@Mark Manders Thankyou for your response, what i want to ask is the time duration defined in which the events do not get tagged to an existing alert but creates a new alert. 

evt_mgmt.active_interval is the property that sets "Active interval (in seconds), within which a new event reopens a closed alert ". So after that number of seconds, a new alert is created. Within it, a closed alert is reopened. 

Hi @Pranita Bahugun ,

To answer your question regarding the system property that defines the time for creating a new alert and its default value, here’s the detailed response:

1. System Property for Creating a New Alert

The system property that determines when a new event will create a new alert rather than reopening an existing one is evt_mgmt.active_interval.

• This property defines the time interval (in seconds) during which the system will reopen an existing alert if a new event matches the same message key. If the event is generated after this time interval, a new alert will be created instead of reopening the existing one.

2. Default Value of evt_mgmt.active_interval

• The default value of the evt_mgmt.active_interval property is 14,400 seconds, which is equivalent to 4 hours.
  • This means that if a new event occurs within 4 hours of the last closed alert with the same message key, the existing alert will be reopened. If the event happens after this period, a new alert will be created.

How the Alert Reopening Process Works:

• If a new event matches a previously closed alert within the defined active interval, the system will reopen the alert instead of creating a new one.
• The reopening of alerts also impacts the associated incidents:
  • If the incident related to the alert is still open, the system adds a work note to indicate the alert has been reopened.
  • If the incident is resolved or closed, the behavior depends on the evt_mgmt.alert_reopens_incident property. This could either reopen the existing incident, create a new incident, or leave the incident unchanged.

Best Practices for Configuring Alert Behavior:

• Adjust evt_mgmt.active_interval based on how long you wish to allow for an alert to be reopened. If you require a larger window for reopening alerts (such as 8 or 12 hours), you can increase this value accordingly.
• Review evt_mgmt.alert_reopens_incident to decide if reopening an alert should trigger reopening an existing incident or creating a new one.

Supporting Knowledge Articles:

For further reference, here are the Knowledge Base articles that provide more context and configuration details:

1. Alert Reopening and Active Interval:

   • https://support.servicenow.com/kb?id=kb_article_view&sys_id=KB0756521
     This article explains how alerts are processed in various states, and how the evt_mgmt.active_interval property works for reopening alerts.

2. System Properties for Event Management:

   • https://support.servicenow.com/kb?id=kb_article_view&sys_id=KB1525116
     This article discusses various system properties related to Event Management, including evt_mgmt.active_interval and its impact on alert handling.

3. Alert Insight Configuration:

   • https://support.servicenow.com/kb?id=kb_article_view&sys_id=KB1525142
     This article provides information on configuring Alert Insight, which can help you fine-tune how alerts and related events are processed.

4. Event Management Overview:

   • https://support.servicenow.com/kb?id=kb_article_view&sys_id=KB0783643
     This article provides best practices for Event Management, including details on alert creation and how events trigger new alerts.

If you believe the solution provided has adequately addressed your query, could you please **mark it as 'Helpful'** and **'Accept it as a Solution'**? This will help other community members who might have the same question find the answer more easily.

Thank you for your consideration.

Selva Arun