Rule Based Alert Correlation

Powshika B
Tera Contributor

Hi,

Requirement: if there is an open existing alert with the same values, make the existing alert primary and the current alert secondary. Similarly, if the existing alert is closed, the existing alert should reopen, and so should the incident, if another alert comes in with the same values.


In my case the existing alert is reopening, but instead of reopening the existing incident it is creating a new incident. Why is it behaving this way?


SCRIPT:

(function findCorrelatedAlerts(currentAlert) {
    var result = {};
    // Fields for comparison, read from the alert being correlated.
    // The function receives currentAlert, so read from it rather than from `current`.
    var newNode = currentAlert.node;
    var newCI = currentAlert.cmdb_ci.sys_id;
    var newSourceInstance = currentAlert.event_class;

    // Find existing alerts with the same node, CI and source instance that are not closed.
    // em_alert state values are capitalised ('Open', 'Reopen', 'Flapping', 'Closed').
    var existingAlert = new GlideRecord('em_alert');
    existingAlert.addQuery('node', newNode);
    existingAlert.addQuery('cmdb_ci.sys_id', newCI);
    existingAlert.addQuery('event_class', newSourceInstance);
    existingAlert.addQuery('description', 'CONTAINS', newNode);
    existingAlert.addQuery('correlation_rule_group', 'IN', '0,1');
    existingAlert.addQuery('state', '!=', 'Closed');
    existingAlert.query();

    if (existingAlert.next()) {
        // An open alert with the same values exists: it becomes primary, the current alert secondary.
        // String() forces the GlideElement to a plain string before JSON.stringify.
        result = {
            'PRIMARY': [existingAlert.getUniqueValue()],
            'SECONDARY': [String(currentAlert.sys_id)]
        };
    } else {
        // No open alert with the same values: look for a closed one within the last 4 hours.
        var closedAlert = new GlideRecord('em_alert');
        closedAlert.addQuery('node', newNode);
        closedAlert.addQuery('cmdb_ci.sys_id', newCI);
        closedAlert.addQuery('event_class', newSourceInstance);
        closedAlert.addQuery('description', 'CONTAINS', newNode);
        closedAlert.addQuery('state', 'Closed');
        closedAlert.addNotNullQuery('incident');
        closedAlert.addQuery('sys_updated_on', '>', gs.hoursAgo(4)); // Check within the last 4 hours
        closedAlert.orderByDesc('sys_updated_on'); // Most recently updated first
        closedAlert.query();

        if (closedAlert.next()) {
            // A closed alert within the last 4 hours exists: reopen it and make it primary.
            closedAlert.state = 'Reopen';
            closedAlert.update();
            result = {
                'PRIMARY': [closedAlert.getUniqueValue()],
                'SECONDARY': [String(currentAlert.sys_id)]
            };
        } else {
            // No matching alert at all: the current alert is the primary.
            result = {
                'PRIMARY': [String(currentAlert.sys_id)],
                'SECONDARY': []
            };
        }
    }
    return JSON.stringify(result);
})(currentAlert);

Do not write a BR for any kind of alert correlation. Technically you can use scripts.

Refer to this sample rule and edit it as per your needs.


[Screenshots of the sample rule omitted]


Use the KB article below for more debugging:

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0829008

Regards

RP


Thank you, @Rahul Priyadars. Let me check.

Nosey
Tera Contributor

Nowhere in your script do you act on the incident table. If your alert management rule doesn't have a flow that checks for an open incident and reopens it, the incident will stay closed.

There is no OOTB relationship between an incident and em_alert; it should all be driven by the flow on the alert management rule.
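
The following is an added example, not code from this thread or from ServiceNow. It models the correlation decision in the original script (open match, closed match within a 4-hour window, no match) over in-memory stand-ins for the em_alert and incident tables, and makes the step the reply above points at explicit: reopening the incident linked to the closed alert. Field names mirror the post's script; the records, sys_ids, timestamps and the `store`, `correlate`, `buildScenario` and `runCases` helpers are all constructed for this illustration, and the incident state values assume ServiceNow's defaults (2 = In Progress, 7 = Closed).

```javascript
// Added example, not code from the thread or from ServiceNow: the correlation
// decision from the original script is modelled over in-memory stand-ins for
// em_alert and incident so the incident step discussed in the replies is
// explicit. Field names mirror the post's script; records, ids and timestamps
// are constructed.

const HOUR_MS = 60 * 60 * 1000;
// ServiceNow's default incident state values (assumption: defaults unchanged).
const INC_IN_PROGRESS = 2;
const INC_CLOSED = 7;

// The three fields the post uses to decide that two alerts describe the same thing.
function sameValues(a, b) {
  return a.node === b.node && a.cmdb_ci === b.cmdb_ci && a.event_class === b.event_class;
}

// Mirrors the first query: an alert with the same values that is not Closed.
function findOpenMatch(store, alert) {
  return store.em_alert.find(a =>
    a.sys_id !== alert.sys_id && a.state !== 'Closed' && sameValues(a, alert));
}

// Mirrors the second query: most recently updated Closed alert with the same
// values, linked to an incident, updated within the look-back window.
function findRecentClosedMatch(store, alert, windowHours) {
  const cutoff = store.now - windowHours * HOUR_MS;
  return store.em_alert
    .filter(a => a.sys_id !== alert.sys_id && a.state === 'Closed' && a.incident &&
      a.sys_updated_on > cutoff && sameValues(a, alert))
    .sort((x, y) => y.sys_updated_on - x.sys_updated_on)[0];
}

// The step the original script leaves out: reopen the incident the closed
// alert is linked to, so the alert management flow finds it open instead of
// creating a new one.
function reopenLinkedIncident(store, alert) {
  const inc = store.incident.find(i => i.sys_id === alert.incident);
  if (!inc || inc.state !== INC_CLOSED) return false;
  inc.state = INC_IN_PROGRESS;
  inc.sys_updated_on = store.now;
  return true;
}

// Returns the PRIMARY/SECONDARY grouping in the shape the post's script
// returns, plus whether an incident was reopened along the way.
function correlate(store, alert, { windowHours = 4, reopenIncident = true } = {}) {
  const open = findOpenMatch(store, alert);
  if (open) {
    return { result: { PRIMARY: [open.sys_id], SECONDARY: [alert.sys_id] }, incidentReopened: false };
  }
  const closed = findRecentClosedMatch(store, alert, windowHours);
  if (closed) {
    closed.state = 'Reopen';
    closed.sys_updated_on = store.now;
    const reopened = reopenIncident ? reopenLinkedIncident(store, closed) : false;
    return { result: { PRIMARY: [closed.sys_id], SECONDARY: [alert.sys_id] }, incidentReopened: reopened };
  }
  return { result: { PRIMARY: [alert.sys_id], SECONDARY: [] }, incidentReopened: false };
}

// Constructed scenario: one earlier alert for node web01 (state and age are
// parameters), its incident, and a new alert with the same values arriving now.
function buildScenario({ priorState = 'Closed', priorAgeHours = 1 } = {}) {
  const now = Date.UTC(2024, 0, 1, 12, 0, 0);
  const store = {
    now,
    incident: [{ sys_id: 'inc_0001', state: INC_CLOSED, sys_updated_on: now - priorAgeHours * HOUR_MS }],
    em_alert: [{
      sys_id: 'alert_0001', node: 'web01', cmdb_ci: 'ci_web01', event_class: 'nagios',
      state: priorState, incident: 'inc_0001', sys_updated_on: now - priorAgeHours * HOUR_MS,
    }],
  };
  const incoming = { sys_id: 'alert_0002', node: 'web01', cmdb_ci: 'ci_web01', event_class: 'nagios',
    state: 'Open', incident: null, sys_updated_on: now };
  store.em_alert.push(incoming);
  return { store, incoming };
}

// Runs the four cases the thread touches and reports the outcome of each.
function runCases() {
  const out = {};
  // 1. What the post observed: alert reopened, incident left Closed.
  let s = buildScenario();
  let r = correlate(s.store, s.incoming, { reopenIncident: false });
  out.withoutIncidentStep = { ...r, incidentState: s.store.incident[0].state, alertState: s.store.em_alert[0].state };
  // 2. With the incident step the replies point at.
  s = buildScenario();
  r = correlate(s.store, s.incoming);
  out.withIncidentStep = { ...r, incidentState: s.store.incident[0].state, alertState: s.store.em_alert[0].state };
  // 3. Prior alert still open: it simply becomes primary.
  s = buildScenario({ priorState: 'Open' });
  out.priorStillOpen = correlate(s.store, s.incoming);
  // 4. Prior alert closed longer ago than the window: the new alert stands alone.
  s = buildScenario({ priorAgeHours: 5 });
  out.outsideWindow = correlate(s.store, s.incoming);
  return out;
}
```

Case 1 reproduces the behaviour described in the question: the closed alert flips to Reopen while its incident stays Closed, so whatever creates incidents downstream sees no open one and makes a new record. Case 2 differs only in that the linked incident is reopened in the same pass. In a real instance that reopen belongs in the alert management rule's flow, as the reply says, not in the correlation script, which only returns the PRIMARY/SECONDARY grouping.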

Powshika B
Tera Contributor

Hi @Nosey, yeah, there is no OOTB relationship; we've created an alert management rule to create the incident.