Post Processing

Post Processing is a feature of Creation Rules that allows for incredible flexibility when creating Incidents or Tasks. If the criteria driven Creation Rules are not enough for your use case, Alert Sync can do almost anything to a newly created Task or Incident using Post Processing and JavaScript.

Enabling Post Processing for a Creation Rule

To use Post Processing select the Post Processing checkbox. When checked, you will be provided with a script field where you can flesh out your more complex use cases. Post Processing includes an example script baked into the product to give you an idea of what it is capable of and how to use the feature.

Variables and Their Use

Post Processing provides you with two variables. scomAlertRecord and createTask which provide you with the current alert being processed and the basic new task record created by the Creation Rule respectively. The new task record contains all the details set previously in the Creation Rule UI to allow you to jump straight into customization for your use case. Either of these objects can be updated in the script so you can add to the alert history or change the linked incident (as in the re-opening example below).

This does also mean that you can update or overwrite other alert properties which can be detrimental

To abort creation of a new Task / Incident entirely set the createTask cancelCreation property to true as shown in the Re-opening example later.

scomAlertRecord Properties

Property

Equivalent SCOM Alert Property

Additional notes

alertid

Id

alert_activity

N/A

Any alert history events. An example exists under the Reopening an Incident example below.

category

Category

context

Context

customfield1

CustomField1

Dependent on BiDirectional Sync and/or Advanced Updates

customfield10

CustomField10

customfield2

CustomField2

Dependent on BiDirectional Sync and/or Advanced Updates

customfield3

CustomField3

Dependent on BiDirectional Sync and/or Advanced Updates

customfield4

CustomField4

Dependent on BiDirectional Sync and/or Advanced Updates

customfield5

CustomField5

Dependent on BiDirectional Sync and/or Advanced Updates

customfield6

CustomField6

customfield7

CustomField7

customfield8

CustomField8

customfield9

CustomField9

description

Description

hasscomupdate

N/A

Indicates to AlertSync that there is an update to sync back to SCOM

incident

TicketId

Dependent on BiDirectional Sync and/or Advanced Updates

incident_creation_rule

N/A

This is the Creation rule that the alert has matched against.

ismonitoralert

IsMonitorAlert

lastmodified

LastModified

managementgroup

ManagementGroup

managementpackdisplayname

N/A

Drawn from underlying workflow

managementpackname

N/A

Drawn from underlying workflow

monitoringobjectdisplayname

MonitoringObjectDisplayName

monitoringobjectfullname

MonitoringObjectFullName

monitoringobjectid

MonitoringObjectId

monitoringobjectinmaintenancemode

MonitoringObjectInMaintenanceMode

Not so useful on rule based alerts as going into maintenance mode usually closes the alert

monitoringobjectname

MonitoringObjectName

monitoringobjectparentids

N/A

Drawn from underlying object

monitoringobjectpath

MonitoringObjectPath

name

Name

netbioscomputername

NetbiosComputerName

owner

Owner

Dependent on BiDirectional Sync and/or Advanced Updates

parameters

Parameters

principalname

PrincipalName

priority

Priority

repeatcount

RepeatCount

resolutionstate

ResolutionState

resolutionstatename

N/A

severity

Severity

sitename

SiteName

sys_created_by

N/A

ServiceNow property detailing what account created the record (your service account)

sys_created_on

N/A

ServiceNow property detailing when the record was created (not to be confused with timeraised)

sys_id

N/A

ServiceNow unique record ID (a guid without the dashes)

sys_mod_count

N/A

ServiceNow property for modification count

sys_tags

N/A

Servicenow text labels for organisation purposes

sys_updated_by

N/A

ServiceNow property showing who last updated the record

sys_updated_on

N/A

ServiceNow property showing when the record was last updated

timeraised

TimeRaised

The time/datestamp related to the alert being raised in SCOM

timeresolved

TimeResolved

wait_completed

N/A

Used by AlertSync to indicate if the alert went through a wait rule successfully

workflowdisplayname

N/A

Drawn from underlying workflow

workflowname

N/A

Drawn from underlying workflow

createTask Properties

Property

UI label

Additional notes

active

Active

activity_due

Activity due

additional_assignee_list

Assitional assignee list

approval

Approval

approval_history

Approval history

Journal type

approval_set

Approval set

assigned_to

Assigned to

Reference to User (sys_user) table

assignment_group

Assignment group

Reference to Group (sys_user_group) table

business_duration

Business duration

business_service

Service

Reference to Service (cmdb_ci_service) table

calendar_duration

Duration

cancelCreation

N/A

Added temporarily and utilized only by creation rules.

