there a business rule controlling this?


AJ-TechTrek
Giga Sage

Hi @laurSmith ,

 

As per my understanding:

What actually resets thresholding in Event Rules in ServiceNow Event Management


* Event Rules with “Count” (e.g., count ≥ 2 over X seconds) keep an internal counter per alert key (usually based on binding keys / CI + metric name etc.).
* This counter is reset when:
  * The alert goes to Closed automatically (i.e., via alert close policy or event rule “Close alert if idle over Y seconds”).
  * Or the threshold time window passes without new events (i.e., no matching event activity during the window → engine resets).

 

What happens if you manually close the alert?
* Manually closing the alert (e.g., via UI → Close Alert) does not reset the threshold counters on the Event Rule.
* The Event Rule engine keeps its current internal counter and state.
* So when new matching events come in:
  * The system checks if enough new events occurred to meet the “count ≥ 2 over 2100 seconds” threshold again.
  * Since only one new event comes in after manual close, the threshold isn't reached → no new alert.
  * Only after the second new event arrives does the threshold get satisfied → new alert is created / previous alert is re-opened.

Why?
Because:
* The Event Rule engine’s state machine is not driven by alert lifecycle, but by event stream.
* Manual alert close is a user action → doesn’t reset the internal counters / buckets.
* The Event Rule still sees that the previous alert key is “active” until it observes the full close condition by idle timeout or policy.

 

Any Business Rule controlling this?
No direct business rule.
* The logic is mostly in the Correlation Engine (scripts like EvtMgmtAlertAction, EvtMgmtProcessor) and the Event Rule processing engine.
* Alert close policies (close if idle over 3900 seconds) are system-driven, not manually triggered.

 

How to handle / fix:
If you want new alerts to be created immediately after manually closing:
* Option 1: Wait until the “close alert if idle over” condition is met → system automatically closes, then new events can trigger new alert.
* Option 2: Change your Event Rule to:
  * Not use count operator (instead, create alert immediately on new event).
  * Or reduce the count/time threshold for test.
* Option 3: Use dedicated test alert keys or modify event rule for testing to ensure new alerts are triggered immediately.

 

Please appreciate the efforts of community contributors by marking the appropriate response with "Mark my Answer Helpful" or "Accept Solution". This may help other community users follow the correct solution in future.
 

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025