Customize Incident Fields With Alert Rule

 

ServiceNow’s Event Management helps our customers identify health issues across the datacenter through a single management console.  It provides intelligent event and alert analysis to ensure business service continuity.  With ServiceNow Event Management, your IT Operators have a single place to view and manage alerts, which improves operational efficiency by avoiding multiple consoles from multiple monitoring tools.  One of my customers implemented ServiceNow Event Management to consolidate events from SNMP, SCOM, and other monitoring tools.  They use event rules to enrich the information in the alert record, and alert rules to automatically open incidents and populate the incident records dynamically with additional information from the alert fields.

 

My colleague, Tony Branton, has written a couple of very good blogs, “Become Awesome with Event Rules” and “Transform Your Way to Better Alerts”.  So in this article, I want to focus on extending an alert rule to automatically open an incident and enrich the incident fields using one of these methods:

 

  • Use a task template to set the field values in the incident record, or
  • Use the EvtMgmtCustomIncidentPopulator script include.

 

Using a task template to set static field values

 

1.     In this example, I create a database incident template and select the fields whose values I want to set.

Picture1.png

2.     Next, I create an alert rule that matches certain conditions.  In this example, if the alert has severity = critical and resource contains mssqlserver, the rule automatically opens an incident and sets the values defined in the database incident template.

Picture2.png

 

3.     Now the incident record is populated with the static field values you defined in your database incident task template.

 

Picture3.png

 

Using EvtMgmtCustomIncidentPopulator script to dynamically set field values

 

My customer wants to set the incident priority field based on event severity.  To accomplish this task, I use the EvtMgmtCustomIncidentPopulator script include to meet their requirement.

 

1.     First, create an alert rule with the condition under which you want to automatically open an incident.

    • Check auto open and select the type “incident”
    • Leave the type template blank

Picture1a.png

 

2.     Modify the EvtMgmtCustomIncidentPopulator script include.

 

          Here are the customer’s requirements for Priority:

    • if severity = Critical then set priority = Critical
    • if severity = Major then set priority = High
    • if severity = Minor then set priority = Moderate
    • if severity = Warning then set priority = Low
    • if severity = Info then set priority = Planning

 

          Because the Priority of an Incident is calculated from the values of both Impact and Urgency, we need to use the “priority data lookups” table below to get the correct result for the priority field.  Here are the possible combinations that produce the appropriate Priority:

 

Picture2a.png

 

     To modify the EvtMgmtCustomIncidentPopulator script, go to

 

  • System UI -> Script Include -> (search for) EvtMgmtCustomIncidentPopulator.  Modify the code as follows.  (I am sure some of you can write cleaner and better code than this example, but the following code does work.)

 

     Open the record and update the code as follows.

 

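var EvtMgmtCustomIncidentPopulator = Class.create();
EvtMgmtCustomIncidentPopulator.prototype = {
    initialize: function() {
    },
    type: 'EvtMgmtCustomIncidentPopulator'
};

// Called when an alert rule auto-opens a task. Sets Impact and Urgency from the
// alert severity so that the Priority lookup produces the required Priority.
EvtMgmtCustomIncidentPopulator.populateFieldsFromAlert = function(alert, task, rule) {
    if (alert.severity == '1') {           // Critical -> Priority Critical
        task.impact = '1';
        task.urgency = '1';
        return true;
    } else if (alert.severity == '2') {    // Major -> Priority High
        task.impact = '1';
        task.urgency = '2';
        return true;
    } else if (alert.severity == '3') {    // Minor -> Priority Moderate
        task.impact = '2';
        task.urgency = '2';
        return true;
    } else if (alert.severity == '4') {    // Warning -> Priority Low
        task.impact = '2';
        task.urgency = '3';
        return true;
    } else if (alert.severity == '5') {    // Info -> Priority Planning
        task.impact = '3';
        task.urgency = '3';
        return true;
    }
    // Other severity values leave impact and urgency unchanged.
};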

 

3.     Now the Priority of the incident record is populated dynamically based on the severity field of the alert.

 

Picture3a.png
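
The severity-to-priority mapping above can be checked outside the instance. The following plain-JavaScript example is added here and is not code from the original article or from ServiceNow: it restates the mapping as a table and confirms that each Impact/Urgency pair yields the required Priority. Assumptions: PRIORITY_LOOKUP is taken to be the default priority data lookup matrix (confirm it against your own instance), the function names are hypothetical, and alert and task are plain objects standing in for the platform records.

```javascript
// Assumed default Priority Data Lookup matrix: PRIORITY_LOOKUP[impact][urgency] -> priority.
// Confirm against the priority data lookup rules in your own instance.
const PRIORITY_LOOKUP = {
  1: { 1: 1, 2: 2, 3: 3 },
  2: { 1: 2, 2: 3, 3: 4 },
  3: { 1: 3, 2: 4, 3: 5 },
};
const PRIORITY_LABEL = { 1: 'Critical', 2: 'High', 3: 'Moderate', 4: 'Low', 5: 'Planning' };

// Alert severity -> Impact/Urgency pair, same values as the article's script.
const SEVERITY_MAP = {
  '1': { impact: 1, urgency: 1 }, // Critical
  '2': { impact: 1, urgency: 2 }, // Major
  '3': { impact: 2, urgency: 2 }, // Minor
  '4': { impact: 2, urgency: 3 }, // Warning
  '5': { impact: 3, urgency: 3 }, // Info
};

// Table-driven form of the mapping (hypothetical helper). Returns true when the
// fields were set and false when the severity has no entry; in the latter case
// the task is left untouched. This return convention is the example's own.
function populateFromSeverity(alert, task) {
  const entry = SEVERITY_MAP[String(alert.severity)];
  if (!entry) return false;
  task.impact = String(entry.impact);
  task.urgency = String(entry.urgency);
  return true;
}

// Priority label that the assumed lookup matrix derives for a task.
function expectedPriority(task) {
  const row = PRIORITY_LOOKUP[Number(task.impact)];
  const p = row && row[Number(task.urgency)];
  return p ? PRIORITY_LABEL[p] : null;
}

// Constructed sample alerts: severities 1-5 plus an unmapped value (0).
function demo() {
  return ['1', '2', '3', '4', '5', '0'].map(function (sev) {
    const task = {};
    const set = populateFromSeverity({ severity: sev }, task);
    return { severity: sev, set: set, priority: set ? expectedPriority(task) : null };
  });
}

console.log(demo());
```

If a requirement changes, only SEVERITY_MAP needs editing, and the check shows immediately whether the new pair still lands on the intended Priority.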