Which is the property in Event Management which defines time to create new alert from events
02-27-2025 03:30 AM
Hello all,
Can anyone please help me with the queries below:
1. What is the system property that defines the time for creating a new alert?
2. Also, what's the default value set for that property in an instance?
Any quick help is much appreciated.
Thanks in advance.
Best Regards,
Pranita Bahuguni
- Labels: Event Management
02-27-2025 04:11 AM
Hi @Pranita Bahugun ,
- When additional events are generated and processing finds an existing closed alert, the alert is reopened. An alert can be reopened manually.
- Reopening of an existing closed alert by new events is controlled by the property "evt_mgmt.active_interval".
- By default, the value of this property is 14400 sec. This means that if an alert is closed and a new event is generated within 4 hours which matches the same message key, then the existing alert is reopened.
- When an alert is reopened, the related incident is processed as follows:
  - If the incident is not Resolved or Closed, a work note is added to indicate that the related alert was reopened.
  - If the incident is Resolved or Closed, the incident is reopened, a new incident is created, or nothing is done, depending on the evt_mgmt.alert_reopens_incident property value.
  - If the incident is reopened, work notes are added to the incident.
  - If a new incident is created, any matching alert management rule, alert action rule, and task template apply to the incident.
  - If there is no matching alert rule or template, fields from the existing incident are copied to a new incident.
- The business rule that gets executed after an alert is reopened is "Reopen associated closed incident".
- This BR calls the script include "EvtMgmtAlertManagementAlertReopenHandler", which again invokes the Alert Management process to find the correct rule and perform the remediation action.
To learn more about alert processing in different states and the whole flow: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0756521
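The reopen window described in the reply above, as an added example that is not part of the original posts and is not ServiceNow code: a small JavaScript model that replays a timeline and decides, per message key, whether an event updates, reopens, or creates an alert. Assumptions: the window is measured from the time the alert was closed, the boundary is inclusive, and the `time` (seconds) and `messageKey` fields and the sample keys are constructed for illustration.

```javascript
// Default of evt_mgmt.active_interval as stated in the reply above (seconds).
const ACTIVE_INTERVAL_SEC = 14400;

// Decide what one incoming event does to the alert holding the same message key.
function processEvent(alerts, ev, activeIntervalSec = ACTIVE_INTERVAL_SEC) {
  const alert = alerts.get(ev.messageKey);
  if (alert && alert.state !== 'closed') return 'update';
  // Assumption: window counted from close time, boundary inclusive.
  if (alert && ev.time - alert.closedAt <= activeIntervalSec) {
    alert.state = 'reopen';
    alert.closedAt = null;
    alert.reopens += 1;
    return 'reopen';
  }
  // No alert for this key, or the closed one is older than the window.
  alerts.set(ev.messageKey, { state: 'open', closedAt: null, reopens: 0 });
  return 'new';
}

function closeAlert(alerts, messageKey, time) {
  const alert = alerts.get(messageKey);
  if (alert) { alert.state = 'closed'; alert.closedAt = time; }
}

// Replay a timeline of events and close actions; return one decision per event.
function replay(timeline, activeIntervalSec = ACTIVE_INTERVAL_SEC) {
  const alerts = new Map();
  const decisions = [];
  for (const step of timeline) {
    if (step.close) { closeAlert(alerts, step.messageKey, step.time); continue; }
    const d = processEvent(alerts, step, activeIntervalSec);
    decisions.push(`${step.time}:${step.messageKey}:${d}`);
  }
  return decisions;
}

// Constructed sample timeline (times in seconds).
const TIMELINE = [
  { time: 0, messageKey: 'db01:cpu' },                // first event: new alert
  { time: 300, messageKey: 'db01:cpu' },              // alert still open: update
  { time: 600, messageKey: 'db01:cpu', close: true },
  { time: 4200, messageKey: 'db01:cpu' },             // 3600 s after close: reopen
  { time: 4300, messageKey: 'db02:cpu' },             // different key: new alert
  { time: 5000, messageKey: 'db01:cpu', close: true },
  { time: 19401, messageKey: 'db01:cpu' },            // 14401 s after close: new alert
];

console.log(replay(TIMELINE));
```

Passing a smaller second argument to `replay` shows how shortening the interval turns the reopen at 4200 s into a new alert.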
02-27-2025 04:32 AM
@Community Alums, thank you for your response. Can you also let me know what should be the best practice to set these properties? That would be of great help. Thanks!
02-27-2025 05:22 AM
Hi @Pranita Bahugun ,
Here you Goooo 😊
Use these properties to configure alert insight.
The following alert_insight properties are under sys_properties.
Property | Usage |
---|---|
Time Frame | |
evt_mgmt.alert_insight_alert_history_min | Set the time frame (in minutes) to retrieve repeated and similar alert data. Default 43200 (30 days). Note: Alerts are retrieved regardless of their state (open / reopen / flapping / closed). |
evt_mgmt.alert_insight_closed_alert_window | Set the time frame (in minutes) to retrieve alerts that were already closed. It is the time after the alert last updated date. Default: 4320 (3 days) |
Similarity | |
evt_mgmt.alert_insight_alert_same_as_filter | This property is a comma-separated string that defines which of the alert fields is used to consider alerts to be similar. Default: source,type,resource,metric_name |
Related CIs | |
evt_mgmt.alert_insight_related_cis_topology_levels
The relationship types are:
|
For ‘Within application service’ relationship type, this property sets the depth or the maximum level of relationship of retrieved CIs. Default: 3 |
Score | |
evt_mgmt.alert_insight_group_mapping | This property sets the score for within alert group relations. Default: 2 |
evt_mgmt.alert_insight_level_1_mapping | This property sets the score for level 1 relationship. Default: 3 |
evt_mgmt.alert_insight_level_2_mapping | This property sets the score for level 2 relationship. Default: 2 |
evt_mgmt.alert_insight_level_3_mapping | This property sets the score for level 3 relationship. Default: 1 |
Maximum related tasks | |
evt_mgmt.alert_insight_max_tasks | Maximum related tasks to retrieve for alert insight. Default: 10 |
Metadata rules consideration
The parent-child relationship of CIs is considered. Dependent relationship rules consist of hosting and containment rules, each type modeling the data from a different perspective of the CI.
To manage dependent relationship rules:
- To access rules at the class level, use the CI Class Manager. Navigate to All > Configuration > CI Class Manager.
- To access grouped rules, use the Metadata Editor. Navigate to All > Configuration > Identification/Reconciliation > Metadata Editor.
Containment rules represent configuration hierarchy of CIs, describing which CI contains which other CIs.
Hosting rules represent placement of CIs in a business definition, describing what CIs run on.
Modify the alert insight properties to configure the way alert information and analysis appears in the Alert Insight pane.
Related CIs configuration
The following properties control which CMDB relationships to consider for related CIs. The CMDB relationships include regular CMDB relation rules, metadata rules (containment rules and hosting rules), and suggested relations.
Property | Usage |
---|---|
evt_mgmt.related_cis_get_all_relation_types | Get all relation types, not including metadata rules. Default: false |
evt_mgmt.related_cis_use_containment_rules | Use metadata containment rules. Default: true |
evt_mgmt.related_cis_use_hosting_rules | Use metadata hosting rules. Default: true |
evt_mgmt.related_cis_use_suggested_relations_rules | Use suggested relations rules. Default: false |
evt_mgmt.related_cis_validate_relation_rules | This property controls whether to validate relation of CI according to metadata rules. Default: true |
Score
Scores are configured per relation type or depth. Scores are accumulated. The higher the score, the more relevant is the related CI to the current CI.
Example: For a CI that was found at level 2 in the same application service of the current CI, the score is 2. The same CI is in the same alert group, so there is an extra score of 3. The accumulated score is therefore 2+3 = 5.