Alert management rules for resolving alerts
- Updated Aug 1, 2024
- Xanadu
- Event Management
You can configure Event Management to respond to alerts automatically. An alert management rule determines the response to an alert, such as opening an incident, a knowledge base article, or a task, or launching a remediation action.
Alert management rules are provided with the base system as a store application (Alert Rules Management [sn_em_arm]) to help you respond to alerts. You can create filters that specify conditions for a rule so that the action specified in the rule takes effect only when those conditions are met, for example, launching the required subflow or opening an incident based on an alert. The alert's execution history is updated automatically to indicate the actions that were invoked.
Users with the evt_mgmt_admin role can use the alert management rule designer to create and customize alert management rules to act on specified alerts. Define rules with filters to determine which alerts the rule applies to. You can create rules to launch applications, URLs, subflows, remediation actions, or take other actions, such as to open an incident. For more information, see Create an alert management rule.
Users with the evt_mgmt_operator role can manually run alert management rules.
Alert management rule flow
The flow to create and run an alert management rule is:
| Component | Description |
|---|---|
| Alert Info | Configure a name and general information for the rule. |
| Alert Filter | Specify a filter to determine which alerts the rule applies to. You can also specify related list conditions. |
| Actions | Specify the response to the alert, such as running a subflow, performing a remediation action, launching an application, or launching a URL in a browser. |
How rules are applied to updated alerts
Alert management rules run on all updated open alerts. Rules don't run on closed alerts, even if they've been updated. The filters determine whether the rule's actions apply to the alert. For example, if a rule's condition indicates that an email message is sent when the alert severity changes to Major, the rule applies to an alert updated by a severity change from Warning to Major.
Use of filters and other actions
Filters ensure that the rule is invoked only when the configured condition occurs, and not for every update of the alert. For example, you can configure a rule so that updates that aren't relevant (such as a Work notes field update) don't cause the rule to run. As another example, a filter condition can specify that the alert management rule runs only when the alert severity is critical.
You can perform the following actions:
- Specify a filter that determines which alerts the rule applies to.
- In the Related List Conditions section of the form, configure additional conditions, for example, with an Alert > Parent relationship, to filter for any alerts that were received today.
- Respond to alerts, for example, by using subflows and workflows to create incidents for primary alerts with critical severity, or by opening a search engine in a browser to search for data from the alert's description field.
- Apply remediation. Remediation is based on Orchestration workflows that can be scripted to perform remediation tasks such as gathering system information or rebooting a server.
Note: For enhanced performance of the Event Management - Evaluate Scoped Alert Rules Management scheduled jobs, use subflows instead of workflows.
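The evaluation behaviour described above (rules run only on open alerts, the filter gates the action, and the execution history records what was invoked), as an added stand-alone JavaScript model; this is not ServiceNow code or its API, and the rule, alert fields and sample updates are constructed for illustration:

```javascript
// Stand-alone model of alert management rule evaluation (constructed, not
// ServiceNow's implementation). A rule has a name, a filter over the updated
// alert and its previous field values, and the action it invokes.
function makeRule(name, filter, action) {
  return { name, filter, action };
}

// Rule from the text: notify only when severity has just changed to Major.
// A Work notes-only update leaves severity unchanged, so the filter rejects it.
const severityToMajor = makeRule(
  "Notify on Major",
  (alert, prev) => alert.severity === "Major" && prev.severity !== "Major",
  "send_email"
);

// Evaluate rules against a batch of updated alerts. Closed alerts are skipped
// even if they were updated; for open alerts, each rule whose filter matches
// appends its action to the alert's execution history.
function evaluateRules(rules, updatedAlerts) {
  const invoked = [];
  for (const { alert, prev } of updatedAlerts) {
    if (alert.state === "Closed") continue; // rules never run on closed alerts
    for (const rule of rules) {
      if (!rule.filter(alert, prev)) continue; // filter not met: no action
      alert.executionHistory.push({ rule: rule.name, action: rule.action });
      invoked.push({ alert: alert.number, rule: rule.name, action: rule.action });
    }
  }
  return invoked;
}

// Constructed sample updates (alert numbers and values are made up).
function sampleUpdates() {
  const mk = (number, state, severity) =>
    ({ number, state, severity, executionHistory: [] });
  return [
    // Open alert, severity Warning -> Major: the rule fires.
    { alert: mk("Alert0001", "Open", "Major"), prev: { severity: "Warning" } },
    // Open alert, Work notes updated only, severity unchanged: filter rejects.
    { alert: mk("Alert0002", "Open", "Major"), prev: { severity: "Major" } },
    // Closed alert with a severity change: skipped regardless of the filter.
    { alert: mk("Alert0003", "Closed", "Major"), prev: { severity: "Warning" } },
  ];
}

// Runs the sample batch; only Alert0001 produces an invocation.
function runSample() {
  return evaluateRules([severityToMajor], sampleUpdates());
}
```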
Scheduled jobs that check alert management rules
Alert management rules are checked every 11 seconds by the default Event Management - Evaluate Scoped Alert Rules Management0 scheduled job. The job then executes the required actions. For large-scale environments, you can add more than one job; to do so, contact Customer Service and Support.
Don't modify the sn_em_arm.alert_management.num_of_jobs property.
By default, the alert grouping job (Service Analytics group alerts using RCA/Alert Aggregation) and the alert management (Event Management - Evaluate Scoped Alert Rules Management0) jobs run independently of each other. For more information about coordinating the alert response and the automated alert grouping, see Synchronizing Alert Response with Automated Alert Grouping.