closed_at

Closed

closed_by

Closed by

Reference to User (sys_user) table

close_notes

Close notes

cmdb_ci

Configuration item

Reference to Configuration Item (cmdb_ci) table

comments

Additional comments

Journal Input type

comments_and_work_notes

Comments and Work Notes

Journal List type (you probably want either the comments or work_notes properties)

company

Company

Reference to Company (core_company) table

contact_type

Contact type

contract

Contract

Reference to Contract (ast_contract) table

correlation_display

Correlation display

correlation_id

Correlation ID

delivery_plan

Delivery plan

Reference to Execution Plan (sc_cat_item_delivery_plan) table

delivery_task

Delivery task

Reference to Execution Plan Task (sc_cat_item_delivery_task) table

description

Description

due_date

Due date

escalation

Escalation

expected_start

Expected start

follow_up

Follow up

group_list

Group list

List type referencing Group (sys_user_group) table

impact

Impact

knowledge

Knowledge

location

Location

Reference to Location (cmn_location) table

made_sla

Made SLA

number

Number

The user friendly task/incident number

opened_at

Opened

opened_by

Opened by

Reference to User (sys_user) table

order

Order

parent

Parent

Reference to Task (task) table

priortity

Priority

Function of impact and urgency see default example

reassignment_count

Reassignment count

rejection_goto

Rejection goto

Reference to Task (task) table

route_reason

Route reason

service_offering

Service offereing

Reference to Service Offering (service_offering) table

short_description

Short description

sla_due

SLA due

state

State

sys_class_name

Task type

System Class Name type

sys_created_by

Created by

sys_created_on

Created

sys_domain

Domain

Domain ID type - Used with domain separation

sys_domain_path

Domain Path

Domain Path type - Used with domain separation

sys_id

Sys ID

Table key

sys_mod_count

Updates

sys_tags

N/A

sys_updated_by

Updated by

sys_updated_on

Updated

task_effective_number

Effective number

time_worked

Time worked

universal_request

Universal Request

Reference to Task (task) table

upon_approval

Upon approval

upon_reject

Upon reject

urgency

Urgenency

user_input

User input

watch_list

Watch list

List type referencing User (sys_user) table

wf_activity

Workflow activity

Reference to Workflow Activity (wf_activity) table

work_end

Actual end

work_notes

Work notes

Journal Input type

work_notes_list

Work notes list

List type referencing User (sys_user) table

work_start

Actual start

Example Script (Default)

This script is the one shown initially when enabling Post Processing. It updates a Tasks description based on multiple alert fields and then sets its Impact and Urgency based on the alerts Severity and Priority. This therefore also sets the Tasks priority as this is based on a Tasks Impact and Urgency.

(function postprocessing(scomAlertRecord, createdTask) {
    // Use the below code to further update your incident or task and customize the record created.
    // scomAlertRecord = the inbound SCOM alert from your Management Group, as detailed in the SCOM Alerts table
    // createdTask = the Incident or Task created from the first tab of your creation rule
    // createdTask.cancelCreation = a boolean indicating whether this task creation should be canceled

    // Update the description to be the alert name and the server name
    createdTask.description = scomAlertRecord.name + 'on server ' + scomAlertRecord.principalname;

    // Programatically setting Impact and Urgency
    var scomPriority = scomAlertRecord.getValue('priority');
    var scomSeverity = scomAlertRecord.getValue('severity');
    if (scomSeverity == 'Error') {
        if (scomPriority == 'High') {
            createdTask.impact = 1;
            createdTask.urgency = 2;
        } else {
            createdTask.impact = 2;
            createdTask.urgency = 2;
        }
    } else if (scomSeverity == 'Warning') {
        if (scomPriority == 'High') {
            createdTask.impact = 2;
            createdTask.urgency = 2;
        } else {
            createdTask.impact = 2;
            createdTask.urgency = 3;
        }
    } else if (scomSeverity == 'Information') {
        createdTask.impact = 3;
        createdTask.urgency = 3;
    }


})(scomAlertRecord, createdTask);

Example Script (Re-open existing task/incident)

This script demonstrates how to re-open a previously resolved Task/Incident that matches our alert and then abort the creation of a new one. It updates a Tasks short description to make it more specific and then searches for resolved tasks that match. If it finds them it puts them to an 'In Progress' state and then links them to our alert and aborts the creation of a new record for the alert.

