There is no matching event rule but an alert is created. Why??

Binglin Huang
Tera Expert

I am creating an event rule to create an alert on a certain condition. During the test, my test "OK" event got an alert created (see the screenshot), but when I pressed the "Check Processing of event" UI link at the bottom, it shows "Could not find any rules that match the event".

My question is, how was the alert created in the first place? What created it if it is not by an event rule?

Besides, I don't want this "OK" event to create an alert. How do I stop it?

1 ACCEPTED SOLUTION

Greg Hubbard1
Kilo Guru

Hi there,

ServiceNow will automatically create an alert using some default processing rules if there is no matching event rule.  There are exceptions -- if the incoming event does not have a usable severity value then alert creation will fail.

One way to demonstrate this to yourself is to create a new event using some "dummy" values for various fields.  Go to Event Management > All Events and click on [New] to create a new event.  Fill out the form like this:

  • Source: test
  • Node: <anything you want>
  • Type: type
  • Resource: resource
  • Metric Name: metric
  • Source instance: test
  • Message key: (leave blank)
  • Severity: <choose any value but Clear>
  • Resolution state: New
  • Time of event: <should default to current time>
  • State: <should default to Ready>
  • Alert: <leave blank>
  • Description: <enter something like "test event">
  • Additional information: (leave blank)

Then submit.  Wait a bit, and an alert should be created.  Take a look at the message key that ServiceNow generates for you -- this can be useful information later.

How can you prevent this?

One possible approach is to create a "catchall" event rule (one per source) and set up what you want for defaults.  For instance, you could check the box for "Ignore events that match this filter" on the Event Filter tab, or you could set the severity to a bad value on the Transform and Compose Alert Output tab.

Note that if you create a catch-all rule like this you will "break" the rule suggestion system, so you might not want to use it on your dev system.

If you want to stop "OK" events, you can write a rule that matches your source and severity value of 5 and set the "ignore" flag I mentioned above.

I hope this helps you!

Greg Hubbard

2 REPLIES 2

Binglin Huang
Tera Expert

Thanks for the detailed explanation. I can see a "Clear" event did not generate an alert. Since the events come in from email, I have control of what severity to set. I will use "Clear" state instead of "OK".