Advanced ServiceNow Configuration - Advanced Creation Rules
The Advanced tab under Creation Rules provides you with a number of options for Alert processing after an Incident or Task has been created.
Correlate Server Down Alerts
When this option is enabled, alerts raised after a ‘Server down' alert such as ‘Heath Service Heartbeat Failure’ or 'Failed to Connect to Computer’ are assigned to the Incident linked to the relevant active alert. This prevents any additional alerts from raising Incidents / Tasks when the likely cause is already being looked at.
Additional scenarios are possible and would be supported using Post Processing.
(Video) Server Down Correlation Explained (15 Mins)
Alert Closed Incident State
This option automatically sets the state of an Incident when an alert is closed in SCOM. For example, you may wish to set your Incident to the ‘Resolved’ state. When using the Alert Sync service account as the caller you do not usually need to do anything other than set the desired state to enable this functionality.
In customized ServiceNow instances or if using an alternate caller you may need to create or adjust your ServiceNow ‘Data Policy’ to allow these Incidents to be closed. We have further reading on this topic here.
Advanced Alert Updates
If you wish to adjust how Bidirectional Sync updates alerts in SCOM, enabling 'Advanced Alert Updates' allows you to customize this feature using JavaScript. It will run whenever SCOM requests updates on an Incident and allows you to populate custom fields with new data or make adjustments to existing data. Advanced Alert Updates includes an example script baked into the product to give you an idea of what it is capable of and how to use the feature.
Unlike Post-Processing, Advanced Alert Updates overrides the default configuration. For example you will need to define your own alert closure criteria and set the resolution state to 255 yourself.
Example Script (Default)
This script is the one shown initially when enabling Advanced Alert Updates. It replicates what happens in Bidirectional Sync by default. It has all the custom fields set out and ready for assignment so you can simply uncomment and assign the required data.
(function updatescomAlert(incidentRecord, scomAlertRecord, scomAlertUpdatePayload) {
// The incident connected to this alert is available as incidentRecord
// The SCOM alert is available as scomAlertRecord
// The alertUpdates object is available to update any SCOM properties
// The alertId is used to link this to the alert in SCOM, don't change this unless you know what you're doing
// TYPE: string
scomAlertUpdatePayload.AlertId = scomAlertRecord.alertid.toString();
// TYPE: string
scomAlertUpdatePayload.TicketId = incidentRecord.number.toString();
// TYPE: string
scomAlertUpdatePayload.CustomField1 = incidentRecord.assignment_group.getDisplayValue();
// TYPE: string
scomAlertUpdatePayload.CustomField2 = incidentRecord.business_service.getDisplayValue();
// TYPE: string
scomAlertUpdatePayload.CustomField3 = incidentRecord.cmdb_ci.getDisplayValue();
// TYPE: string
scomAlertUpdatePayload.CustomField4 = incidentRecord.state.getDisplayValue();
// TYPE: string
// scomAlertUpdatePayload.CustomField5 = "Custom field data"
// TYPE: string
// scomAlertUpdatePayload.CustomField6 = "Custom field data"
// TYPE: string
// scomAlertUpdatePayload.CustomField7 = "Custom field data"
// TYPE: string
// scomAlertUpdatePayload.CustomField8 = "Custom field data"
// TYPE: string
// scomAlertUpdatePayload.CustomField9 = "Custom field data"
// TYPE: string
// scomAlertUpdatePayload.CustomField10 = "Custom field data"
// TYPE: string
scomAlertUpdatePayload.Owner = incidentRecord.assigned_to.getDisplayValue();
// TYPE: int
// if(scomAlertRecord.resolutionstate != 255){
// scomAlertUpdatePayload.ResolutionState = 254;
//}
})(incidentRecord, scomAlertRecord, scomAlertUpdatePayload);
Advanced Incident / Task Updates
If you wish to adjust how to update a created Incident or Task, based on new updates from the SCOM alert, enabling ‘Advanced Incident / Task Updates' will allow you to do this using JavaScript. It will run whenever SCOM changes an alert record. 'Advanced Incident / Task Updates’ comes with an example script baked into the product to give you an idea of what it is capable of and how to use the feature.
Unlike Post-Processing, Advanced Incident/Task Updates overrides the default configuration. Any changes made here override the defaults.
Example Script (Default)
This script is the one shown initially when enabling ‘Advanced Incident / Task Updates'. It replicates what happens in ‘Alert Closed Incident State’ by default. If your Service Now data policy precludes you from using the simple 'Alert Closed Incident State’ feature for example you could use this feature to shape these updates to fit your use case.
(function updateServiceNowIncident(incidentRecord, scomAlertRecord) {
// The incident connected to this alert is available as incidentRecord
// The SCOM alert is available as scomAlertRecord
// If you make modifications to the incident that you would like to save
// you will need to incidentRecord.update('my update notes')
// if the SCOM alert is closed, resolve the incident with a note
if(scomAlertRecord.resolutionstate == 255){
// update the incident to resolved
incidentRecord.state = 6;
// add a note in the activity
incidentRecord.work_notes = "This alert has resolved in SCOM.";
incidentRecord.update('The alert has closed in SCOM');
}
})(incidentRecord, scomAlertRecord);