Is there a way to delay the creation of an incident ticket
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-02-2020 06:34 AM
We currently have a number of monitoring tools feeding into SN (PRTG, Dynatrace ...). We are looking for a way to delay the creation of an alert ticket for xx amount of time to make sure that the monitoring tool does not send an all clear response. Example: PRTG throws an error because a CPU sensor detects a low memory situation. It throws an error that is then transmitted to SN. We have an alert rule monitoring for that situation which would create a ticket. In the meantime the low memory situation resolves itself and PRTG throws an all clear message to SN, thus making the incident moot. If we could delay ITOM from creating the ticket for say a minute, the all clear would be there and thus eliminating the need to create the ticket.
Thanks for the help
- Labels:
-
Event Management
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-02-2020 06:45 AM
You can do this by following this process (roughly)
- Create an event using the event registry
- When the tool send you a notification trigger the event using gs.eventQueueScheduled method (Read more here)
- Create a Script action that creates the incident using the passed info inside the event (Read how to pass more than two parameters here)
- If the tool sends the ALL CLEAR before the delayed event fires go into the event log, find the event waiting to fire and delete it so it never runs.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-02-2020 06:52 AM
If all low memory events are resolved automatically, I'd suggest to make an Event Rule with matching conditions for a low memory event and check "Ignore events that match this filter".
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-02-2020 08:09 AM
So the best way to do this is in the flow designer flow you trigger to create the incident add a wait timer to wait 1 minute. After that have it do a check if it's closed and if it is do nothing otherwise create the incident normally. You can also have this specific flow only trigger for certain types of alerts if need be by using the filter in the alert management rule.
1 note adding a time delay in the alert management rule filter WILL NOT work for this because the back-end scheduled job that triggers them only runs on things that have been updated since the last time it worked. Thus if you say only if the alert created date is more then 1 minute ago it won't trigger until an update happens on that record itself (as it won't be seen by the time filter on the scheduled job). Thus the best way to do this is through the flow designer timer wait.
1 other thing to note if your system for some reason gets backlogged that "wait" timer may actually be longer then 1 minute so keep that in mind if it's a system critical message (since the wait timer actually fires an event in the back-end for 1 minute later but it gets processed in a queue).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-02-2020 10:57 AM
This looks like what we are looking for. One question that I have is where do you put the wait time in the wait command? I was playing around with it a little bit but didn't see where you enter the parameter
Thanis
