Operational process question - Does your NOC watch the Alerts queue or Incidents queue?

dan_tembe
Tera Contributor

Hello Folks, 

First off, thanks to this community, I am learning a lot about ServiceNOW ITOM. It is certainly helping me transition my skills from other tools to understand the logic and similar logic in SNOW ITOM - more specifically the Event Management part. 

So far in our Dev, when I am testing ServiceNOW event management, using rules, I am able to reduce over 90% of the noise of events into alerts and about a similar % of reduction into Incidents.

I have created task templates to create Incidents based on alert severity or other matches. My biggest concern is that we might miss creating an incident on something and it will go unnoticed until escalated from the asset owner. As with any new tool in the environment, if we have significant misses in the beginning, we will not get complete adoption, so trying to make sure operationally we have the right process in place. 

This brought the question in my mind, in your operations (NOC) do your teams work from the alert console or incident queue?

Is there a method that I should look into developing - such as review the alerts every hour but work from Incident queue? Or part of the team works from Incident queue and part reviews the alert console?

Not sure there is one size fits all answer, but want to understand how others are operating so we can come up with something that will work for us. 

Thanks in advance for reading this and your valuable input. 

Dan

 

6 REPLIES

Hello Robert, 

Thanks! Every day I am learning more. Kudos to folks like you who are taking time out of your busy schedule to provide input.

Once I got the concept of ServiceNOW Event handling at a high level (still a lot to learn), the functionality and tight integrations between the ITIL-aligned Event to Incident workflow make sense.

In my mind, when we have a manual alert to incident conversion or have to put eyes on an alert console to create an incident, it is low-value (ROI-wise) work. Of course, if we miss an SLA because the rules didn't match, it can be a massive impact to ROI. So a balancing act. 

We are getting there slowly, but a lot of work to do. Lots of rules writing and tuning going on. 

All good stuff. 

Thanks!

Dan

 

 

TV
ServiceNow Employee

There is no doubt about the efficiency you would gain by implementing the EM. As a practitioner, I would suggest reversing the logic to avoid the risk you highlighted. Let everything go as Incident and now filter out the noise at alert level.