Alert binding to CIs with event rules

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Alert binding to CIs with event rules

    Alert binding to Configuration Items (CIs) in ServiceNow's Event Management simplifies remediation by associating alerts with relevant CIs from the CMDB. This association enables efficient tracking and resolution of issues by showing the CI that caused an event directly on the alert.

    Show full answer Show less

    Event Management uses event rules and several mechanisms to automatically bind alerts to CIs during alert generation. The binding process evaluates event data such as node identifiers, alert type, and additional information to determine the appropriate CI.

    Alert Binding Process

    • When an event arrives, Event Management checks the node or CI identifiers.
    • If no node exists, the alert can bind using alert type, additional information, or CI identifier fields.
    • If a node value exists, it searches for a valid host.
    • If the event has both host and CI type, it attempts to bind to a device CI; otherwise, it tries to bind to an application CI.
    • Events do not bind by default to CIs with statuses like Retired, but this can be changed by adjusting system properties.

    Configuration for CI Status Binding

    By default, alerts do not bind to CIs with certain statuses such as "Retired." To include these, configure the evtmgmt.ignoreretiredcisinbinding property to false. Additionally, specify which CI statuses to include in binding via the evtmgmt.installstatuslisttoignoreinbinding property by listing status numbers (e.g., Installed, OnOrder, Retired).

    Binding Alerts to Applications on Hosts

    • Create an event rule filtering events by application type.
    • Override default binding and select binding by either CI identification or CI field matching.
    • Specify required class and attribute criteria to accurately bind alerts to the application CI.
    • If multiple matching applications exist on a host, the alert binds to the host CI instead of the application.
    • For cases without a CI type, populate the event's Node field with identifiers like CI name, FQDN, IP, or MAC address for successful binding.
    • Unique identifiers in JSON format can be used for binding—e.g., using MOID for VMware VM CIs.

    Binding Procedures and Use Cases

    • Bind alerts to a CI running on a host: Use event rules with CI identifiers to associate alerts with the correct CI.
    • Bind alerts to a specific host CI: Identify the host CI first, then bind device-level alerts accordingly.
    • Bind alerts to non-host CIs: Use event rules and field mappings (such as URL, port, IP) for discovered application services or alert groups.
    • Bind alerts to application CIs: Bind alerts to both the host and application CIs using event rule transform information.
    • Bind alerts using event field mapping: Efficiently bind alerts to multiple CIs without creating separate event rules for each CI.
    • Manual binding: Trigger new alerts to manually bind alerts to CIs when necessary.

    Benefits for ServiceNow Customers

    Understanding and configuring alert binding enables customers to automate the accurate association of alerts with their CIs, improving incident tracking and remediation efficiency. Proper binding ensures alerts carry critical CI context, facilitating better integration with IT Operations Management (ITOM) products and enhancing overall operational visibility.

    When alerts are associated with CIs, the task of remediation is simplified. During alert generation, Event Management uses event rules and other mechanisms to automatically bind alerts to a CI information from the CMDB. For tracking purposes and remediation, the alert shows information about the CI that caused the event.

    Alert binding process flow

    Alerts bind to CIs based on the following process flow:
    1. When an event arrives, Event Management checks the node or CI identifiers.
    2. If no node exists, the generated alert can bind to the CI using the alert Type, Additional information, or Configuration item identifier fields.
    3. If the event has a node value, search for a valid host.
    4. If the event has a host and a CI type, try to bind to a device CI.
    5. If the event has a host, try to bind to the application CI.
    Figure 1. How alerts bind to CIs
    How alerts bind to CIs

    The event can contain the binding process flow in its Processing Notes field.

    By default, events do not bind to CIs with a specified status, such as Retired. To enable binding events to these CIs, set the evt_mgmt.ignore_retired_cis_in_binding property to false.

    To specify the CI statuses to be included in the evt_mgmt.ignore_retired_cis_in_binding property, add the relevant status numbers to the evt_mgmt.install_status_list_to_ignore_in_binding property, as per the following table:

    Table 1. CI Statuses
    Status Number Status
    1 Installed
    2 OnOrder
    3 InMaintenance
    4 PendingInstall
    5 PendingRepair
    6 InStock
    7 Retired
    8 Stolen
    100 Absent
    Note:
    When adding more than one status, separate each status number with a comma.

    Tracking and remediation

    Alerts can be bound to CIs from the CMDB for tracking purposes and remediation. Event Management uses event rules and various mechanisms to automatically bind CIs to alerts. When information from an event populates a field with a value, the value either originates from the event source or from event rules. This enhances remediation, functionality, and integration with other ITOM products.

    Binding to an application running on a specific host

    If the event is specific to an application type, use the following steps to bind alerts to a specific application:
    1. Use the procedures in the Bind alerts to a CI running on a host using CI identifiers topic.
    2. Create an event rule with a filter that captures events on the application type you want.
    3. In the event rule, select Binding. Event Management binding
    4. Click Override default binding.
    5. In the Binding Type field, select either CI's Identification or CI field matching.
      1. For CI's Identification, specify the Class. Event Management binding
      2. In the Criterion attributes field, specify name and sys_class_name.

        Event Management binding

      3. In the Name Add Value field, specify the required name.
      4. In the Container level 1 area, specify the required values.
      5. If further container level fields appear, specify the required values.
    • For CI field matching, specify the required CI Type.
    • In the binding process, after the host is found, the algorithm matches all additional_info attributes that have the same name as CI fields for that CI type. If the match is successful, the event is bound to the CI.
    • If more than one matching application is found on the host, the alert is bound to the host and not to the application.
    Where there is no CI Type, for example, when binding alerts to an SQL server application when the CPU on sqlServer.exe is over 90%, do the following:
    • Populate the Node field in the event with the CI name, FQDN, IP, or MAC address value. The bind is successful even if the host has more than one IP address or MAC address.
    • If you want to use a unique identifier that is not one of those previously mentioned, populate the event rule CI Identifier (ci_identifier) field with one or more unique identifiers of the CI. This field should be in JSON format. For example, to use a unique identifier that is not one of those previously mentioned, add a CI Identifier (ci_identifier) filter field with one or more unique identifiers of the CI. If the host CI is VMWare VM, and it has a field called MOID, use the JSON format and specify: {"moid":"<CI moid>"}
    • Create an event rule with an event match field which maps the process name to the mapping variable sa_process_name. In this case, do not use the CI type.

    Binding procedures

    Use the procedures in these topics to bind alerts.