How to dynamically change the severity of an alert

aengelsher · ‎01-30-2020

We would like to be able to dynamically change the severity of an alert. Scenario is we have an event that starts off resulting in a Warning level alert. Typically for this application that is not an immediately actionable alert. If however the application logs additional events and the overall event count for the alert now goes to 5 or more, we would want the alert to become Critical for immediate review by support teams.

Can we achieve this through Alert Management Rules and Remediation Subflows?

Here is an example of a test that I ran:

Generate a Warning event that results in an alert. text = "My shorts are on fire"
create an Alert Management rule
- Order #1 and stop search for additional rules
- filter Description contains shorts AND Overall event count is 5
- run on match filter conditions
- create Subflow that sets Severity of alert to Critical and annotates with Work note set to execute "Both"
Generate additional events until Overall event count is 5
Expectation is that rule would increase severity automatically at this point, but it is not doing so
Using "Quick Response" button, manually run the remediation and Severity is changed to critical and work note is inserted as expected.

TIA

Al

robertgeen · ‎01-30-2020

Honestly there are a few ways you could do this. In your case of what you gave as a sample of what you would do I wouldn't even have that manual I would just have that alert management rule be an automated one. However I will warn you what you are trying to do here shouldn't be done in ServiceNow it should be done at the monitoring endpoint. The monitoring tool itself should increment it to Critical when it sees it being at that level for x amount of minutes or polls.

Either way if you really want to do it in ServiceNow then either do an alert management rule or put something in the PostBind scripts to up the severity.