Update the state of Alert based on Event Resolution State

HarshvardhanG · 4 weeks ago

Hi,

I’m looking to update the state of an alert based on changes to the event resolution state. Specifically, when the event resolution state is set to "Closing", I want the corresponding alert to reflect this change automatically.

Could anyone guide me on how to implement this?

HarshvardhanG · 3 weeks ago

Hi @Bhuvan ,

I’ve been unwell recently, so I couldn’t respond earlier. Regarding your solution I understand that when the event state is set to "Clear," the associated alert gets automatically closed, even if the resolution state of the event is still "New." However, my original question still stands.

Since I’m unable to share screenshots due to company restrictions, I’ll try to explain the issue in detail:

Problem:
Alerts are not getting closed automatically.

I’m receiving alerts from the SolarWinds Observability tool. In this setup, when an alert is closed, a notification is sent to ServiceNow, which then updates the event state from New to Resolved.
Note: The severity of the event does not change during this process.

My question is:
How can I configure the alert to close based on the resolution state of the event?
Or do I need to make changes related to the severity first?

Bhuvan · 2 weeks ago

@HarshvardhanG

Hope you are doing fine now.

You can either configure to send a PROBLEM event followed by CLEAR event from source. In this, PROBLEM event will create Alert and CLEAR event will close the Alert.

You can also send a PROBLEM event from source with resolution state 'New' which would created Alert followed by another event with resolution state 'Closing' and this would close the Alert.

For both these options, you need to make sure message key for both events are same and if message key field is empty, Source, Type, Node, Resource, and Metric Name fields are same for the events [PROBLEM + CLEAR] OR [NEW + CLOSING].

Below is a sample simulation for your scenario,

Event Created with resolution state 'New'

Event created in em_event table

Alert created in em_alert table

Event Created with resolution state 'Closing'

Event created in em_event table

Alert closed in em_alert table

Hope you appreciate the efforts to simulate this in PDI and provide you with detailed explanation. If this helped to guide you or answer your query, please mark my responses as helpful and accept the solution.

Thanks,

Bhuvan

HarshvardhanG · 2 weeks ago

Hey @Bhuvan , thanks a lot for taking the time to walk me through the whole process I really appreciate the effort and the way you explained everything step by step.

When I first raised the question, I honestly wasn’t sure how to approach it. But after going through the resources and knowledge you shared, I was able to understand things much better. From what I’ve seen and even from the references and screenshots you provided it seems like this auto-closure behavior is usually handled through event or alert rules. But in my case, something still feels off. I think some rules might be missing from my setup, but I’m not sure exactly what or where. Could you help me figure that out?

Bhuvan · 2 weeks ago

@HarshvardhanG

You can try to replicate the scenario in your PDI and share screenshots. If it does not work, please share XML payload & screenshots from PDI as it is needed to troubleshoot further.

If my posts helped to guide you or answer your queries, please mark it helpful & accept the solution. You can mark more than one response as accepted solution.

Thanks,

Bhuvan