Incident creation based on alert aggregation groups

Go to solution
Sai Subrahmanya
Kilo Contributor

‎06-05-2020 03:34 AM


Hello Everyone,

Recently while I was working on Alert/Incident storm reduction problem, I came across this Alert aggregation and RCA groups. I have implemented this currently. But there is a issue that I'm currently facing, while using alert aggregation grouping Snow is creating different alerts under Automation and CMDB Group names. Now when I see these groups the incidents are being generated for Secondary alerts instead of Primary or Automation or CMDB type, this is only reducing noise in alerts but not helping incidents. My main goal is to reduce the storm of incidents, Can anyone help me with Making Primary or Automation or CMDB group type Alert generate incident and make Secondary alerts not to generate any incidents. Which means just one incident per group.

Thanks in advance,

J. Sai Subrahmanyam

0 Helpfuls
  • 2,316 Views
1 ACCEPTED SOLUTION

Go to solution
Ashutosh Munot1
Kilo Patron
Kilo Patron

‎06-06-2020 04:16 AM

Hi,

There is already and flow and management rule which will create alert only for primary and not for secondary.:

Name:"Create Incident for Primary Alert"

find_real_file.png

 

There is one more event management rule for all alerts called as "Create Incident" Which will be active in your case. So you need to deactivate that and active first one.

Thanks,
Ashutosh

View solution in original post

Preview file
110 KB
7 REPLIES 7

Go to solution
Ashutosh Munot1
Kilo Patron
Kilo Patron
In response to Sai Subrahmanya

‎06-08-2020 10:10 AM

HI,

We are using this from past. Can you please show your alert and rule?


Thanks,
Ashutosh

0 Helpfuls

Go to solution
christianmalone
ServiceNow Employee
ServiceNow Employee

‎06-08-2020 09:06 AM

See the attached lab as to one way to filter the alert management actions to not trigger on secondary alerts...

Preview file
1677 KB
0 Helpfuls

Go to solution
Sai Subrahmanya
Kilo Contributor

‎06-09-2020 10:04 PM

Hi,

Thank you! guys. There was a Alert action Rule defined separately, because of which the incidents for secondary alerts are being generated. I think it should work once we change that rule. Any how thank you vary much. 🙂

And one more thing, as this thing is done now my next goal is to work on automated RCA. Please help me if you have any idea about this. I tried enabling RCA property in Alert aggregation and RCA Properties, but I could not see any RCA's yet in Alert intelligence page. Please let me know if you guys have any idea regarding this.

 

Thanks and Regards,

J. Sai Subrahmanyam

0 Helpfuls