Issue with Alert Status Remaining 'Open' Despite Event Severity 'Ok' – ServiceNow
07-21-2025 10:41 AM
Issue:
"The alert record remains in the 'Open' status even after the event is cleared, i.e., when a subsequent event with severity 'Ok' is received."
To provide better context, here are the detailed steps:
First Event:
An event was generated for node '123' with the message key 'xxx' and severity 'Minor'. As expected, this created both an alert and an incident based on the configured alert and event rules.
Second Event:
Another event for the same node '123' with the same message key 'xxx' was received with severity 'Ok' (indicating that the issue was resolved).
The existing alert was updated, as confirmed by the updated timestamp.
The associated incident was resolved.
However, the alert status remained 'Open'.
Impact:
Due to this behavior, when a third event with severity 'Minor' arrives for the same node and message key, the existing alert is not reopening as expected.
Question:
Why does ServiceNow keep the alert open when the alert severity is Ok? What is the reason for it?
For this, what is the best practice:
1. Edit the scheduled job that is the reason the alert is not closing when the severity is Ok
2. Create a business rule/flow to close the alert when the alert severity is updated to Ok
3. Or else, what is the best practice?

07-21-2025 01:21 PM
The solution we had for this was to create an event rule that set the resolution_state to "Closing". This is how the OOB "snmpV3.linkUp" event rule is configured and we used this approach based on this example.