Nagios to Service-Now - Creating alerts using inbound actions

ahmedhussain1
Kilo Contributor

Hi,

I am looking at creating incidents using inbound actions on Nagios Alerts. I have done this by using the service-now email in Nagios alerts.

I am struggling with the inbound actions to make this do different actions for different types of alerts. I am looking at setting Critical Alerts to active and Warnings to resolved with all the relevant fields completed.

I have the code below for Critical / Warning Alerts:

//Note: current.opened_by is already set to the first UserID that matches the From: email address
current.caller_id = gs.getUserID();
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text;
current.short_description = email.subject;
current.category = "Alert";
Current.State = "Resolved";
current.caller = "Nagios Alert";
current.AffectedUser = "Nagios Alert";
Current.SubCategory = "Other";
current.incident_state = 4;
current.notify = 4;
current.contact_type = "email";
if (email.body.assign != undefined)
  current.assigned_to = email.body.assign;
if(email.importance != undefined)
  if (email.importance == "CRITICAL", "WARNING")
    current.priority = 4;
if (email.body.priority != undefined)
  current.priority = email.body.priority;
current.insert();

If someone can help with the coding this would be a great help.

Thanks.

1 ACCEPTED SOLUTION

Hi Ahmed,



This is tested in my instance:


current.caller_id = gs.getUserID();
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text;
current.short_description = email.subject;

// Optional "assign:" name/value pair taken from the email body
if (email.body.assign != undefined)
  current.assigned_to = email.body.assign;

// Lower-case the subject before each check so the match is case-insensitive
if (email.subject.toString().toLowerCase().indexOf('critical') > -1) {
  gs.log('this is a critical message'); // you can remove this line
  insertCritical();
}
else if (email.subject.toString().toLowerCase().indexOf('warning') > -1) {
  gs.log('this is a warning message'); // you can remove this line
  insertWarning();
}
else if (email.subject.toString().toLowerCase().indexOf('recovered') > -1) {
  // No insert for recovered alerts; stop later inbound actions from processing this email
  event.state = "stop_processing";
}

// Critical alert: open a new incident
function insertCritical() {
  current.opened_by = 'default.user';
  current.short_description = email.subject; // + ' from: ' + email.origemail;
  current.contact_type = 'email';
  current.state = 1; // new
  current.assignment_group = '4c2bdb770f3e0a0030691b2be1050e38'; // some AG. Change it to suit your needs
  current.description = "[Received email from: " + email.origemail + "]\n\n" + email.body_text;
  current.insert();
}

// Warning alert: create the incident already resolved
function insertWarning() {
  current.opened_by = 'default.user';
  current.short_description = email.subject; // + ' from: ' + email.origemail;
  current.contact_type = 'email';
  current.state = 6; // resolved
  current.assignment_group = '4c2bdb770f3e0a0030691b2be1050e38'; // some AG. Change it to suit your needs
  current.description = "[Received email from: " + email.origemail + "]\n\n" + email.body_text;
  current.insert();
}



In the function part - you can remove my entries and put whatever you want the incident to show.


I did not put any function under recovered. Make your own function if needed.



Harel


Please mark as correct or helpful based on impact



12 REPLIES

try adding: > -1   to the statements, as in:


if (email.subject.toString().toLowerCase().indexOf('critical') > -1) {


which I believe means "contains".



harel




Hi Harel,




I have used the code as explained by yourself, this is setting all the created incidents to resolved?




Thanks.




Ahmed.


Even those coming in with Critical in their subject line? Can you give an example of such subject line?


For instance, I have the following in one of my inbound actions, which works:


if (email.subject.indexOf("A new hire request") == 0) { which means that this is the exact subject



By the way, can you make sure that the incident is not opened as desired and then automatically resolves with a BR or something?



harel


Yes, even the ones with Critical are autoclosing.




MSSQL Query - SQL Jobs Check is CRITICAL - that is the subject line for Critical




Drive F: Disk Usage is WARNING - that is subject line for Warning



Drive F: Disk Usage is Recovered - that is the subject line for Recovered - These should not be generating but these are still showing.



No, the auto close feature has been disabled.



Kind Regards
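
The subject-line matching discussed in this thread, as an added example that is not part of any post: it compares an anchored match on the trailing state word with the substring chain and with a bare `indexOf()` test, using the three subjects quoted above plus two constructed ones. The helper names are hypothetical and the code runs as plain JavaScript, outside ServiceNow.

```javascript
// Added example. classifySubject, substringClassify and bareIndexOfCheck are
// hypothetical helper names, not ServiceNow APIs.
var ACTIONS = { critical: 'insert_new', warning: 'insert_resolved', recovered: 'ignore' };

// Anchored match: the state is the last word, after " is ", as in the quoted subjects.
function classifySubject(subject) {
  var m = /\bis\s+(critical|warning|recovered)\s*$/i.exec(String(subject || ''));
  if (!m) {
    return { state: null, action: 'ignore' }; // unrecognised mail creates nothing
  }
  var state = m[1].toLowerCase();
  return { state: state, action: ACTIONS[state] };
}

// Substring chain: the first keyword found anywhere in the subject wins.
function substringClassify(subject) {
  var s = String(subject).toLowerCase();
  if (s.indexOf('critical') > -1) return 'critical';
  if (s.indexOf('warning') > -1) return 'warning';
  if (s.indexOf('recovered') > -1) return 'recovered';
  return null;
}

// indexOf() without a comparison: -1 ("not found") is truthy, 0 ("found at start") is falsy.
function bareIndexOfCheck(subject) {
  return Boolean(String(subject).indexOf('recovered'));
}

var SAMPLES = [
  'MSSQL Query - SQL Jobs Check is CRITICAL',   // from the thread
  'Drive F: Disk Usage is WARNING',             // from the thread
  'Drive F: Disk Usage is Recovered',           // from the thread
  'Critical Path DB - Disk Usage is WARNING',   // constructed: keyword in the service name
  'Weekly capacity report'                      // constructed: not an alert
];

function report() {
  return SAMPLES.map(function (s) {
    var c = classifySubject(s);
    return [s, c.state, c.action, substringClassify(s), bareIndexOfCheck(s)].join(' | ');
  });
}

console.log(report().join('\n'));
```
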


ashwinkumar_pat
Giga Expert

Hi Ahmed



You should consider using an event management tool. It's not a good practice to integrate a monitoring tool directly with ServiceNow.



How many alerts are generated per day?



PS: I don't sell any event management tools 🙂