How to set a rule that aggregates multiple alerts into a single incident

Mamina
Mega Contributor

Hi all,

I want to set a rule that aggregates multiple alerts into a single incident. I feel that the settings below are different from the correlation rules, but I would like to know how to set them up. There are two rules I want to set:

Rule 1:
When 15 or more alerts are detected within 1 minute from one monitoring server (or MID Server), they are all aggregated into one incident. In that case, the type of CI or the alert content does not matter.

Rule 2:
When 2 or more alerts are detected from the same CI within 4 minutes, they are aggregated into 1 incident. In that case, the content of the alert does not matter.

If anyone knows, please let me know.

Best Regards,
Mamina


Rahul Priyadars
Giga Sage

Hi,

Rule 1: Do you have any pattern or qualification for those incoming alerts, irrespective of CIs or content?

You can use rule-based Alert Correlation to correlate the alerts (Rule Based, No Relationships), make one alert primary and the others secondary, and create an incident for the primary alert using alert rules.

Rule 2: The concept is the same, but use rule-based Alert Correlation with Rule Based and Same CI.

Make one alert primary and the others secondary, and create an incident for the primary alert using alert rules.

Please refer to the article below for both of your scenarios and see its screenshots.

https://community.servicenow.com/community?id=community_article&sys_id=bd7ff7b4db2cd05013b5fb2439961...

 

For an alert action rule that spawns only one incident, corresponding to the primary alert, use a filter like this:

[screenshot: alert action rule filter condition]

Regards

RP
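To make the grouping the two rules in the question describe explicit, here is an added stand-alone JavaScript sketch. It is not ServiceNow code and not part of the answer above: the alert objects and their fields (`sys_id`, `mid_server`, `cmdb_ci`, `time`) are constructed for the example, the sample alerts are made up, and the assumption that rule 1 is evaluated before rule 2 (so an alert grouped by rule 1 is not re-correlated by rule 2) is the sketch's own. What it shows is the time-window semantics, the primary/secondary split, and that one incident is produced per group, attached to the primary alert only.

```javascript
// Added example (not ServiceNow code): a stand-alone sketch of the grouping
// the two rules in the question describe. Alert objects and their fields
// (sys_id, mid_server, cmdb_ci, time) are constructed for this sketch; the
// real em_alert schema and the correlation-rule engine are not reproduced.

// Group alerts sharing a key whenever at least minCount of them fall inside a
// windowMs-wide window starting at the earliest ungrouped alert. The earliest
// alert of each group becomes the primary; the rest are secondary.
function groupByWindow(alerts, keyFn, windowMs, minCount) {
  const byKey = new Map();
  for (const a of alerts) {
    const k = keyFn(a);
    if (!k) continue;                       // no key (e.g. no CI): cannot correlate on it
    if (!byKey.has(k)) byKey.set(k, []);
    byKey.get(k).push(a);
  }

  const groups = [];
  for (const [key, list] of byKey) {
    list.sort((x, y) => x.time - y.time);   // oldest first
    let i = 0;
    while (i < list.length) {
      let j = i;
      while (j + 1 < list.length && list[j + 1].time - list[i].time <= windowMs) j++;
      const chunk = list.slice(i, j + 1);
      if (chunk.length >= minCount) {
        groups.push({ key, primary: chunk[0].sys_id, secondary: chunk.slice(1).map(a => a.sys_id) });
        i = j + 1;                          // everything in the window is consumed
      } else {
        i++;                                // threshold not met: try the next alert as window start
      }
    }
  }
  return groups;
}

// The two rules as asked for, with the time windows converted to milliseconds.
// Assumption: rules are evaluated in this order and an alert already placed in
// a group by rule 1 is not re-correlated by rule 2.
const RULES = [
  { name: "rule1: 15+ alerts from one MID Server within 1 minute",
    keyFn: a => a.mid_server, windowMs: 60 * 1000, minCount: 15 },
  { name: "rule2: 2+ alerts from the same CI within 4 minutes",
    keyFn: a => a.cmdb_ci, windowMs: 4 * 60 * 1000, minCount: 2 },
];

// One incident per group, attached to the primary alert only (the behaviour
// the alert action rule in the answer is meant to produce).
function correlate(alerts, rules = RULES) {
  const taken = new Set();
  const incidents = [];
  for (const r of rules) {
    const candidates = alerts.filter(a => !taken.has(a.sys_id));
    for (const g of groupByWindow(candidates, r.keyFn, r.windowMs, r.minCount)) {
      incidents.push({ rule: r.name, key: g.key, primary: g.primary, secondary: g.secondary });
      taken.add(g.primary);
      for (const id of g.secondary) taken.add(id);
    }
  }
  const uncorrelated = alerts.filter(a => !taken.has(a.sys_id)).map(a => a.sys_id);
  return { incidents, uncorrelated };
}

// Constructed sample input: 16 alerts from MID-A across four CIs inside 45 s
// (rule 1 fires), two alerts from CI db01 200 s apart (rule 2 fires), and one
// lone alert that matches neither rule.
const T0 = Date.parse("2024-01-01T00:00:00Z");
function mk(sys_id, mid_server, cmdb_ci, offsetSec) {
  return { sys_id, mid_server, cmdb_ci, time: T0 + offsetSec * 1000 };
}
const SAMPLE_ALERTS = [];
for (let n = 0; n < 16; n++) SAMPLE_ALERTS.push(mk("a" + n, "MID-A", "web0" + (n % 4), n * 3));
SAMPLE_ALERTS.push(mk("b1", "MID-B", "db01", 100));
SAMPLE_ALERTS.push(mk("b2", "MID-B", "db01", 300));
SAMPLE_ALERTS.push(mk("c1", "MID-B", "app07", 120));

console.log(JSON.stringify(correlate(SAMPLE_ALERTS), null, 2));
```

Running it yields two incidents (one for MID-A with `a0` as primary and 15 secondaries, one for `db01` with `b1` primary and `b2` secondary) and leaves `c1` uncorrelated. Dropping two of the MID-A alerts shows the fall-through: rule 1 no longer reaches 15, so rule 2 then groups the same alerts per CI instead. The real platform evaluates correlation rules against em_alert records with its own time-window settings; this sketch only makes the expected grouping concrete so the configured rules can be checked against it.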

 

Mamina
Mega Contributor

Hi Rahul Priyadarshy,

Thank you for your answer and the reference articles. I understand that what I want to do can be achieved with correlation rules and alert rules. If possible, I would also like to know how to set up the correlation rules. In the reference article you introduced, I think the alerts are aggregated using the CI type "win server" as the keyword. If I want to set the condition "aggregate the alerts generated for each CI, regardless of the CI and the alert contents", what conditions should be set for Primary and Secondary? I am sorry for the elementary question, but I would appreciate your answer.

Regards,

Mamina

Rahul Priyadars
Giga Sage

Hi Mamina,

First I need to see the exact content of those events. Then I can try to find the pattern for the rule.

Regards

RP