Create or edit an alert action rule

Select the conditions that an alert must match for the rule to apply and configure actions that the rule can execute for matching alerts. Configure alert action rules to remediate alerts and CI remediation rules to remediate a set of CIs.

Before you begin

To enable remediation, create the workflow to remediate CIs. In the workflow settings, select Remediation Task [em_remediation_task] in the Table field. After you finish configuring the workflow, make sure you publish it.

Role required: evt_mgmt_admin

About this task

You can configure the alert action rule to:
  • Use an overwrite alert template to automatically modify alert field values before creating or updating an alert.
  • Use a task template to automatically generate resolution tasks based on alert values, before the alert is created or updated.
  • Automatically generate and link incidents, tasks, or knowledge articles to alerts.
  • Automatically apply a remediation workflow or enable users to manually run remediation.
  • Automatically construct a URL that is created according to the value of specified fields in the alert.

The default create/resolved incidents by alerts Event Management scheduled job runs every 11 seconds. It checks alert action rules and acts accordingly.

Note: If more than one alert action rule can apply to an alert and the rules resolve the alert with the same action, only one alert action rule is applied, according to order. However, if each of the rules resolves the alert with a different action, each of these rules applies. For example, if one alert action rule creates a KB and another alert action rule creates an incident, then both alert action rules are applied.
This workflow depicts actions, as specified in the rule, that take place at the same time when a scheduled job runs.
Figure 1. Alert action rule workflow showing scheduled job

While the scheduled job runs, a business rule also acts as specified in the rule.

This workflow depicts actions that take place at the same time when a business rule runs on insert only.
Figure 2. Alert action rule workflow showing business rule



  1. Navigate to Event Management > Rules > Alert Action Rules.
  2. Click New or select an alert action rule to edit.
    Figure 3. Alert Action Rule form
  3. Fill in the fields, as appropriate.
    Table 1. Alert Action Rule form

    Field: Description

    Name: Descriptive text to identify the alert action rule.
    Active: Select to activate the rule.
    Alert filter: The conditions that an alert must meet for the rule to apply. Use the condition builder to construct the rule.
    Order: The priority for rule evaluation. Rules with lower Order values are given priority. An alert is checked against every alert action rule until a match is found.

    Action tab

    Auto acknowledge: Select to enable automatic acknowledgment of the alert. An acknowledged alert indicates that a user is aware of the issue. If this check box is cleared, users must manually acknowledge the alert.
    Overwrite alert template: The template that is used to overwrite alert values before additional resolution updates occur. The template is applied on the creation of a new alert, before the business rule is run.
    Knowledge article: A link to the knowledge base article that contains additional information to help resolve the alert.
    Auto open: Select to automatically open a task, such as an incident, change, or problem. This action occurs once only.
    Type: The type of task to create and attach to the alert. For example, if Problem is selected, a problem task is generated with information from the alert.
    Task template: The template that assigns actions to the task Type. For example, a task template can assign a person or group to address a Problem task. When a Type is selected, the template applies, regardless of the Auto open setting in the alert action rule. For example, the template can apply to manual or auto-generated tasks as long as an alert action rule applies to the alert. The template is applied on the creation of a new alert, before the business rule is run. This action occurs once only for each event.

    Remediation tab

    Enable remediation: Select to enable remediation with an Orchestration workflow. This action occurs once only for each event.
    Execution: Whether the workflow selected in the Orchestration workflow field is automatically invoked or users can invoke it manually.
    Orchestration workflow: If the Enable remediation check box is selected, the remediation workflow runs. This action occurs once only for each event.

    Launcher tab

    Enable: Select to launch web-based applications from the Alert Console or dashboard alert panel. This action occurs once only for each event.
    Display Name: A descriptive name for the window that appears when users launch the application.
    URL: A dynamic URL that uses specified fields in the alert, including the Source and Additional Information fields. For example, the values in these fields in the alert replace the parameters in the URL: http://${source}.com/${}. In an alert, the value in the Source field is used for the {source} section of the URL. The Additional Information field contains JSON with the value of {my_application}, such as {'my_application':'application_name'}.
  4. Click Submit or Update.
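
The Launcher tab's URL substitution from step 3, modelled as an added example that is not ServiceNow's implementation: alert values arrive from inbound events, so the code validates a value placed in the host position and percent-encodes values placed after it. The property names source and additional_info, the function names, and the my_application parameter in the template are assumptions for illustration.

```javascript
// Added example, not ServiceNow code: models ${field} substitution for a launcher URL.
// Assumed alert shape: { source: string, additional_info: JSON string }.
const HOST_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i; // a single DNS label

function parseAdditionalInfo(raw) {
  // Accept only a strict JSON object; anything else yields no parameters.
  try {
    const obj = JSON.parse(raw);
    return obj && typeof obj === 'object' && !Array.isArray(obj) ? obj : {};
  } catch (e) {
    return {};
  }
}

function buildLauncherUrl(template, alert) {
  const info = parseAdditionalInfo(alert.additional_info);
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  // In this model, alert fields win over Additional Information keys of the same name.
  const lookup = (name) =>
    own(alert, name) && name !== 'additional_info' ? alert[name]
      : own(info, name) ? info[name] : undefined;
  // Split at the first "/" after the scheme: host part vs. path and query.
  const m = /^(https?:\/\/)([^\/]*)(.*)$/.exec(template);
  if (!m) throw new Error('template must be an http(s) URL');
  const fill = (part, encode) =>
    part.replace(/\$\{(\w+)\}/g, (_, name) => {
      const v = lookup(name);
      if (typeof v !== 'string' || v === '') throw new Error('missing alert value: ' + name);
      return encode(v, name);
    });
  // A value in the host position must be one DNS label, so it cannot add dots,
  // slashes, "@" or a port and send the operator to a different site.
  const host = fill(m[2], (v, name) => {
    if (!HOST_LABEL.test(v)) throw new Error('unsafe host value in ' + name);
    return v.toLowerCase();
  });
  // Values after the host are percent-encoded so they stay inside one path segment.
  return m[1] + host + fill(m[3], (v) => encodeURIComponent(v));
}

// Constructed sample alert and template (my_application is an assumed parameter name).
const sampleUrl = buildLauncherUrl('http://${source}.com/${my_application}', {
  source: 'monitor01',
  additional_info: '{"my_application":"order service/v2"}',
});
console.log(sampleUrl);
```

The single-quoted form shown in the table is not strict JSON, so this model treats it as carrying no parameters and refuses to build the URL.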