2 weeks ago
I'd like to know more about Event Management.
I'm creating CI relationships, generating alerts, and grouping alerts based on the CMDB,
but it appears that a primary alert is being created automatically.
I'm hoping that the alert status will recover and it will be closed automatically,
but will automatically created alerts also be closed automatically?
I can't find any documentation explaining the specifications, so I'd like to know the standard behavior.
Thank you in advance for your help.
2 weeks ago
Hi @秀一里
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0753955
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [Connect for 1-1 Session]
2 weeks ago
When you create events in ServiceNow, the source tool sends the information to the event table 'em_event', for example node, severity, type, resource name, metric, etc. The source tool typically sends a PROBLEM event [info, warning, minor, major, critical] to signal that something is wrong with the system it is monitoring [for example, CPU is above 90%] and a CLEAR event to signify that the issue is cleared [CPU is below the threshold value of 80%].
You can create an event rule to apply event filtering, transform, threshold and binding configuration. Without any event rules, an event would still create an alert in the em_alert table. When the source tool sends the CLEAR event, the alert will be closed automatically using the message key relationship.
One of the key fields when it comes to Event Management is 'Message Key'. The source tool will send a problem event with a unique message key with one of the PROBLEM severities [info and above], and when the issue is cleared, it sends a CLEAR event with the same 'Message Key'. This helps to identify that the clear event should close the alert opened for the PROBLEM event.
When the source does not send a message key, the combination of source+node+type+resource+metric name is taken as the message key, and when a CLEAR event is received for the same combination, it updates the alert opened for a PROBLEM event to the status 'Closed'.
When the source sends an event to ServiceNow, an alert is created in ServiceNow, and when a CLEAR event is sent from the source, the alert is set to status == 'Closed'.
You can refer to the detailed knowledge article on the alert lifecycle from the link below:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0753955
An alert is closed by an event, a user action, or alert management rules. Refer to the subflow below,
You can find more information on the alert grouping process and lifecycle from the documentation link below,
If this helped to answer your query, please mark it helpful & accept the solution.
Thanks,
Bhuvan
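Added example, not part of the answer above and not ServiceNow's own code: a simplified JavaScript model of the message-key correlation the answer describes, including the fallback key and a CLEAR event whose key does not match. The event values are constructed, and the "|" separator, the handling of a repeat PROBLEM event and the `unmatchedClears` list are assumptions of this model.

```javascript
// Simplified model of message-key correlation (illustrative, not ServiceNow code).
const PROBLEM_SEVERITIES = new Set(["info", "warning", "minor", "major", "critical"]);

// Use the message key the source sent; otherwise fall back to the
// source+node+type+resource+metric name combination described in the answer.
function messageKey(ev) {
  if (ev.message_key) return ev.message_key;
  return [ev.source, ev.node, ev.type, ev.resource, ev.metric_name]
    .map((v) => v ?? "")
    .join("|"); // the "|" separator is an assumption of this model
}

// Apply events in arrival order; returns the alerts and any CLEAR that matched nothing.
function correlate(events) {
  const alerts = new Map();
  const unmatchedClears = [];
  for (const ev of events) {
    const key = messageKey(ev);
    const severity = String(ev.severity).toLowerCase();
    const alert = alerts.get(key);
    if (severity === "clear") {
      if (alert) alert.state = "Closed"; // CLEAR closes the alert with the same key
      else unmatchedClears.push(key);    // key mismatch: the open alert is untouched
    } else if (PROBLEM_SEVERITIES.has(severity)) {
      // Assumption of this model: a repeat PROBLEM updates the existing alert in place.
      if (alert) Object.assign(alert, { state: "Open", severity });
      else alerts.set(key, { state: "Open", severity, node: ev.node });
    }
  }
  return { alerts, unmatchedClears };
}

// Constructed sample events (not taken from a real instance).
const SAMPLE_EVENTS = [
  { source: "ToolA", node: "web01", type: "CPU", resource: "cpu0", metric_name: "cpu_util", severity: "critical", message_key: "web01-cpu" },
  { source: "ToolA", node: "web01", type: "CPU", resource: "cpu0", metric_name: "cpu_util", severity: "clear", message_key: "web01-cpu" },
  { source: "ToolA", node: "db01", type: "Disk", resource: "/var", metric_name: "disk_used", severity: "major" },
  { source: "ToolA", node: "db01", type: "Disk", resource: "/var", metric_name: "disk_used", severity: "clear" },
  { source: "ToolA", node: "app01", type: "Memory", resource: "ram", metric_name: "mem_used", severity: "warning", message_key: "app01-mem" },
  { source: "ToolA", node: "app01", type: "Memory", resource: "ram", metric_name: "mem_used", severity: "clear", message_key: "app01-memory" },
];

const result = correlate(SAMPLE_EVENTS);
for (const [key, alert] of result.alerts) console.log(key, "->", alert.state);
console.log("CLEAR events that matched no alert:", result.unmatchedClears);
```

In this model the third alert stays Open because its CLEAR event carries a different message key, which is the first thing to compare when an alert does not close on recovery.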
a week ago
Did you get a chance to review this?
If my response helped to answer your query, please mark it helpful & accept the solution.
Thanks,
Bhuvan