Operator phase 2: Triage an alert
After you analyze and acknowledge an alert, you must triage it. The triage phase involves verifying alert correlation and taking an action to help resolve the issue that caused the alert. This topic covers the most common triage task: creating an incident from an alert.
Avant de commencer
Remarque :
The Operator Workspace interface is available only to customers who have upgraded from a release prior to the Utah release. New customers as of the Utah release can use the Service Operations Workspace for ITOM, which offers an enhanced UI for managing alerts.
Phase 1 |
|
|
Phase 2 |
|
Triage alerts |
Phase 3 |
|
Role required: evt_mgmt_operator
Procédure
-
Before you start to work on the alert, check whether other alerts should be
correlated with the one you just reviewed:
-
Open the secondary alert, click the lookup icon (
) in the Parent field, and then select the
primary alert.
This creates a primary (parent) / secondary (child) relationship between the two alerts. -
Navigate back to the Service Operations Workspace dashboard
and verify that the primary alert displays an icon in the
Group column.
Remarque :Your administrator can set up rules that let the system automatically correlate alerts so that you do not need to do so manually. In that case, a Feedback field appears on the Alert form. Select Yes if the system correlated the alert correlated correctly, or No if not. Currently, the feedback option is available but does not trigger further actions after being logged.
-
Open the secondary alert, click the lookup icon (
-
On the Alert form, click .
If your organization uses Security Incident Response, the button is Create Security incident.The Flow Designer opens.
-
Click Refresh.
The Execution Details page opens.
-
Click Open Context Record and then fill in the Incident
form.
Field Description Caller Click the lookup icon ( ) and then select your name. The caller is the
person who discovered the issue that led to the
incident.Category and Subcategory Select a category that best describes this alert. In this example, Database is the best choice. Application service
Select the application service to which the CI belongs. In this example, the application service is Web portal.
Configuration item If it is not already populated, select the CI. In this example, the Oracle database (PS ORA01) is automatically populated into the field. Impact and Urgency Select the impact and urgency levels that you think appropriate. Assignment group
Assigned to
Click the lookup icons ( ) for both or either of these fields, and then
select the group or the individual that can handle the
issue. -
Click Submit to create the incident.
The Alert you are working on reappears. On the Alert form, the incident is populated in the Task field. You can also see the incident number in the Task column on the Service Operations Workspace dashboard.
Que faire ensuite
There are other tasks you perform as part of the triage stage:
- Run a remediation workflow on an alert if your Event Management administrator already set up a workflow in your ServiceNow instance and your policies allow you to trigger it from the alert.
- Launch a web application from an alert to open a website or an event monitoring tool that provides more information about the alert.
- Associate a knowledge base article with an alert if there is existing information about the alert that might help resolve the underlying issue.
- Put an alert into maintenance to temporarily hide it from the Service Operations Workspace dashboard if the alert does not require action at this time.
If you do not need to perform any other triage actions, proceed to Phase 3: Close an alert.