(function postprocessing(scomAlertRecord, createdTask) {
	// Use the below code to further update your incident or task and customize the record created.
	// scomAlertRecord = the inbound SCOM alert from your Management Group, as detailed in the SCOM Alerts table
	// createdTask = the Incident or Task created from the first tab of your creation rule
	// createdTask.cancelCreation = a boolean indicating whether this task creation should be canceled

	// ---------------------------------------------
	// Re-opening existing task/incident example script
	// ---------------------------------------------

	//Figure out what table we are using for this creation rule
	var Table = createdTask.getTableName();
	
	// Create a GlideRecord object which we'll use for searches
	var gr = new GlideRecord(Table);
	
	// ------------------------------------------------------------------
	// Configure the incident values, combinding some SCOM properties
	// ------------------------------------------------------------------
	
	// We will append the object name to the short description for user convinence
	createdTask.short_description = scomAlertRecord.name + ' - ' + scomAlertRecord.monitoringobjectfullname;
    
	// Short description must match and state must be 6 (Resolved)
	gr.addQuery('short_description', createdTask.short_description);
	gr.addQuery('state', 6);
 
	// Execute the query and proceed to check for results 
	gr.query();
	
	// ------------------------------------------------------------------
	// Create or update a task based on the search results
	// ------------------------------------------------------------------
 
	if (gr.next()) {
		// Existing record found, change the status to In Progress
		gr.state = 2;
		gr.work_notes = 'Re-opened from SCOM Alert';
		gr.update('Re-opened from SCOM Alert');
 
		// Store the existing record to our SCOM record
		scomAlertRecord.incident = gr.sys_id;
		
		// Add note to alert history tab to indicate what happened there as well
		scomAlertRecord.alert_activity = 'Found existing ' + Table + ' ' + gr.number;
		
		// Cancel the creation of new task as we have found an existing one that matches
		createdTask.cancelCreation = true;
 
    } else {
		// No matching incidents, continue with creation
    }
})(scomAlertRecord, createdTask);

Example Script (Link to web-page/dashboard)

This script demonstrates how to add work notes with links in them to a third party source. The link is built up using properties pushed up with the alert, so as long as the target is based around something pushed in the alert record you can build this up as you see fit. Examples might be linking to the SCOM web console or a third party SCOM dashboard should that be desirable (perhaps to quickly get at performance data). Similarly you could use this to link off to something like SharePoint, Confluence or an internal Wiki if there would be further context there. Finally if this is coming from something like an Azure, AWS, something that knows about IPMI, etc. you could potentially link directly to their portal using the monitoring object name or details in the alert context.

(function postprocessing(scomAlertRecord, createdTask) {
    // Use the below code to further update your incident or task and customize the record created.
    // scomAlertRecord = the inbound SCOM alert from your Management Group, as detailed in the SCOM Alerts table
    // createdTask = the Incident or Task created from the first tab of your creation rule
    // createdTask.cancelCreation = a boolean indicating whether this task creation should be canceled

	// ------------------------------------------------------------------
	// Linking to third party dashboarding example script
	// ------------------------------------------------------------------
	
	// Set a variable to build up the note in
	var Worknote;
	
	// Set our base addresses so we don't have to repeat ourselves 
	var Address = 'https://monitoring.domain.tld/drilldown';
	var AzurePortal = 'https://portal.azure.com#@domain.tld/resource';
	
	// Build up a link to the alert dipping into HTML where required
	// On click open it in a new window
	Worknote = 'Alert Dashboard: [code]<a href="' + Address + '/scomalert?id=' + scomAlertRecord.alertid.toString() + ' "target="_blank">' + scomAlertRecord.name.toString() + '</a>[/code]' + '\n';
	
	// Build up a link to the object dipping into HTML where required
	// On click open it in a new window
	Worknote = Worknote + 'Object Dashboard: [code]<a href="' + Address + '/scomobject?id=' + scomAlertRecord.monitoringobjectid.toString() + ' "target="_blank">' + scomAlertRecord.monitoringobjectdisplayname.toString() + '</a>[/code]' + '\n';
	
