Event Management subflows in the base system

Xanadu IT Operations Management

Release

xanadu

ft:locale

en-US

ft:publication_title

Xanadu IT Operations Management

ft:clusterId

itom

bundleId

itom

workflow

Technology

Event Management subflows in the base system

Release version: Xanadu

Updated August 1, 2024

3 minutes to read

Summarize

Summarized using AI

Summary of Event Management subflows in the base system

ServiceNow provides a set of preconfigured subflows within the base Event Management system to automate alert remediation processes. These subflows appear in the Remediation Subflows area of Alert Management Rules and can be easily accessed and configured to streamline incident and alert handling workflows.

Show full answer Show less

Accessing and Using Subflows

To access these subflows, navigate to Event Management > Rules > Alert Management Rules, create a new rule, then go to the Actions tab. In the Remediation Subflows area, you can add subflows by searching and selecting from the base system's available options. These subflows automate actions such as acknowledging alerts, creating incidents, or closing alerts.

Key Subflows Provided

Acknowledge Alert: Marks an alert as acknowledged to indicate further attention is needed.
Attach Knowledge Article (legacy): Attaches a knowledge article to an alert, primarily for instances migrated from pre-London releases.
Change Alert to Maintenance Mode: Marks the alert as in maintenance, temporarily suppressing incident creation.
Close Alert: Closes the alert in the system.
Create Incident: Creates an incident using fields from the alert, unless the alert is in maintenance or already linked to an incident. Supports rules to avoid incident creation for secondary alerts.
Create Major Incident Candidate: Generates a major incident candidate from the alert, which can later be escalated; creation is prevented if the alert is in maintenance, linked to an incident, or is a secondary group role.
Create Major Incident from Alert: Creates a major incident directly from the alert under similar conditions as above.
Create Major Incident with Impact: Similar to creating a major incident but includes the impact field as additional input.
Create Major Incident Candidate with Impact: Creates a major incident candidate with impact information included.
Create Task (legacy): Uses task templates or legacy scripts to create tasks, mainly for instances migrated from older releases.
Overwrite Alert Template (legacy): Applies alert templates, also primarily for legacy migrated instances.

Practical Considerations

When configuring Alert Management rules, you can select and customize these subflows to fit your operational needs. For legacy subflows, ensure relevant columns such as Knowledge article, Task template, or Task type are added to the Alert Management Rules [emalertmanagementrule] table to enable their functionality.

Subflows respect alert states such as Maintenance mode and existing incident links to prevent redundant or inappropriate task and incident creation. Additionally, properties like evtmgmt.avoidintenabled can be enabled to control incident creation for secondary alerts, optimizing incident management efficiency.

For advanced customization, you can create your own subflows to tailor remediation actions specific to your environment.

The subflows provided with the base system appear in the Remediation Subflows area of alert management rules.

Accessing the subflows

Navigate to Event Management > Rules > Alert Management Rules and click New. Click the Actions tab. In the Remediation Subflows area, double-click the Insert a new row field.

Specify subflow

Click the search icon to add subflows. The list of subflows that are provided with the base system appears.

Table 1. Subflows in the base system
Name	Description
Acknowledge Alert	Subflow to mark the alert as being Acknowledged. Acknowledge an alert to show that further attention is required.
Attach Knowledge Article (legacy)	Subflow to attach a knowledge article to the alert. This subflow is provided for instances that are migrated from legacy releases (prior to the London release). Note: Add the Knowledge article column to the Alert Management Rules [em_alert_management_rule] table, and select an article to attach to an alert when the rule executes.
Change Alert to Maintenance Mode	Subflow to mark the alert as being in Maintenance.
Close Alert	Subflow to mark the alert as being Closed.
Create Incident	Subflow to create an incident. Fields from the alert are used to populate the matching fields in the incident that is created. Note: If there is an existing incident that is attached to the alert, this subflow is not activated. If the alert is in Maintenance, an incident is not created. The alert management job runs even if the alert grouping job is not complete, if a specified time frame has passed. When this occurs, you can enable the Avoid INTs on secondary alerts rule to prevent incidents from being created for secondary alerts (when the evt_mgmt.avoid_int_enabled property is enabled), since an incident already exists for the primary alert.
Create Major Incident Candidate	Subflow to create a major incident candidate. Fields from the alert populate the matching fields in the major incident candidate that is created. A major incident candidate can be upgraded to become a major incident. Note: If there is an existing incident that is attached to the alert, this subflow is not activated. If the alert is in Maintenance, a major incident candidate is not created. If the Role in group is Secondary, the major incident candidate is not created.
Create Major Incident from Alert	Subflow to create a major incident from alert. Fields from the alert are used to populate the matching fields in the major incident that is created. Note: If there is an existing incident that is attached to the alert, this subflow is not activated. If the alert is in Maintenance, an incident is not created. If the Role in group is Secondary, the major incident candidate is not created.
Create Major Incident with Impact	Subflow to create a major incident from an alert in which the Impact field is also taken as input. Fields from the alert are used to populate the matching fields in the major incident that is created. Note: If there is an existing incident that is attached to the alert, this subflow is not activated. If the alert is in Maintenance, an incident is not created. If the Role in group is Secondary, the major incident candidate is not created.
Create Major Incident Candidate with Impact	Subflow to create a major incident candidate in which the Impact field is also taken as input. Fields from the alert populate the matching fields in the major incident candidate that is created. A major incident candidate can be upgraded to become a major incident. Note: If there is an existing incident that is attached to the alert, this subflow is not activated. If the alert is in Maintenance, a major incident candidate is not created. If the Role in group is Secondary, the major incident candidate is not created.
Create Task (legacy)	This subflow uses a task template, if provided, or the EventMgmtCustomIncidentPopulator script for instances migrated from legacy releases (prior to the London release). If configured, apply the task template. Note: Add the Task template column to the Alert Management Rules [em_alert_management_rule] table, and select a task template and task to apply when the rule executes.
Overwrite Alert Template (legacy)	This subflow applies the alert template. This subflow is provided for instances that are migrated from legacy releases (prior to the London release). Note: Add the Task type column to the Alert Management Rules [em_alert_management_rule] table, and select an alert template to apply when the rule executes.

Select the subflow that you need.
To customize a subflow, see Create a custom subflow. This topic also describes the input parameters in a subflow.
To specify when the workflow must be executed, double-click the cell under Execution.
.