Business Rule to Avoid Duplicate Incidents?

jstoneiii
Kilo Expert

We send our Anti-Virus alerts to Service-Now for automatic Incident Creations. We are now using a Cloud based product with is much more aggressive with reporting so alerts are now sent in real time. The problem is that the product is so aggressive that we may receive the same alerts with-in minutes of each other.

 

I would like Service-Now to not create an Incident if another Incident is open for the same Caller which has the same Business Service, Category and Subcategory and if the ticket is not Resolved or Open. I've tried via Inbound Actions (with the help of several others) but that does not sound like a good solution.

 

To get a good idea of what I want I have posted my Inbound Action which is creating the Incidents. (Don't know if it useful in this case or not.) As you can see, I lookup the user name based off of the PC Name that is in the Alert to Call up the Caller ID and create a ticket for the user.

 

But I am stumped on how to eliminate duplicate tickets.

 

Any assistance would be appreciated!

 

Would a Business Rule be a better option? I would like to keep the below Inbound Action but have a Business Rule to not create a duplicate Incident.

 

Condition: email.subject.toLowerCase().indexOf("[fireamp subscription] [quarantine failure]") == 0 &&email.body_text.toLowerCase().indexOf("quarantine failure") > -1

Script:

//Look up user using their PC name:  

var grCI = new GlideRecord('cmdb_ci');  
grCI.addQuery('name', grabContent(email.body_text, "Computer: ", ".wagged.local"));  
grCI.query();  
gs.log('grCI Query: ' + grCI.getEncodedQuery() + ' = ' + grCI.getRowCount());  
if(grCI.next()) {  
gs.log('Found caller from CI');  
current.caller_id = grCI.assigned_to.sys_id;  
caller = grCI.assigned_to.sys_id;  
current.u_computer_name = grCI.sys_id;  
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + grCI.assigned_to.location;  
current.location = grCI.location;  
}else{  

gs.log('CI Not Found ');  
var sid = new GlideRecord('sys_user');  
sid.get('email', email.from);  
current.caller_id = sid;  
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + sid.location;  
}  
current.u_business_service.setDisplayValue('FireAmp');  
current.category.setDisplayValue('Other');
current.subcategory.setDisplayValue('Infected');
current.assignment_group.setDisplayValue('Service Desk');
current.state = 1;
current.urgency = 1;
current.contact_type = "Automated Alert";  
current.state = 1;  
current.short_description = "Attention — FireAmp Security: Action Required — Machine Infected";
current.insert();  
 
function   grabContent(str, startCon, endCon) {  
var startLen = startCon.length;  
var s = str.indexOf(startCon);  
var e = str.indexOf(endCon);  
var scrape = str.substring(s+startLen, e);  
return scrape;  
}  

event.state="stop_processing";

9 REPLIES 9

Thanks Peter!



That definitely helped as I can map to the Business Service now.



I'm having a tough time pulling up the caller though. No matter who the caller is (as determine by my script to create the caller based on asset assignment) it fails to update the Incident because it's only matching the Business Service Field.



My field in the incident form is incident.caller_id and it is pulling from the sysy_user field.



Any ideas on what I am doing wrong? The User label's sysy ID is 72663d990a0a3c7401f5483edad7087



grEmail.addEncodedQuery('sys_created_onONToday@javascript:gs.daysAgoStart(0)@javascript:gs.daysAgoEnd(0)^caller_id=72663d990a0a3c7401f5483edad70874^business_service=4fab5f11508181006bb24baec3e373ad');


The below works for me.



I just need to be able to pull in the Computer Name or Caller-ID and eliminate the date range.



As you can see from below I have a field named u_computer_name on the Incident form.



I just can't seem to query it and compare it though.



The below stops anything with a subcategory of infected.



Any help is appreciated.



Thanks!




