I have a confusion about event rules and mapping rules creating alerts

Go to solution
DrewW
Mega Sage
Mega Sage

‎03-29-2023 01:23 PM

We have started using Event Management and its been a really long time for me and I'm getting the following and people are asking if it can be prevented and I cannot find anything that indicates I can change it.

 

We have an Event rule for solarwinds that should create an alert when a server is down.  We then created a mapping rule to map the fields.  The issue is that we keep seeing the following in the Processing Notes field.

 

No event rule applied
Mapping rule(s) applied: solarwinds-icon-severity

 

So an alert is being generated even when there is no rule that applies because there is a mapping rule.  How do I prevent these alerts from being generated?  If there is no event rule that applies I do not want an alert, even if the system thinks it should create one using the mapping rules.

 

Please and thanks....

Labels:
0 Helpfuls
  • 2,530 Views
1 ACCEPTED SOLUTION

Go to solution
Ryan Zulli
ServiceNow Employee
ServiceNow Employee
In response to DrewW

‎05-22-2023 10:59 AM

In this case, create a master event rule that ignores everything (set to a much lower priority) and then have your existing rules set higher (so they trigger first) - however just be aware you may "miss" events if you're not on top of keeping the event rules up to date.

View solution in original post

0 Helpfuls
13 REPLIES 13

Go to solution
Ryan Zulli
ServiceNow Employee
ServiceNow Employee
In response to DrewW

‎05-22-2023 10:59 AM

In this case, create a master event rule that ignores everything (set to a much lower priority) and then have your existing rules set higher (so they trigger first) - however just be aware you may "miss" events if you're not on top of keeping the event rules up to date.

0 Helpfuls

Go to solution
DrewW
Mega Sage
Mega Sage
In response to Ryan Zulli

‎05-22-2023 11:08 AM

An alert gets created and we see this

 

No event rule applied
Mapping rule(s) applied: solarwinds-icon-severity

 

So because there is a Mapping rule in the system it creates an alert and we want to keep the mapping rule but prevent it from creating an alert.  If we disable the mapping rule the system does not create an alert unless the event rule applies.

 

 

0 Helpfuls

Go to solution
Ryan Zulli
ServiceNow Employee
ServiceNow Employee
In response to DrewW

‎05-22-2023 11:30 AM

Unless you have the box checked "run after binding" the event should be ignored and no alert is created - I will also test this, if you have a screenshot of the field mapping, post it here.

 

Event Flow once an event comes in ::

  1. apply event rules
  2. apply event field mappings that are not marked as "run after binding"
  3. bind alert to CI
  4. apply event field mappings that are marked as "run after binding"
  5. run post transform scripts

0 Helpfuls

Go to solution
DrewW
Mega Sage
Mega Sage
In response to Ryan Zulli

‎05-22-2023 12:52 PM

This is the field mapping that was setup

DrewW_0-1684781497412.png

 

This is an example of an Alert that was created, you can see at the bottom of the work notes.

DrewW_1-1684782106182.png

 

 

0 Helpfuls

Go to solution
Ryan Zulli
ServiceNow Employee
ServiceNow Employee
In response to DrewW

‎05-22-2023 01:09 PM

And where is the event rule where you're ignoring this type of Event?

0 Helpfuls