Business Rule to Avoid Duplicate Incidents?

jstoneiii
Kilo Expert

‎07-31-2014 12:54 PM

We send our Anti-Virus alerts to Service-Now for automatic Incident Creations. We are now using a Cloud based product with is much more aggressive with reporting so alerts are now sent in real time. The problem is that the product is so aggressive that we may receive the same alerts with-in minutes of each other.

 

I would like Service-Now to not create an Incident if another Incident is open for the same Caller which has the same Business Service, Category and Subcategory and if the ticket is not Resolved or Open. I've tried via Inbound Actions (with the help of several others) but that does not sound like a good solution.

 

To get a good idea of what I want I have posted my Inbound Action which is creating the Incidents. (Don't know if it useful in this case or not.) As you can see, I lookup the user name based off of the PC Name that is in the Alert to Call up the Caller ID and create a ticket for the user.

 

But I am stumped on how to eliminate duplicate tickets.

 

Any assistance would be appreciated!

 

Would a Business Rule be a better option? I would like to keep the below Inbound Action but have a Business Rule to not create a duplicate Incident.

 

Condition: email.subject.toLowerCase().indexOf("[fireamp subscription] [quarantine failure]") == 0 &&email.body_text.toLowerCase().indexOf("quarantine failure") > -1

Script:

//Look up user using their PC name:  

var grCI = new GlideRecord('cmdb_ci');  
grCI.addQuery('name', grabContent(email.body_text, "Computer: ", ".wagged.local"));  
grCI.query();  
gs.log('grCI Query: ' + grCI.getEncodedQuery() + ' = ' + grCI.getRowCount());  
if(grCI.next()) {  
gs.log('Found caller from CI');  
current.caller_id = grCI.assigned_to.sys_id;  
caller = grCI.assigned_to.sys_id;  
current.u_computer_name = grCI.sys_id;  
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + grCI.assigned_to.location;  
current.location = grCI.location;  
}else{  

gs.log('CI Not Found ');  
var sid = new GlideRecord('sys_user');  
sid.get('email', email.from);  
current.caller_id = sid;  
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + sid.location;  
}  
current.u_business_service.setDisplayValue('FireAmp');  
current.category.setDisplayValue('Other');
current.subcategory.setDisplayValue('Infected');
current.assignment_group.setDisplayValue('Service Desk');
current.state = 1;
current.urgency = 1;
current.contact_type = "Automated Alert";  
current.state = 1;  
current.short_description = "Attention — FireAmp Security: Action Required — Machine Infected";
current.insert();  
 
function   grabContent(str, startCon, endCon) {  
var startLen = startCon.length;  
var s = str.indexOf(startCon);  
var e = str.indexOf(endCon);  
var scrape = str.substring(s+startLen, e);  
return scrape;  
}  

event.state="stop_processing";

Labels:
0 Helpfuls
  • 5,204 Views
9 REPLIES 9

PeterWiles
Kilo Sage

‎08-01-2014 08:23 AM

Hi Johnny,



You can do it on a BR on insert to check for the duplicate and look-up the incident table for the various fields and if one is found, abort.



You could add the same script to the inbound action.



Pete


0 Helpfuls

JordanLind
Kilo Guru

‎08-01-2014 08:35 AM

HI Johnny,


For an inbound email action, this discussion may give you a head start:   https://community.servicenow.com/thread/162842


0 Helpfuls

jstoneiii
Kilo Expert
In response to JordanLind

‎08-01-2014 01:55 PM

Indeed Jordan, it did get me on the right track.



I'm having one small problem.



The below code works, but I need to base the check off of the caller_id, business service, category and subcategory because this is for virus notifications.



I tried some things, but am stumped. How can I query from that but not the subject line? The below checks all open incidents I believe, at least in my testing.



Thanks!



Here's the code!



//Check for Current Open Incident and Update


var eSubject = email.subject;
var grInc = new GlideRecord('incident');
var grEmail = new GlideRecord('sys_email');
var incUpdated = false;
grEmail.addEncodedQuery('sys_created_onONToday@javascript:gs.daysAgoStart(0)@javascript:gs.daysAgoEnd(0)^subject=' + eSubject);
grEmail.query();
if(grEmail.getRowCount != 0){
      while(grEmail.next() && incUpdated != true){
              grInc.get(grEmail.instance);
            if(grInc.active == true && grInc.state < 6){   //is the existing incident active and not in closed or resolved state
                      incUpdated = true;
                      grInc.work_notes = '\nFrom: ' + email.from + '\nTo: ' + email.to + '\nSubject: ' + email.subject + '\n\n' + email.body_text;
                      grInc.update();


              }


      }


}


if(incUpdated == false){               // If existing incident not found create new
//Look up user using their PC name:  

var grCI = new GlideRecord('cmdb_ci');  
grCI.addQuery('name', grabContent(email.body_text, "Computer: ", ".wagged.local"));  
grCI.query();  
gs.log('grCI Query: ' + grCI.getEncodedQuery() + ' = ' + grCI.getRowCount());  
if(grCI.next()) {  
gs.log('Found caller from CI');  
current.caller_id = grCI.assigned_to.sys_id;  
caller = grCI.assigned_to.sys_id;  
current.u_computer_name = grCI.sys_id;  
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + grCI.assigned_to.location;  
current.location = grCI.location;  
}else{


gs.log('CI Not Found ');  
var sid = new GlideRecord('sys_user');  
sid.get('email', email.from);  
current.caller_id = sid;  
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + sid.location;  
}  
current.u_business_service.setDisplayValue('FireAmp');  
current.category.setDisplayValue('Other');
current.subcategory.setDisplayValue('Infected');
current.assignment_group.setDisplayValue('Service Desk');
current.state = 1;
current.urgency = 1;
current.contact_type = "Automated Alert";  
current.state = 1;  
current.short_description = "Attention — FireAmp Security: Action Required — Machine Infected";
current.insert();   }
 
function   grabContent(str, startCon, endCon) {  
var startLen = startCon.length;  
var s = str.indexOf(startCon);  
var e = str.indexOf(endCon);  
var scrape = str.substring(s+startLen, e);  
return scrape;  
}


event.state="stop_processing";


0 Helpfuls

PeterWiles
Kilo Sage
In response to jstoneiii

‎08-03-2014 11:49 PM

Hi Johnny,



From your code, the line that checks for outstanding calls is:


grEmail.addEncodedQuery('sys_created_onONToday@javascript:gs.daysAgoStart(0)@javascript:gs.daysAgoEnd(0)^subject=' + eSubject);



You need to change this to be looking up the required fields. You can either do this by creating a new encoded string or making it up with the addQuery function.   The easiest way to do an encoded string is to filter a list view on what you are looking for, right click it and select "copy query". As I don't know your field names, you will need to do this yourself but I assume it will look something like:



sys_created_onONToday@javascript:gs.daysAgoStart(0)@javascript:gs.daysAgoEnd(0)^caller_id=SYS_ID_OF_USER^business_service=SYS_ID_OF_BUSINESS_SERVICE^category=VALUE_OF_CATEGORY^subcategory=VALUE_OF_SUBCATEGORY



Pete


0 Helpfuls