Alerts on the em_alert table auto closure

LivashanN
Tera Contributor

Good Day, 

 

I would just like to find out with regards to Event Management. We are using Event Management, and by default we have noticed that when an alert closes it resolves the Incident, which is working as it should. We have also noticed that if there are child alerts linked to a parent alert, then once all child alerts are closed the parent alert will also close. We also noticed that the Incident number relates to the child alert.

 

Now with that in mind, what we are trying to achieve is that if the "assigned_to" field on the Incident that is linked to an alert is not empty, then the alert should not close, as it means the Incident is still being worked on, so it should abort the update.

 

We did add a piece of code in the script include "EvtMgmtAutoCloseAlerts", being "alertGr.addNullQuery('incident.assigned_to');", and did add a scheduled job to run for this, but we noticed it was not working as it should. If we test by creating a business rule to look for and abort those updates, then it does work.
 
I would just like to know whether the Business rule is the correct approach to achieve something like this, or whether there is anywhere else we should do this, or another approach perhaps.

Mark Manders
Mega Patron

A scheduled job won't work, because it runs on a schedule, meaning that it will check at a certain time, not the moment it happens. So going with a BR is your way to go. 
You could ask yourself why you want this. The alert closes, because the issue is resolved (if that's not the case, your rules aren't set correctly). That means that service is back up and the incident is no longer an incident. This automation is in place to limit the work an agent/engineer needs to do.


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark

100% correct, so this is specifically relating to child alerts that link to a parent alert. With the current setup we have, which is a 1-1 relationship, it works in that if the incident is assigned to an individual it will not close the alert.

 

This is for certain use cases we have where even if the alert is resolved meaning the issue is resolved, there is still action that is required from the engineer, whether being an investigation or something else hence only if it is assigned then it must not close.

So in the use case we have and are working on, incidents related to patching errors will close even though the server may be non-compliant, so the engineer might still work on getting the server compliant, but from a patching error point of view it is fixed, hence the alert closes. Hope I'm making sense.

So when I do the business rule it works exactly as it should. I just needed to find out if there is anywhere specific within the default script include we should edit this to cater for more than just 1-1 relations, but also parent to child alerts.
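
Added example, not part of the thread and not ServiceNow's own code: one way the business rule check discussed above could cover both the 1-1 case and a parent alert whose child alerts carry the incident. The em_alert field names `state`, `incident` and `parent`, the `'Closed'` state value, and the helper names are assumptions; the mock objects only let the logic run outside an instance.

```javascript
// Added example. Field names (state, incident, parent) and the 'Closed' value
// are assumptions about em_alert; verify them on your instance.

// True if any em_alert row matching field=value has an incident with an assignee.
function hasAssignedIncident(GR, field, value) {
    var gr = new GR('em_alert');
    gr.addQuery(field, value);
    gr.addNotNullQuery('incident.assigned_to');
    gr.setLimit(1);
    gr.query();
    return gr.hasNext();
}

// Decide whether a close of `current` should be aborted: covers the alert's own
// incident (1-1 case) and incidents on its child alerts (parent case).
function shouldBlockClose(current, GR) {
    if (current.getValue('state') !== 'Closed') return false;
    var id = current.getUniqueValue();
    return hasAssignedIncident(GR, 'sys_id', id) ||
           hasAssignedIncident(GR, 'parent', id);
}

// On the instance, the before-update business rule body would be:
//   if (shouldBlockClose(current, GlideRecord)) current.setAbortAction(true);

// ---- Offline stand-ins so the logic runs outside ServiceNow (constructed data) ----
var ALERTS = [
    { sys_id: 'p1', parent: '',   incident: null },
    { sys_id: 'c1', parent: 'p1', incident: { assigned_to: 'engineer1' } },
    { sys_id: 'c2', parent: 'p1', incident: { assigned_to: '' } },
    { sys_id: 'a1', parent: '',   incident: { assigned_to: '' } }
];
function MockGlideRecord() { this.filters = []; this.rows = []; }
MockGlideRecord.prototype.addQuery = function (f, v) {
    this.filters.push(function (r) { return r[f] === v; });
};
MockGlideRecord.prototype.addNotNullQuery = function () { // only incident.assigned_to is modelled
    this.filters.push(function (r) { return !!(r.incident && r.incident.assigned_to); });
};
MockGlideRecord.prototype.setLimit = function () {};
MockGlideRecord.prototype.query = function () {
    var fs = this.filters;
    this.rows = ALERTS.filter(function (r) { return fs.every(function (f) { return f(r); }); });
};
MockGlideRecord.prototype.hasNext = function () { return this.rows.length > 0; };
// Build a fake `current` record that is being moved to newState.
function mockCurrent(sysId, newState) {
    return { getValue: function () { return newState; },
             getUniqueValue: function () { return sysId; } };
}
```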