Create an alert management rule

Create an alert management rule to track alerts and resolve them by determining the required response, for example, to open an incident or launch a remediation action.

Before you begin

To enable remediation with a subflow, you can use a subflow that is available with the base system, or you can create your own subflow. To create a custom subflow:

  1. Navigate to Flow Designer > Designer.
  2. In the Flow Designer window, click Subflows.
  3. Click Alert Management Template. The template opens in Flow Designer in read-only format.
  4. Click the more actions icon and select Copy subflow.
  5. In the New Subflow Name field, enter the name of the new subflow.
  6. If you want to limit the application scope of the subflow, in the Application field select the required application.
  7. Click Copy.
  8. In the Flow Designer editor, you can specify values for the fields, add actions, flow logic, and subflows. For example, click Action, select Alert Management Content and then select Update Execution With Task. Continue by entering information in the required fields and then click Done.
  9. To save the subflow in draft status, click Save. To save and publish the subflow so that it can be used in the alert management rule designer, click Publish.

For more information about using Flow Designer, see Create a subflow.

To enable remediation with a workflow, create the workflow to remediate alerts. Navigate to Workflow > Workflow Editor. In the Welcome tab of the Workflow Editor, click New Workflow. In the Table field, select Remediation Task [em_remediation_task].

After you finish configuring the workflow, make sure that you publish it. For information about creating a workflow, see Create a workflow.

Role required: evt_mgmt_admin

About this task

Use alert management rules to track and resolve alerts.

While working in the alert management rule designer, you can work in multiple sections without losing information in any section.

Note: Alert management rules that are not configured to perform any action are skipped and the rule is automatically set to inactive.
Create alert management rules that:
  • Locate other alert management rules that have relevance to the selected alert.
  • Determine when the execution of the rule takes place.
You can configure alert management rules to:
  • Automatically generate and link incidents, tasks, or knowledge articles to alerts.
  • Automatically apply a remediation workflow or enable users to manually run remediation.
  • Automatically construct a URL that is created according to the value of specified fields in the alert.

To assist you, several alert management rules are provided with the base system. You can use them as presented or you can use them as examples to build custom alert management rules.

Table 1. Alert management rules provided with the base system
Rule | Description | Active
Open sensor dashboard in PRTG | The sensor dashboard in the Paessler PRTG Network Monitor (PRTG) application opens. | Yes
Oracle EM Launch Target Status and View Events | Launch Oracle Enterprise Manager to view: Target Status; Event for alerts from source Oracle EM. | Yes
Drilldown to OMI | Drill down to the HP Operations Manager i (OMi) application. | Yes
Create Incident on Primary Critical Alert | Create an incident for primary critical alerts. The incident can be created automatically or manually. | No
Search Google for "description" | Open Google Search in a browser to search for data according to the description that appears in the alert. | Yes
Create Incident | Create an incident for all alerts that are not in maintenance state. The rule runs automatically on selective update. | No
Create Incident Manually | Manually create an incident for alerts that are not in maintenance state. | Yes
Create Major Incident Candidate | Create a major incident candidate for all alerts that are not in maintenance state and are not secondary alerts. A major incident candidate can be promoted to become a major incident. | No
Create Major Incident | Create a major incident for all alerts that are not in maintenance state and are not secondary alerts. | No

If your instance was upgraded from Kingston, the alert action rules that were provided with the Kingston base system are available to you. However, if you modified any of the rules, the changes made are not carried over.

Procedure

  1. Navigate to Event Management > Rules > Alert Management.
  2. Click New.
  3. On the form, fill in the fields.
    Table 2. Alert Management Rule form
    Field Description
    Name Unique name for the rule.
    Active Check box for enabling the rule.
    If this check box is selected, you must specify:
    • in the Alert Filter section, an alert filter
    • in the Actions section, at least one of any of these actions:
      • active subflow
      • workflow
      • quick response
    Order Order in which rules are evaluated when multiple rules are defined for the same alert. Alert management rules are evaluated in ascending order. The default value is 100.
    Multiple alert rules Instruction about whether to search for additional rules:
    • Search for additional rules–execute the current rule then continue and execute other matching rules by the order of rule priority, where the lower number has the higher priority.
    • Stop search for additional rules–execute only the current rule for the alert that matches the defined filter.
    Description Descriptive text to describe the rule.
  4. Click Alert Filter and specify conditions for alerts that this rule is applied to.
  5. On the form, fill in the fields.
    Table 3. Alert Filter stage
    Field Description
    Rule is activated when Rule execution takes place when:
    • Alert changes to filter–content changes to the alert cause the alert to match the filter. If the filter is matched on following update of the alert, the rule is not applied. If the alert was closed and then reopens, at the next update of the alert and the filter is matched, the rule is applied. Thereafter, when there is an update of the alert, the rule is no longer applied.
    • Alert matches filter–the content of the alert matches the filter. On following update of the alert and if the filter is matched, the rule runs and is applied to the alert. The rule remains applied for every matching update.
    Alert filter
    Preview Function to preview alerts that match the specified condition. A hyperlink shows how many alerts match the filter.

    If you click the hyperlink, the browser opens another tab that lists alerts in the Alerts [em_alert_list] table. The list shows which alerts match the rule, including closed alerts. Alerts that have already been run by the rule are not marked in any way. You can click any alert to view further details.

    Conditions Conditions that, if fulfilled, cause the filter to be applied. For more information about building conditions, see Using the condition builder .

    To add another condition, click New Criteria.

    Related List Conditions Conditions to include a relationship with another table in the filter.
    1. Click Table and select the required table.
    2. Specify the conditions for this filter.
    For more information about creating related lists, see Add related list conditions.
  6. Click Actions.
    In this section, you can configure these action types as a response to alerts or to remediate alerts:
    • Remediation Subflows–Execute a subflow provided with the base system.
    • Remediation Workflows–Execute a workflow that you previously published.
    • Launch Applications–Open applications and browsers that you configure.
  7. (Optional) In the Remediation Subflows area, to add subflows:
    1. Under Subflow, double-click the cell.
    2. Click the search icon.
      The list of subflows provided with the base system appears. For more information, see Event Management subflows provided.
    3. From the subflow list, select a subflow.
    4. Repeat, adding as many subflows as required.
    5. If you want to specify when the subflow must be executed, under Execution, double-click the cell.
      Table 4. Subflow execution options
      Name Description
      Automatic The subflow is executed automatically when the rule is matched.
      Manual Execute the subflow if required when the rule is matched.
      Both When the rule is matched, the subflow is executed automatically and you can optionally execute the subflow again manually.
    6. Under Automatic executions limit, double-click the cell and enter the required integer.
      Use this field to configure how many times the subflow is executed.
    7. If you want to enable the subflow to be executed, under Active, double-click the cell and select true.
      A link in the cell under Link to Flow Designer appears only after a subflow has been selected and the rule has been saved.
  8. To add remediation workflows, in the Remediation Workflows area:
    1. Double-click the cell under Workflow.
    2. Click the search icon.
    3. From the list, click a workflow that was previously published.
    4. To specify when the workflow is executed, double-click the cell under Execution.
      Table 5. Workflow execution options
      Name Description
      Automatic The subflow is executed when the rule is matched.
      Manual When to execute the subflow when the rule is matched. For example, you can run the remediation from the Quick Response option. For more information, see Apply a quick response in an alert.
      Both When the rule is matched, the subflow is executed automatically and you can optionally execute the subflow again manually.
    5. (Optional) Double-click the cell under Automatic executions limit and enter the required integer.
      Use the Automatic executions limit field to configure how many times the workflow is executed. This value sets the maximum number of executions of the workflow as long as the alert is open. The counter is reset when the alert is closed.
    6. (Optional) To enable the workflow to be executed, double-click the cell under Active and select true.
      For information about how to create a workflow, see Create a workflow.
  9. To add instructions to launch applications or to open browser windows, in the Launch Applications area:
    Any URL-based action can utilize the alert parameters and the URLs can refer to wikis, messaging services, REST APIs, and so on.
    1. Under Display Name, double-click the cell.
      Specify a name for the link.
    2. In the URL field, compose the URL using data from the alert in the format: http://${source}.com:${port}/${cmdb_ci.name}
      The Active field is automatically updated.
  10. Click Submit.
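
The Launch Applications URL format in step 9 is filled from alert fields, and those values originate in the monitored sources that send events. The following added example (not ServiceNow code and not part of the original page) models the `${field}` expansion with validation of values used in the host part and percent-encoding everywhere else. The function names, the sample alert, and the `allowedHosts` list are assumptions.

```javascript
// Added example: models ${field} expansion; this is not ServiceNow's implementation.
const TEMPLATE = 'http://${source}.com:${port}/${cmdb_ci.name}'; // format from the page
// Constructed sample alert (values are illustrative).
const SAMPLE_ALERT = { source: 'example', port: '8443', cmdb_ci: { name: 'db server/01' } };
const HOST_LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

// Resolve a dotted field path such as "cmdb_ci.name" against the alert object.
function lookup(alert, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), alert);
}

// Replace every ${field} in text, passing each value through encode().
function fill(text, alert, encode) {
  return text.replace(/\$\{([\w.]+)\}/g, (_, path) => {
    const value = lookup(alert, path);
    if (value == null || value === '') throw new Error('empty alert field: ' + path);
    return encode(String(value), path);
  });
}

// allowedHosts is a hypothetical allow-list of hosts the link may point to.
function buildLaunchUrl(template, alert, allowedHosts) {
  const parts = /^(https?:\/\/)([^\/?#]*)(.*)$/.exec(template);
  if (!parts) throw new Error('template must start with http:// or https://');
  // Host part: a field value may only be one DNS label or a numeric port.
  const authority = fill(parts[2], alert, (value, path) => {
    if (!HOST_LABEL.test(value)) throw new Error('unsafe value for host part: ' + path);
    return value;
  });
  // Path and query: percent-encode so a value cannot add segments or parameters.
  const tail = fill(parts[3], alert, encodeURIComponent);
  const url = new URL(parts[1] + authority + tail);
  if (!allowedHosts.includes(url.hostname)) throw new Error('host not allowed: ' + url.hostname);
  return url.href;
}
```

With the sample alert, `buildLaunchUrl(TEMPLATE, SAMPLE_ALERT, ['example.com'])` returns a URL whose path is a single encoded segment, while a `source` value containing `.`, `@` or `/` is rejected before a URL is built.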

Result

The alert management rule that was created is added to the list of available rules that can be used to resolve alerts.
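
To see how the "Rule is activated when" options and the Automatic executions limit interact before enabling automatic remediation, the following added example (a simplified model, not ServiceNow code and not part of the original page) replays a constructed sequence of alert updates against one rule with one automatic action. It assumes that a closed alert is not evaluated and that the first matching update after a reopen counts as a change; all names are hypothetical.

```javascript
// Added example: a simplified model of the settings described on this page,
// not ServiceNow code. One rule with one automatic action is simulated.
function simulateRule(rule, updates) {
  let wasMatching = false; // did the previous update of the open alert match?
  let runs = 0;            // automatic executions since the alert was last opened
  const fired = [];        // indexes of the updates on which the action ran
  updates.forEach((alert, index) => {
    if (alert.state === 'Closed') {
      // Assumption: closing resets the counter and the "already matched" memory.
      wasMatching = false;
      runs = 0;
      return;
    }
    const matches = rule.filter(alert);
    // 'changes' = "Alert changes to filter", 'matches' = "Alert matches filter".
    const due = rule.activation === 'changes' ? matches && !wasMatching : matches;
    wasMatching = matches;
    if (due && runs < rule.automaticExecutionsLimit) {
      runs += 1;
      fired.push(index);
    }
  });
  return fired;
}

// Constructed timeline of updates to a single alert (values are illustrative).
const TIMELINE = [
  { state: 'Open', severity: 'Major' },      // 0: filter not matched
  { state: 'Open', severity: 'Critical' },   // 1: alert changes to match the filter
  { state: 'Open', severity: 'Critical' },   // 2: still matching
  { state: 'Open', severity: 'Critical' },   // 3: still matching
  { state: 'Closed', severity: 'Critical' }, // 4: alert closed
  { state: 'Reopen', severity: 'Critical' }, // 5: reopened and matching
  { state: 'Reopen', severity: 'Critical' }, // 6: still matching
];
const isCritical = (alert) => alert.severity === 'Critical';

const onChange = simulateRule(
  { activation: 'changes', filter: isCritical, automaticExecutionsLimit: 5 }, TIMELINE);
const onMatch = simulateRule(
  { activation: 'matches', filter: isCritical, automaticExecutionsLimit: 2 }, TIMELINE);
console.log({ onChange, onMatch });
```

In this model the "changes" rule runs once per open period, while the "matches" rule runs on every matching update until the limit stops it, which is the case the limit exists to bound.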