Rule Based Alert Correlation

Powshika B
Tera Contributor

Hi,

Requirement: If there is any open existing alert with the same values, make the existing alert primary and the current alert secondary. Similarly, if the existing alert is closed, the existing alert should reopen, and so should the incident, if another alert comes in with the same values.

In my case the existing alert is reopening, but instead of reopening the existing incident, it is creating a new incident. Why is it working so?

SCRIPT:

(function findCorrelatedAlerts(currentAlert) {
    var result = {};
    // Define the fields for comparison from the new alert record
    // (currentAlert is the alert GlideRecord the rule is evaluating)
    var newNode = currentAlert.getValue('node');
    var newCI = currentAlert.getValue('cmdb_ci');
    var newSourceInstance = currentAlert.getValue('event_class');

    // Query to find existing alerts with the same node, CI, source instance, and state not equal to 'closed'
    var existingAlert = new GlideRecord('em_alert');
    existingAlert.addQuery('sys_id', '!=', currentAlert.getUniqueValue()); // never correlate the alert with itself
    existingAlert.addQuery('node', newNode);
    existingAlert.addQuery('cmdb_ci', newCI);
    existingAlert.addQuery('event_class', newSourceInstance);
    existingAlert.addQuery('description', 'CONTAINS', newNode);
    existingAlert.addQuery('correlation_rule_group', 'IN', '0,1');
    // NOTE: state values must match the em_alert choice list of the instance exactly (e.g. 'Closed' vs 'closed')
    existingAlert.addQuery('state', '!=', 'closed');
    existingAlert.query();

    if (existingAlert.next()) {
        // If an open alert with the same values is found, correlate it as a primary alert
        result = {
            'PRIMARY': [existingAlert.getUniqueValue()],
            'SECONDARY': [currentAlert.getUniqueValue()]
        };
    } else {
        // If no open alerts with the same values are found, check for closed alerts within the last 4 hours
        var closedAlert = new GlideRecord('em_alert');
        closedAlert.addQuery('sys_id', '!=', currentAlert.getUniqueValue());
        closedAlert.addQuery('node', newNode);
        closedAlert.addQuery('cmdb_ci', newCI);
        closedAlert.addQuery('event_class', newSourceInstance);
        closedAlert.addQuery('description', 'CONTAINS', newNode);
        closedAlert.addQuery('state', 'closed');
        closedAlert.addNotNullQuery('incident'); // only closed alerts that already have an incident
        closedAlert.addQuery('sys_updated_on', '>', gs.hoursAgo(4)); // Check within the last 4 hours
        closedAlert.orderByDesc('sys_updated_on'); // Order by most recent updated time
        closedAlert.query();

        if (closedAlert.next()) {
            // If a closed alert within the last 4 hours is found, reopen it and correlate it as a primary alert
            closedAlert.setValue('state', 'Reopen');
            closedAlert.update();
            result = {
                'PRIMARY': [closedAlert.getUniqueValue()],
                'SECONDARY': [currentAlert.getUniqueValue()]
            };
        } else {
            // If no matching alerts are found, set the current alert as the primary alert
            result = {
                'PRIMARY': [currentAlert.getUniqueValue()],
                'SECONDARY': []
            };
        }
    }
    // The rule only returns the primary/secondary grouping; incident handling is done elsewhere
    return JSON.stringify(result);
})(current);
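Added example, not the original poster's script and not ServiceNow code: the same three-branch correlation decision written as a pure function over in-memory alert objects, so each branch (open match, closed match within the 4-hour window, no match) can be exercised without an instance. The alert objects, the `correlate`/`runScenarios` helpers and the state values 'Open'/'Reopen'/'Closed' are assumptions for illustration; the instance's em_alert choice list must be checked for the real values. Note that, exactly like the posted script, the function only decides the PRIMARY/SECONDARY grouping and flips the alert state; what happens to the incident is outside this logic.

```javascript
// Added example (not the poster's script): pure-JS model of the correlation rule.
// Assumed alert shape: { sys_id, node, cmdb_ci, event_class, description,
//   state, incident, sys_updated_on (epoch ms) }. State values are a constructed
// convention and must match the instance's em_alert choice list.

const REOPEN_WINDOW_MS = 4 * 60 * 60 * 1000; // 4 hours, as in the posted script

// Same matching criteria as the GlideRecord queries: node, CI, source instance,
// and the description containing the node name.
function sameKey(candidate, current) {
  return candidate.node === current.node &&
    candidate.cmdb_ci === current.cmdb_ci &&
    candidate.event_class === current.event_class &&
    candidate.description.indexOf(current.node) !== -1;
}

function correlate(currentAlert, existingAlerts, nowMs) {
  // Never correlate the alert with itself
  const candidates = existingAlerts.filter(
    a => a.sys_id !== currentAlert.sys_id && sameKey(a, currentAlert));

  // Branch 1: an open alert with the same values becomes primary
  const open = candidates.find(a => a.state !== 'Closed');
  if (open) {
    return { PRIMARY: [open.sys_id], SECONDARY: [currentAlert.sys_id], reopened: null };
  }

  // Branch 2: the most recently closed alert that has an incident and was
  // updated inside the window is reopened and becomes primary
  const recentClosed = candidates
    .filter(a => a.state === 'Closed' && a.incident &&
      nowMs - a.sys_updated_on <= REOPEN_WINDOW_MS)
    .sort((a, b) => b.sys_updated_on - a.sys_updated_on)[0];
  if (recentClosed) {
    recentClosed.state = 'Reopen'; // equivalent of closedAlert.update() in the script
    return { PRIMARY: [recentClosed.sys_id], SECONDARY: [currentAlert.sys_id], reopened: recentClosed.sys_id };
  }

  // Branch 3: nothing matches, the current alert stands alone as primary
  return { PRIMARY: [currentAlert.sys_id], SECONDARY: [], reopened: null };
}

// Constructed sample data: one open alert, one closed 2h ago, one closed 6h ago.
const NOW = Date.UTC(2024, 0, 1, 12, 0, 0);
const HOUR = 60 * 60 * 1000;

function sampleAlerts() {
  return [
    { sys_id: 'a1', node: 'web01', cmdb_ci: 'ci-web01', event_class: 'cpu', description: 'web01 cpu high',
      state: 'Open', incident: 'inc1', sys_updated_on: NOW - HOUR },
    { sys_id: 'a2', node: 'db01', cmdb_ci: 'ci-db01', event_class: 'disk', description: 'db01 disk full',
      state: 'Closed', incident: 'inc2', sys_updated_on: NOW - 2 * HOUR },
    { sys_id: 'a3', node: 'db02', cmdb_ci: 'ci-db02', event_class: 'disk', description: 'db02 disk full',
      state: 'Closed', incident: 'inc3', sys_updated_on: NOW - 6 * HOUR }
  ];
}

// Build an incoming alert for a node / source instance (constructed)
function newAlert(sysId, node, eventClass) {
  return { sys_id: sysId, node: node, cmdb_ci: 'ci-' + node, event_class: eventClass,
    description: node + ' ' + eventClass + ' threshold breached',
    state: 'Open', incident: null, sys_updated_on: NOW };
}

// Run the three scenarios against the same alert list and return the results
function runScenarios() {
  const alerts = sampleAlerts();
  const openMatch = correlate(newAlert('a4', 'web01', 'cpu'), alerts, NOW);   // branch 1
  const reopenMatch = correlate(newAlert('a5', 'db01', 'disk'), alerts, NOW); // branch 2
  const staleMatch = correlate(newAlert('a6', 'db02', 'disk'), alerts, NOW);  // branch 3 (a3 too old)
  return { openMatch: openMatch, reopenMatch: reopenMatch, staleMatch: staleMatch, alerts: alerts };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The third scenario is the one to compare against a production trace: an alert closed 6 hours ago falls outside the window, so the new alert becomes its own primary even though every other value matches. When checking why a correlation did not fire for event-generated alerts, dumping the field values both sides of `sameKey` (and the real state values) for the automatic alert is the quickest way to see which criterion failed.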

pratiksha5
Mega Sage

How are the incidents getting created via the alert management rule? Update the flow to say: if there is an incident on the same CI in the last few hours, then update the incident; if not found, then create it.

Hi @pratiksha5, thanks for the reply, but my requirement is to check those values at the alert level itself and correlate those alerts.

Powshika B
Tera Contributor

Hi @Rahul Priyadars, for rule-based alert correlation, the above-mentioned script is correlating alerts only when I create an alert manually, but it is not correlating when I generate an alert from an event automatically. Why is it working so?

Kindly let me know if you have any ideas.

Do you have any filter condition in the alert correlation rule which is stopping it from triggering?

Please check the data coming from the Monitoring Source and compare it with your manual data.

Regards

RP