//Check for Current Open Incident and Update


var grInc = new GlideRecord('incident');
var grEmail = new GlideRecord('sys_email');
var incUpdated = false;
grEmail.addEncodedQuery('sys_created_onONToday@javascript:gs.daysAgoStart(0)@javascript:gs.daysAgoEnd(0)^caller_id=SYS_ID_OF_USER^subcategory=infected');
grEmail.query();
if(grEmail.getRowCount != 0){
      while(grEmail.next() && incUpdated != true){
              grInc.get(grEmail.instance);
            if(grInc.active == true && grInc.state < 6){   //is the existing incident active and not in closed or resolved state
                      incUpdated = true;
                      grInc.work_notes = '\nFrom: ' + email.from + '\nTo: ' + email.to + '\nSubject: ' + email.subject + '\n\n' + email.body_text;
                      grInc.update();


              }


      }


}


if(incUpdated == false){               // If existing incident not found create new
//Look up user using their PC name:  

var grCI = new GlideRecord('cmdb_ci');  
grCI.addQuery('name', grabContent(email.body_text, "Computer: ", ".wagged.local"));  
grCI.query();  
gs.log('grCI Query: ' + grCI.getEncodedQuery() + ' = ' + grCI.getRowCount());  
if(grCI.next()) {  
gs.log('Found caller from CI');  
current.caller_id = grCI.assigned_to.sys_id;  
caller = grCI.assigned_to.sys_id;  
current.u_computer_name = grCI.sys_id;  
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + grCI.assigned_to.location;  
current.location = grCI.location;  
}else{  


gs.log('CI Not Found ');  
var sid = new GlideRecord('sys_user');  
sid.get('email', email.from);  
current.caller_id = sid;  
current.comments = "received from: " + email.origemail + "\n\n" + email.body_text + sid.location;  
}  
current.u_business_service.setDisplayValue('FireAmp');  
current.category.setDisplayValue('Other');
current.subcategory.setDisplayValue('Infected');
current.assignment_group.setDisplayValue('Service Desk');
current.state = 1;
current.urgency = 1;
current.contact_type = "Automated Alert";  
current.state = 1;  
current.short_description = "Attention — FireAmp Security: Action Required — Machine Infected";
current.insert();   }
 
function   grabContent(str, startCon, endCon) {  
var startLen = startCon.length;  
var s = str.indexOf(startCon);  
var e = str.indexOf(endCon);  
var scrape = str.substring(s+startLen, e);  
return scrape;  
}  


event.state="stop_processing";


In the second part when you are looking for the user PC details, can you not do this first?



So:


Get email details.


Check computer name and get assigned user


Do look-up against the incidents table to look for your criteria:


    If found update


    if NOT found, create new.



But for virus alerts. I assume this is against the CI and not the user so maybe you just need to look up the category/subcategory/CI fields and leave off everything else? Though this would depend on your process.



Pete


Right Pete,I need to Quey off of Subcategory and the CI. On our Incideent form there is a field called Computer Name which essentially replaces the field called Configuration Item.   So check for Incident open under those two criteria.



Any advice is appreciated!!!!


Hope the below makes sense. I have not put in the full code snippets but you should be able to copy and paste   the call logging parts from your code.




//Get user/CI details


var grCI = new GlideRecord('cmdb_ci');  


grCI.addQuery('name', grabContent(email.body_text, "Computer: ", ".wagged.local"));  


grCI.query();  


gs.log('grCI Query: ' + grCI.getEncodedQuery() + ' = ' + grCI.getRowCount());  




if(grCI.next()) {  


            gs.log("Found CI');  


          //Do lookup on incident table for any outstanding calls




      var grInc = new GlideRecord('incident');


      grIInc.addQuery("subcategory", "Infected");


      grlInc.addQuery("cmdb_ci", grCI.sys_id);


      grlInc.addQuery("active" true); //Probably   need to change this to your active states.


        grlInc.query();




      if(grlnc.next())


        {


                //Call found so update call with details from the email.




      }


      else


    {


          //No call found so log call against the CI and assigned user




  }


}


else


{


              gs.log("CI not found so log a generic call");


}