Set a threshold to suppress alert generation

If Event Management receives multiple events for a device in a short period, it might indicate a serious condition, so you might want an alert to be generated. However, if events for a device are received at longer intervals, the condition might not be serious, so you might want to suppress alert generation. The threshold is the rate at which Event Management generates an alert.

Before you begin

Role required: evt_mgmt_admin

About this task

You can configure the properties in an event rule to suppress alert generation, create alerts, or close existing alerts according to a threshold based on the value of event fields or number of occurrences, over a period.
Note: Field Name can be the name of any numeric field in the Additional information field of the event. Therefore, if CPU is an additional information field for a specific event, then CPU can be used as a Field Name.
Assume that you want to generate an alert when CPU utilization reaches or exceeds 80% three times with no more than 20 seconds between any two consecutive events. Create an event rule with these settings (an explanation for each value is given in parentheses):
  • Create Alert Operator: >= (operator to determine whether utilization of Field Name reaches or exceeds the specified value)
  • Field Name: CPU (events regarding high CPU usage)
  • Threshold Value: 80 (percent)
  • Occurs: 3 (three events occur where the CPU usage is at or above ">=" 80%)
  • Over(seconds): 20 (20 seconds or less between events)
To demonstrate how the preceding settings are evaluated, assume that the following events are received:
First scenario
Reported elapsed time and the CPU usage for each event:
  • First event elapsed time 20, CPU=85
  • Second event elapsed time 40, CPU=80
  • Third event elapsed time 60, CPU=70

In this scenario, no alert is generated since one event has a CPU utilization that is under 80%.

Second scenario
Reported elapsed time and the CPU usage for each event:
  • First event elapsed time 20, CPU=85
  • Second event elapsed time 40, CPU=90
  • Third event elapsed time 70, CPU=95

In this scenario, an alert is not generated since the elapsed time in one event is over the specified 20 seconds.

Third scenario
Reported elapsed time and the CPU usage for each event:
  • First event elapsed time 20, CPU=85
  • Second event elapsed time 40, CPU=95
  • Third event elapsed time 60, CPU=90

In this scenario, an alert is generated since in all events the elapsed time is within the specified time and the CPU usage is over 80%.

Note: When configuring an event rule to create or close alerts according to a threshold, events that arrive at the same second, as determined by the time_of_event field, are skipped. This occurs because these events are considered to be duplicates.
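
The three scenarios above can be replayed with a small model of the rule, added here as an illustration (it is not ServiceNow code). It assumes the elapsed times are event timestamps in seconds, reads Over(seconds) as the maximum gap between consecutive events as the scenarios do, and assumes an event below the threshold resets the count; the function and property names are hypothetical.

```javascript
// Added illustration, not ServiceNow code. evaluateThreshold and the rule/event
// property names are hypothetical; only the ">=" operator is modelled.
function matches(rule, event) {
  const raw = event.additionalInfo[rule.fieldName];
  if (raw === undefined || Number.isNaN(Number(raw))) return false; // field must be numeric
  if (rule.operator !== '>=') throw new Error('operator not modelled: ' + rule.operator);
  return Number(raw) >= rule.thresholdValue;
}

// events: sorted by timeOfEvent (seconds). Returns the time the alert would fire, or null.
function evaluateThreshold(rule, events) {
  let run = 0;          // consecutive qualifying events seen so far
  let lastTime = null;  // time_of_event of the previous event that was not skipped
  for (const event of events) {
    if (event.timeOfEvent === lastTime) continue;  // same-second events are skipped as duplicates
    const gapOk = lastTime === null || event.timeOfEvent - lastTime <= rule.overSeconds;
    lastTime = event.timeOfEvent;
    if (!matches(rule, event)) { run = 0; continue; }  // assumption: a miss resets the run
    run = gapOk ? run + 1 : 1;                         // too large a gap starts a new run
    if (run >= rule.occurs) return event.timeOfEvent;
  }
  return null;
}

// Settings from the CPU example in the text.
const cpuRule = { operator: '>=', fieldName: 'CPU', thresholdValue: 80, occurs: 3, overSeconds: 20 };
const sample = (t, cpu) => ({ timeOfEvent: t, additionalInfo: { CPU: cpu } });

// The three scenarios from the text, plus a constructed same-second duplicate case.
const scenarios = {
  first: [sample(20, 85), sample(40, 80), sample(60, 70)],
  second: [sample(20, 85), sample(40, 90), sample(70, 95)],
  third: [sample(20, 85), sample(40, 95), sample(60, 90)],
  duplicate: [sample(20, 85), sample(20, 90), sample(40, 95)],
};

for (const [name, events] of Object.entries(scenarios)) {
  const firedAt = evaluateThreshold(cpuRule, events);
  console.log(name, firedAt === null ? 'no alert' : 'alert at t=' + firedAt);
}
```

Replaying recorded events through a model like this before activating a rule shows whether the chosen Occurs and Over(seconds) values would have suppressed an alert you expected to see.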

Procedure

  1. Navigate to Event Management > Rules > Event Rules.
  2. Create or open an event rule.
  3. Click Threshold.
  4. Select Active. If Active is not selected, the fields in this screen are read-only.
  5. In the Create Alert Operator field, select an operator.
    • If you select Count, specify the corresponding Occurs and Over(Seconds) fields.
    • If you select any operator other than Count, the Threshold Metric and Value fields appear. Specify the required values in these fields.
      Note: The value of the Threshold Value property can be the name of any field in the Additional information of the event. For example, if CPU is a field in Additional information for a specific event, then CPU can be used as the Threshold Value.
    • In the Occurs field, specify the required value.
    • In the Over(Seconds) field, specify the required period.
  6. To automatically close alerts, in the Close Alert Operator field, select an operator. Extra fields appear according to your selection.
    • If Count is specified as the operator for the Create Alert Operator field, then the selection in the Close Alert Operator field is either None or Idle. Specify the required value.
    • If you select Idle, then configure the Over(Seconds) field.
    • In the Close Alert Operator field, if you select an operator other than Idle, then configure the Value, Occurs, and Over(Seconds) fields.
  7. Click Save or Submit.
To create an alert when a specific event occurs 5 times in 10 minutes, in Threshold:
  1. In the Threshold Metric field, specify the name of any field that exists in the Additional information field in the event. The value of the field is irrelevant.
  2. In the Create Alert Operator field, select Count.
  3. In the Occurs field, specify 5.
  4. In the Over field, specify 600 (10 * 60 seconds).
  5. Click Save or Submit.

To create an alert when a specific event occurs 5 times in 10 minutes with a metric value greater than 55, assume that “metric_value” is a field in the Additional information of the event and specify:

  1. Select the Active check box.
  2. In the Create Alert Operator field, select >=.
  3. In the Threshold Metric field, specify metric_value.
  4. In the Value field, specify 55.
  5. In the Occurs field, specify 5.
  6. In the Over field, specify 600 (10 * 60 seconds).
  7. Click Save or Submit.