08-24-2022 06:46 PM
In Event Management we are using the Create Incident OOB subflow to create Incidents. We have a strange issue where the actual CI in the alert was set to non-operational but somehow another CI was put into the Configuration Item field by this automation. The name of the CI that was used doesn't match the alert (SNMP). This is a strange CI that Discovery is doing some strange updates to, but before I try to figure out that mess, I need to know how I can find the script or whatever ServiceNow uses to pull in/find the CI in the alert/CMDB. From the Create Incident subflow I found that it uses AlertGR, whatever that is. Where can I find where this is handled? From there I am hoping I can see why it picked this strange CI instead of the expected behavior, which is to leave the field blank. Perhaps our implementation consultants did a customization to this that isn't documented. Thank you
08-25-2022 01:16 AM
Just to be sure.
1. The Event has the correct CI?
2. The Alert had the correct CI?
3. The CI in the alert was changed to non-operational and another CI populated the CI field in the Alert?
Regards,
Michael
08-25-2022 08:21 AM
1. The event had a name in it that corresponds to a CI in our system but that CI was set to non-operational.
2. The Alert had a different CI associated with it.
3. The Alert had the wrong CI. The event doesn't have a CI field I can see, but the SNMP trap that came in has the name of the CI, which is different than the CI ServiceNow assigned to it.
Is there any documentation explaining how the CI is determined from the SNMP trap text? Is it matching on the name? Because the CI that was used has a different name.
Thanks
08-29-2022 01:13 AM
The event has a field "Node". This is used to find the CI for the alert.
In the event rule there is a step/tab "Binding" and there is the following text:
Default binding: Value of Node field will be used to try and match CI name, FQDN, IP or MAC Address for Host CIs, such as Computer, OS, Switch Router (any CI type extending cmdb_ci_hardware)
The value of the field node can also be changed in the event rule.
If the event description contains the hostname for example, it's possible to extract the hostname and use that as value for the field node.
Regards,
Michael
08-31-2022 12:23 PM
Thank you. Our Node field has the IP address. Now I can troubleshoot why we have duplicate IP addresses. 🙂
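
The situation this thread ends on, a Node value holding an IP address that more than one CI shares, can be checked for over exported CI records. The following is an added example, not part of the original posts and not ServiceNow's binding code; the record layout, field names and sample records are assumptions constructed for illustration.

```javascript
// Simplified model of matching an event's Node value against CI identifiers.
// NOT ServiceNow's binding logic: field names and records are assumptions.
const MATCH_FIELDS = ["name", "fqdn", "ip_address", "mac_address"];

// Constructed sample CI records (documentation address ranges).
const sampleCis = [
  { id: "ci-1", name: "core-sw-01", fqdn: "core-sw-01.example.test",
    ip_address: "192.0.2.5", mac_address: "00:00:5e:00:53:01", operational: false },
  { id: "ci-2", name: "unknown-device-7", fqdn: "",
    ip_address: "192.0.2.5", mac_address: "00:00:5e:00:53:02", operational: true },
  { id: "ci-3", name: "edge-rtr-02", fqdn: "edge-rtr-02.example.test",
    ip_address: "192.0.2.9", mac_address: "00:00:5e:00:53:03", operational: true },
];

const normalize = (v) => String(v || "").trim().toLowerCase();

// Every CI whose name, FQDN, IP or MAC equals the node value.
function candidatesForNode(node, cis) {
  const key = normalize(node);
  if (!key) return [];
  return cis.filter((ci) => MATCH_FIELDS.some((f) => normalize(ci[f]) === key));
}

// Classify a node value so ambiguous matches can be reviewed before they
// end up on an alert or incident.
function auditNode(node, cis) {
  const hits = candidatesForNode(node, cis);
  const status = hits.length === 0 ? "no_match"
    : hits.length === 1 ? "unique" : "ambiguous";
  return { node, status, ids: hits.map((ci) => ci.id),
    nonOperational: hits.filter((ci) => !ci.operational).map((ci) => ci.id) };
}

// Identifier values (per field) that more than one CI carries.
function duplicateIdentifiers(cis) {
  const seen = new Map();
  for (const ci of cis) {
    for (const f of MATCH_FIELDS) {
      const v = normalize(ci[f]);
      if (!v) continue; // empty fields are not identifiers
      const key = `${f}=${v}`;
      seen.set(key, [...(seen.get(key) || []), ci.id]);
    }
  }
  return [...seen].filter(([, ids]) => ids.length > 1)
    .map(([key, ids]) => ({ key, ids }));
}

console.log(auditNode("192.0.2.5", sampleCis));
console.log(duplicateIdentifiers(sampleCis));
```
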