Tag Based Alert Clustering Definitions Issue
5 hours ago
Hello Everyone😊,
I had a scenario where if I receive 10 alerts with the same problem (router) and alarm type (down) within one minute, but from different devices, then it should create one group alert and only one incident for the primary alert in that group.
To achieve this, I used the Tag Based Alert Clustering Definitions available in ServiceNow. I created a tag and added all the required conditions. However, in this rule, there is no field or filter to add the alert count. Once the tag-based definition is created and saved, an Alert Correlation Rules rule is automatically created with a script. But this script also does not have any block for alert count.
So, I manually added an alert count block, with the condition that if the alert count is more than 10, a group should be created. Since the script is not editable, I copied the script, modified it, and used SN Utils to inject my version.
After testing, I found that the group was being created even for just 2 alerts. I raised a high-priority case and got the reply that in ServiceNow, if you edit and add your own version of the automated script, it will not be considered, and that is why it behaved like this.
Now, I want to know: How can I correctly achieve this requirement, or is there another way to implement it?
- Labels: Event Management