Is it possible to auto-close an Alert but then also auto-open an Incident using only an Alert Rule?

Go to solution
joelnbtx
Kilo Contributor

‎02-09-2017 02:32 PM

I have a use case where a customer only wants to work on incidents instead of both alerts and incidents.   They want the alert to close automatically.   The alert rule is already opening incidents by setting the 'Auto open' checkbox with type=Incident.     I was able to auto-close the alert by creating an overwrite template in the alert rule and setting the 'alert state' to closed. However, when i close the alert via the template, then the alert rule will not auto-open the incident.   So, it seems like I can either auto-close the alert or auto-open an Incident, but i can't do both using the templates.

Have I missed any Alert Rule functionality that would allow this use case?

Labels:
0 Helpfuls
  • 4,591 Views
1 ACCEPTED SOLUTION

Go to solution
Tony Branton
ServiceNow Employee
ServiceNow Employee

‎02-13-2017 06:39 PM

Rather than messing around with script includes, another approach would be to use a Remediation Task that would invoke a workflow.   The advantage of this approach is that you can control the order of execution.



Here are the high-level steps:



  • Create a workflow that uses the em_remediation_task table
  • Add a workflow Create Task (or Run Script) activity to create an Incident.   Although you can use a Task Template in a Create Task activity, you'll likely need to use a script to populate some of the Task fields (e.g. Alert Description -> Incident Short Description)
  • Add a workflow Set Value activity to change the Alert State field to Closed (use the Alert related fields)
  • Using the existing Alert Rule, clear the Overwrite alert template field and uncheck the Auto-open checkbox on the Actions tab.
  • In the Remediation tab, check the Enable remediation checkbox, set Execution to Automatic and and select the Orchestration workflow you created.


Hope this helps with your use case.


View solution in original post

9 REPLIES 9

Go to solution
ellenxiang
Kilo Contributor
In response to Tony Branton

‎01-24-2018 07:36 PM

Thank you for your information. Alert is successfully closed by Alert Action rule after adjusting the order.


0 Helpfuls

Go to solution
Dave Smith1
ServiceNow Employee
ServiceNow Employee

‎02-12-2017 11:24 AM

Yes, it is possible - Dan has outlined the steps required there.



However, the use case doesn't fully stand up to scrutiny: the customer is treating every alert as an incident, when it may not be.



I agree that an incident is a specific type of alert. However, an alert doesn't necessary translate to an incident.   The danger here is that low-priority alerts could be promoted to incidents, so those working the service desk could become inundated with many incident records, with the important incidents being hidden in a sea of "promoted alerts".



From what you describe, it seems alerts aren't necessary - the customer wishes the incoming event to raise an incident. So.. have you discussed with the customer deeper reasons behind this? Do they understand what they're letting themselves in for?


0 Helpfuls

Go to solution
joelnbtx
Kilo Contributor
In response to Dave Smith1

‎02-13-2017 11:43 AM

David, this internal customer is deviating from the approach we taken with our other customers.   I've tried guiding them to embrace the standard alert and incident process.   Unfortunately, I'm running up against legacy processes, silos that are resistant to change, and a retiring technology time crunch.   My strategy is to get them on-boarded into the EM platform and then get them to adopt the best practices.


0 Helpfuls

Go to solution
Tony Branton
ServiceNow Employee
ServiceNow Employee

‎02-13-2017 06:39 PM

Rather than messing around with script includes, another approach would be to use a Remediation Task that would invoke a workflow.   The advantage of this approach is that you can control the order of execution.



Here are the high-level steps:



  • Create a workflow that uses the em_remediation_task table
  • Add a workflow Create Task (or Run Script) activity to create an Incident.   Although you can use a Task Template in a Create Task activity, you'll likely need to use a script to populate some of the Task fields (e.g. Alert Description -> Incident Short Description)
  • Add a workflow Set Value activity to change the Alert State field to Closed (use the Alert related fields)
  • Using the existing Alert Rule, clear the Overwrite alert template field and uncheck the Auto-open checkbox on the Actions tab.
  • In the Remediation tab, check the Enable remediation checkbox, set Execution to Automatic and and select the Orchestration workflow you created.


Hope this helps with your use case.


Go to solution
joelnbtx
Kilo Contributor
In response to Tony Branton

‎02-15-2017 08:59 AM

I think this is the approach we'll take.   I am still disappointed that the opening of the incident is dependent on the alert state being open.   However, this allows us to selectively apply the solution to the few areas that only want incidents.   It also uses the standard objects without requiring updates to any script includes.


0 Helpfuls