Hi @Tetsuya3 ,

In Short, Yes- your assumption is correct. A closed alert with the same message key will be reopened. If you want to apply a different correlation rule and group alerts differently, you’ll need to adjust the message key (often via event rule transformation) or enrich the event payload so it’s treated as a new alert.

Why This Happens
* Alert correlation in Event Management is based primarily on the Message Key.
* If a new event arrives with the same Message Key as an existing alert (even if it’s closed), ServiceNow reopens that alert instead of creating or grouping it into a new one.
* This is expected platform behavior → it prevents duplicate alerts for the same underlying issue.
That’s why in your scenario:
* You closed the original alert.
* A new event with the same Message Key came in.
* ServiceNow reopened the old alert instead of grouping it differently.

Options to Achieve Your Goal as per my understanding -
If you want the same resource to be grouped differently (via another correlation rule), you have a few approaches:

1. Use a Different Message Key
* Yes, you’re right: the most direct way is to change the message key if you want the platform to treat the alert as distinct from the original.
* Example: Append additional attributes (like correlation_type, or a unique identifier from the payload) to the message key.
* That way, ServiceNow won’t reopen the old alert, and the new correlation rule can apply.

2. Custom Correlation Rule Logic
* Instead of relying on the message key alone, you can build a correlation rule that also considers additional fields (e.g., severity, description, or custom fields).
* This way, the grouping can differ depending on context.

3. Leverage Event Rules (Pre-Processing)
* Before correlation, transform or enrich the event in an Event Rule to adjust the message key or add metadata (like “correlation scope”).
* This allows the same CI/event source to participate in different correlation groups without reopening the old alert.

4. There is a Event Management properties where OOB 14400 s is set for reopen the alert is if a same message key event is received , Check this.

4. Best Practice Approach
* Message key = unique technical fingerprint of the problem.
* If you expect different correlation behaviors for the same CI or metric, design multiple message key variations (e.g., CI+Metric, CI+Service+Location) depending on use case.

Suggested Solution
* If you want alerts to be regrouped differently after one has already closed → you must use a different message key (otherwise the alert will always reopen).
* Best practice is to define the message key carefully during event rule design, so that it uniquely represents the grouping you want, while still allowing "OK/clear" events to match properly.

Please appreciate the efforts of community contributors by marking appropriate response as Mark my Answer Helpful or Accept Solution this may help other community users to follow correct solution in future.
 

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025