[Event Management] About threshold-event rule
‎11-13-2017 07:35 PM
Hi guys,
I have a requirement to create an alert if an event occurs four times in 24 hours. For now the "Over(seconds)" field in the "Threshold" tab of the event rule specifies the seconds between each event, but the requirement is that an event occurs four times within 24 hours. Is there any solution for this requirement? I know that we can use a Business Rule to do that, but the end user wants to configure that rule for themselves.
Thank you!

‎11-18-2017 04:11 PM
The "Over (seconds)" field represents the overall time that the number of events occur over, not the interval between individual events. So the Event Rule Threshold operation should be able to support your scenario if you set this field to 86,400, assuming the Create Alert Count is set to Count, Occurs is set to 4, and you've specified a Threshold Metric (use any JSON pair in the additional_info field... create one in an Event Rule if you need to).
‎11-19-2017 08:03 PM
Hi Tony,
Thank you for your reply!
In this example, the "Over(seconds)" field represents the time between each event. And in my ServiceNow instance, I have configured it as in your comment, but that field still represents the time between each event. Please take a look at my attached image: the first 4 events were not generated within 24 hours but the Alert0011259 was still created.

‎11-19-2017 08:32 PM
Were the events you generated received by the instance over a period of more than 24 hours, or did you set the Time of Event field to different times in the four events and create them in the instance in less than 24 hours? The way the Threshold count condition works is that it counts the events based on the created field, not the time_of_event field.
In order to test this you could try creating 2 events on one day, and then create 2 events on the following day, ensuring the 4 events are spaced more than 24 hours apart - no alert should be generated in that case. If 4 events are created anytime within 24 hours an alert will be created.
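
As an added example (not from the thread and not ServiceNow code), a simplified model of the count threshold discussed above shows why the timestamp used for counting matters. It assumes a sliding window that ends at each event with an inclusive boundary; `firstThresholdHit` and the sample records are constructed for illustration, and the property names follow the `created` and `time_of_event` fields named in the thread.

```javascript
// Added example: simplified model of a count threshold, not ServiceNow code.
// Assumption: the rule fires once `occurs` events fall inside a sliding
// window of `overSeconds`, measured on a single timestamp field.
function firstThresholdHit(events, { occurs, overSeconds, field }) {
  const windowMs = overSeconds * 1000;
  const times = events.map((e) => Date.parse(e[field])).sort((a, b) => a - b);
  let start = 0;
  for (let end = 0; end < times.length; end++) {
    // Drop events that fall outside the window ending at times[end].
    while (times[end] - times[start] > windowMs) start++;
    if (end - start + 1 >= occurs) return new Date(times[end]).toISOString();
  }
  return null; // threshold never reached
}

// Constructed sample data. Case 1: time_of_event spans four days, but all
// four records were created in the instance within 30 minutes.
const backdated = [
  { time_of_event: "2017-11-16T08:00:00Z", created: "2017-11-19T09:00:00Z" },
  { time_of_event: "2017-11-17T08:00:00Z", created: "2017-11-19T09:10:00Z" },
  { time_of_event: "2017-11-18T08:00:00Z", created: "2017-11-19T09:20:00Z" },
  { time_of_event: "2017-11-19T08:00:00Z", created: "2017-11-19T09:30:00Z" },
];

// Case 2: two events created on one day and two on the next, with more
// than 24 hours between the first and the last.
const twoDays = [
  { time_of_event: "2017-11-19T09:00:00Z", created: "2017-11-19T09:00:00Z" },
  { time_of_event: "2017-11-19T10:00:00Z", created: "2017-11-19T10:00:00Z" },
  { time_of_event: "2017-11-20T11:00:00Z", created: "2017-11-20T11:00:00Z" },
  { time_of_event: "2017-11-20T12:00:00Z", created: "2017-11-20T12:00:00Z" },
];

// Occurs = 4, Over (seconds) = 86400, as suggested in the thread.
const rule = { occurs: 4, overSeconds: 86400 };

function compare(events) {
  return {
    byCreated: firstThresholdHit(events, { ...rule, field: "created" }),
    byTimeOfEvent: firstThresholdHit(events, { ...rule, field: "time_of_event" }),
  };
}

console.log("backdated:", compare(backdated));
console.log("twoDays:  ", compare(twoDays));
```

In this model the backdated set crosses the threshold only when counted on `created`, which matches the explanation in the last reply for an alert appearing although the events' own times span more than 24 hours.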