Multiple Incidents are created for the same events

mirza_saquib
Tera Contributor

Hi 

Problem Statement: Multiple incidents are created for the same issue (Disk Warning Usage) through a Windows cluster; instead of creating one incident from the cluster, they are creating incidents from all the servers.

What is happening in the system:

When the events are triggered with different message keys (source + node, changing every time), they create an alert, and alerts of the same type are grouped together.

The primary alert is not creating the incidents but the secondary alerts are, because the property is not enabled, and we cannot enable the property with which the primary alert creates the incident because it is global.

So is there any way to stop creating incidents on secondary alerts for "Disk Warning" only?


AJ-TechTrek
Giga Sage

Hi @mirza_saquib,

You need to control this using the Alert Management rule for incident creation, and I recommend you look into Predictive Intelligence for incidents.

The rule in my example is configured like this:

[Image: AjayKumar011_0-1710166621877.png]

The primary is basically the root cause, and the primary are the affected alerts. Another example: "Printer offline" is the primary, and "Print job failed" is secondary. The print job failed events are generated because of the printer offline (root cause).

Refer to Event Correlation.

https://www.servicenow.com/community/montreal-snug/servicenow-incident-reduction-via-event-correlati...

https://www.servicenow.com/community/itom-blog/alert-correlation-advanced-processing-example/ba-p/22...

Thanks

AJ

Linkedin Profile:- https://www.linkedin.com/in/ajay-kumar-66a91385/

ServiceNow Community Rising Star 2024

Anand Mahagaon
Tera Contributor

Add the filter condition on the alert rules. As the message keys are different, it will try to create a new alert [in turn, post BR, it will be added to the Primary Alert], which in turn creates a new incident.

All of this can be handled in alert rules and Flow Designer as well.
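The behaviour discussed in this thread, as an added example that is not ServiceNow code and not from any poster: a simplified Python model of how per-node message keys produce one alert per server, and how a filter condition on the incident-creating rule suppresses incidents for "Disk Warning" secondaries only. Assumptions: the source and node names are constructed, each group is represented by a virtual primary with every per-node alert as a secondary, and all function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample events: one Disk Warning per cluster node, one repeat, one unrelated event.
EVENTS = [
    {"source": "monitor-a", "node": "win-clu-n1", "description": "Disk Warning Usage"},
    {"source": "monitor-a", "node": "win-clu-n2", "description": "Disk Warning Usage"},
    {"source": "monitor-a", "node": "win-clu-n3", "description": "Disk Warning Usage"},
    {"source": "monitor-a", "node": "win-clu-n1", "description": "Disk Warning Usage"},
    {"source": "monitor-a", "node": "print-01", "description": "Print job failed"},
]

@dataclass
class Alert:
    message_key: str
    description: str
    role: str = "secondary"  # assumption: every per-node alert is a secondary
    event_count: int = 0

def build_alerts(events):
    """Events sharing a message key (source + node) update one alert; a new key opens a new one."""
    alerts = {}
    for ev in events:
        key = f"{ev['source']}:{ev['node']}"
        alert = alerts.setdefault(key, Alert(key, ev["description"]))
        alert.event_count += 1
    return list(alerts.values())

def group_alerts(alerts):
    """Group alerts of the same type under a virtual primary (modelling assumption)."""
    groups = {}
    for alert in alerts:
        groups.setdefault(alert.description, []).append(alert)
    grouped = []
    for description, members in groups.items():
        grouped.append(Alert(f"group:{description}", description, role="primary"))
        grouped.extend(members)
    return grouped

def creates_incident(alert, filtered):
    """Incident rule: primaries never open incidents (the thread's setup); the filter skips Disk Warning."""
    if alert.role == "primary":
        return False
    if filtered and "Disk Warning" in alert.description:
        return False
    return True

def incidents(events, filtered):
    """Message keys of the alerts that would open an incident."""
    return [a.message_key for a in group_alerts(build_alerts(events)) if creates_incident(a, filtered)]
```

Without the filter the model opens one incident per cluster node; with it, only the unrelated "Print job failed" secondary still opens one.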