Business Rule to Avoid Duplicate Incidents?
‎07-31-2014 12:54 PM
We send our Anti-Virus alerts to Service-Now for automatic Incident Creations. We are now using a Cloud based product which is much more aggressive with reporting so alerts are now sent in real time. The problem is that the product is so aggressive that we may receive the same alerts within minutes of each other.
I would like Service-Now to not create an Incident if another Incident is open for the same Caller which has the same Business Service, Category and Subcategory and if the ticket is not Resolved or Open. I've tried via Inbound Actions (with the help of several others) but that does not sound like a good solution.
To get a good idea of what I want I have posted my Inbound Action which is creating the Incidents. (Don't know if it is useful in this case or not.) As you can see, I look up the user name based off of the PC Name that is in the Alert to call up the Caller ID and create a ticket for the user.
But I am stumped on how to eliminate duplicate tickets.
Any assistance would be appreciated!
Would a Business Rule be a better option? I would like to keep the below Inbound Action but have a Business Rule to not create a duplicate Incident.
Condition: email.subject.toLowerCase().indexOf("[fireamp subscription] [quarantine failure]") == 0 && email.body_text.toLowerCase().indexOf("quarantine failure") > -1
Script:
// Look up the user from the PC name in the alert
var grCI = new GlideRecord('cmdb_ci');
grCI.addQuery('name', grabContent(email.body_text, "Computer: ", ".wagged.local"));
grCI.query();
gs.log('grCI Query: ' + grCI.getEncodedQuery() + ' = ' + grCI.getRowCount());
if (grCI.next()) {
    gs.log('Found caller from CI');
    current.caller_id = grCI.assigned_to.sys_id;
    var caller = grCI.assigned_to.sys_id;
    current.u_computer_name = grCI.sys_id;
    current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + grCI.assigned_to.location;
    current.location = grCI.location;
} else {
    // No CI matched: fall back to the sender of the alert e-mail
    gs.log('CI Not Found ');
    var sid = new GlideRecord('sys_user');
    if (sid.get('email', email.from)) {
        current.caller_id = sid.sys_id; // set the reference by sys_id
    }
    current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + sid.location;
}
// Fixed classification for every FireAmp alert
current.u_business_service.setDisplayValue('FireAmp');
current.category.setDisplayValue('Other');
current.subcategory.setDisplayValue('Infected');
current.assignment_group.setDisplayValue('Service Desk');
current.state = 1;
current.urgency = 1;
current.contact_type = "Automated Alert";
current.short_description = "Attention — FireAmp Security: Action Required — Machine Infected";
current.insert();

// Return the text between startCon and endCon, or '' if either marker is missing
function grabContent(str, startCon, endCon) {
    var s = str.indexOf(startCon);
    if (s < 0) return '';
    var start = s + startCon.length;
    var e = str.indexOf(endCon, start);
    return e < 0 ? '' : str.substring(start, e);
}
event.state = "stop_processing";
‎08-01-2014 08:23 AM
Hi Johnny,
You can do it on a BR on insert to check for the duplicate and look-up the incident table for the various fields and if one is found, abort.
You could add the same script to the inbound action.
Pete
‎08-01-2014 08:35 AM
Hi Johnny,
For an inbound email action, this discussion may give you a head start: https://community.servicenow.com/thread/162842
‎08-01-2014 01:55 PM
Indeed Jordan, it did get me on the right track.
I'm having one small problem.
The below code works, but I need to base the check off of the caller_id, business service, category and subcategory because this is for virus notifications.
I tried some things, but am stumped. How can I query from that but not the subject line? The below checks all open incidents I believe, at least in my testing.
Thanks!
Here's the code!
// Check for a current open incident and update it
var eSubject = email.subject;
var grInc = new GlideRecord('incident');
var grEmail = new GlideRecord('sys_email');
var incUpdated = false;
// E-mails received today with the same subject line
grEmail.addEncodedQuery('sys_created_onONToday@javascript:gs.daysAgoStart(0)@javascript:gs.daysAgoEnd(0)^subject=' + eSubject);
grEmail.query();
if (grEmail.getRowCount() != 0) {
    while (grEmail.next() && incUpdated != true) {
        // is the existing incident active and not in closed or resolved state
        if (grInc.get(grEmail.instance) && grInc.active == true && grInc.state < 6) {
            incUpdated = true;
            grInc.work_notes = '\nFrom: ' + email.from + '\nTo: ' + email.to + '\nSubject: ' + email.subject + '\n\n' + email.body_text;
            grInc.update();
        }
    }
}
if (incUpdated == false) { // If existing incident not found create new
    // Look up the user from the PC name in the alert
    var grCI = new GlideRecord('cmdb_ci');
    grCI.addQuery('name', grabContent(email.body_text, "Computer: ", ".wagged.local"));
    grCI.query();
    gs.log('grCI Query: ' + grCI.getEncodedQuery() + ' = ' + grCI.getRowCount());
    if (grCI.next()) {
        gs.log('Found caller from CI');
        current.caller_id = grCI.assigned_to.sys_id;
        var caller = grCI.assigned_to.sys_id;
        current.u_computer_name = grCI.sys_id;
        current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + grCI.assigned_to.location;
        current.location = grCI.location;
    } else {
        // No CI matched: fall back to the sender of the alert e-mail
        gs.log('CI Not Found ');
        var sid = new GlideRecord('sys_user');
        if (sid.get('email', email.from)) {
            current.caller_id = sid.sys_id; // set the reference by sys_id
        }
        current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + sid.location;
    }
    current.u_business_service.setDisplayValue('FireAmp');
    current.category.setDisplayValue('Other');
    current.subcategory.setDisplayValue('Infected');
    current.assignment_group.setDisplayValue('Service Desk');
    current.state = 1;
    current.urgency = 1;
    current.contact_type = "Automated Alert";
    current.short_description = "Attention — FireAmp Security: Action Required — Machine Infected";
    current.insert();
}

// Return the text between startCon and endCon, or '' if either marker is missing
function grabContent(str, startCon, endCon) {
    var s = str.indexOf(startCon);
    if (s < 0) return '';
    var start = s + startCon.length;
    var e = str.indexOf(endCon, start);
    return e < 0 ? '' : str.substring(start, e);
}
event.state = "stop_processing";
‎08-03-2014 11:49 PM
Hi Johnny,
From your code, the line that checks for outstanding calls is:
grEmail.addEncodedQuery('sys_created_onONToday@javascript:gs.daysAgoStart(0)@javascript:gs.daysAgoEnd(0)^subject=' + eSubject);
You need to change this to be looking up the required fields. You can either do this by creating a new encoded string or making it up with the addQuery function. The easiest way to do an encoded string is to filter a list view on what you are looking for, right click it and select "copy query". As I don't know your field names, you will need to do this yourself but I assume it will look something like:
sys_created_onONToday@javascript:gs.daysAgoStart(0)@javascript:gs.daysAgoEnd(0)^caller_id=SYS_ID_OF_USER^business_service=SYS_ID_OF_BUSINESS_SERVICE^category=VALUE_OF_CATEGORY^subcategory=VALUE_OF_SUBCATEGORY
Pete
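
The before-insert Business Rule suggested in the replies, written out as an added example that is not part of the original thread: it looks up the incident table on caller, business service, category and subcategory, and instead of dropping a repeat alert silently it leaves a work note on the open ticket before aborting the insert. The field name u_business_service and the state < 6 test are taken from the posted scripts; FakeGR, ROWS and newAlert are a constructed stand-in for GlideRecord so the logic can be run outside ServiceNow.

```javascript
// Core check: is there an open incident with the same caller and classification?
function findOpenDuplicate(current, GR) {
    var fields = ['caller_id', 'u_business_service', 'category', 'subcategory'];
    var dup = new GR('incident');
    for (var i = 0; i < fields.length; i++) {
        dup.addQuery(fields[i], String(current[fields[i]]));
    }
    dup.addQuery('active', true);
    dup.addQuery('state', '<', 6); // same "not closed or resolved" test as the posted script
    dup.setLimit(1);
    dup.query();
    return dup.next() ? dup : null;
}

// Body of a before-insert Business Rule on incident; returns true when the insert is aborted.
function suppressDuplicate(current, GR) {
    if (String(current.caller_id) === '') return false; // caller not resolved: never suppress
    var dup = findOpenDuplicate(current, GR);
    if (!dup) return false;
    // Record the repeat detection on the open ticket so the alert history is not lost.
    dup.work_notes = 'Repeat alert suppressed: ' + current.short_description;
    dup.update();
    current.setAbortAction(true);
    return true;
}
// In ServiceNow: (function executeRule(current, previous) { suppressDuplicate(current, GlideRecord); })(current, previous);

// Constructed stand-in for GlideRecord over constructed rows (supports only the calls used above).
var ROWS = [
    { caller_id: 'u1', u_business_service: 'svc1', category: 'Other', subcategory: 'Infected', active: true, state: 1 },
    { caller_id: 'u2', u_business_service: 'svc1', category: 'Other', subcategory: 'Infected', active: false, state: 7 }
];
function FakeGR() { this.tests = []; this.pos = -1; }
FakeGR.prototype.addQuery = function (f, op, v) { // two args: equality; three args: '<' only
    this.tests.push(v === undefined ? function (r) { return String(r[f]) === String(op); }
                                    : function (r) { return r[f] < v; });
};
FakeGR.prototype.setLimit = function () {};
FakeGR.prototype.query = function () {
    var t = this.tests;
    this.hits = ROWS.filter(function (r) { return t.every(function (p) { return p(r); }); });
};
FakeGR.prototype.next = function () { this.row = this.hits[++this.pos]; return !!this.row; };
FakeGR.prototype.update = function () { this.row.work_notes = this.work_notes; };
function newAlert(caller) { // constructed incoming incident with the fields the inbound action sets
    return { caller_id: caller, u_business_service: 'svc1', category: 'Other', subcategory: 'Infected',
             short_description: 'Machine Infected', aborted: false,
             setAbortAction: function (b) { this.aborted = b; } };
}
```

Because the rule runs on insert, it also covers incidents created by paths other than the inbound action.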