	// If this is from the Azure Management pack link directly to the portal
	// You would probably make checks like this from the Creation Rule filter 
	// However if there is an indicator in the alert context or CI you would probably make that check here instead
	if (scomAlertRecord.managementpackname == 'Microsoft.SystemCenter.MicrosoftAzure') {
		Worknote = Worknote + 'Azure Portal: [code]<a href="' + AzurePortal + scomAlertRecord.monitoringobjectname.toString() + ' "target="_blank">' + scomAlertRecord.monitoringobjectdisplayname.toString().split(' ')[0] + '</a>[/code]' + '\n';
	}
	
	// Assign the details built above to a worknote on the raised task
	createdTask.work_notes = Worknote;
	
})(scomAlertRecord, createdTask);

Example Script (Raise a problem on repeated alerts)

This script demonstrates one of the options for raising a problem automatically. We look up all instances of the alert on the object in the last 30 days (using a GlideSystem method) that generated a task/incident. If there are 4 or more existing records we need to make sure a problem exists. If there is an existing problem linked to the newest matching record we simply link to that one. If there is no problem on the newest incident we raise a new problem (assuming the required permissions are present) and link this problem to all records that don’t already have a problem.

(function postprocessing(scomAlertRecord, createdTask) {
    // Use the below code to further update your incident or task and customize the record created.
    // scomAlertRecord = the inbound SCOM alert from your Management Group, as detailed in the SCOM Alerts table
    // createdTask = the Incident or Task created from the first tab of your creation rule
	
	var grAlert = new GlideRecord("x_oklt_cookdown_sc_scom_alerts");
	
	// Find alerts from the last 30 days
	grAlert.addQuery('timeraised', '>=' ,gs.beginningOfLast30Days());
	
	// With the same Object ID
	grAlert.addQuery('monitoringobjectid',scomAlertRecord.monitoringobjectid);
	
	// With the same Rule/Monitor
	grAlert.addQuery('workflowname',scomAlertRecord.workflowname);
	
	// Where a task/incident was raised
	grAlert.addNotNullQuery('incident');
	
	// Put the first record rasied first
	grAlert.orderByDesc('timeraised');
	
	// Execute Query
	grAlert.query();
	grAlert.next();
	
	// We assume here that if the newest Task/Incident doesn't have a problem that none of them do
	// You may need additional logic here if this does not fit your scenario
	
	if ((grAlert.getRowCount() >= 4) && (grAlert.incident.getRefRecord().problem_id != '')) {
		// If this is the 5th (or greater) ticket and there is an existing problem
		
		//Log the scenario (pulling details from linked records)
		scomAlertRecord.alert_activity = "Found " + grAlert.getRowCount().toString() + " matching records and an existing problem: " + grAlert.incident.getRefRecord().problem_id.getRefRecord().number;
		
		// We have previously raised a problem, link it to the new Incident/Task
		createdTask.problem_id = grAlert.incident.getRefRecord().problem_id;
		
	} else if (grAlert.getRowCount() >= 4) {
		// If this is the 5th (or greater) ticket and there is no existing problem
		
		//Log the scenario
		scomAlertRecord.alert_activity = "Found " + grAlert.getRowCount().toString() + " matching records and no existing problem";

		// Start work against the problem table
		var grPrb = new GlideRecord("problem");
		
		// Start the new record
		grPrb.initialize();
		
		// Short description is mandatory 
		// You may wish to populate other fields, the createdTask properties can be a good reference point as they should line up
		grPrb.short_description = "Problem raised to deal with repeated " + scomAlertRecord.name + " alerts from " + scomAlertRecord.monitoringobjectdisplayname;
		
		// Set the first reported task to the incident raised by the first recorded SCOM alert
		grPrb.first_reported_by_task = grAlert.incident;
		
		// Insert the record and link the task
		createdTask.problem_id = grPrb.insert();
		
		// Log the created problem number
		scomAlertRecord.alert_activity = "Raised a new problem: " + grPrb.number;
		do {
			// Loop through each alert matching alert
			
			// Look up the incident
			var incident = grAlert.incident.getRefRecord();
			
			// If no existing problem, set the corresponding problem
			// Despite the assumtions earlier we don't want to clobber other problems if they exist
			if (! incident.problem_id) {
				// Set the problem
				incident.problem_id = createdTask.problem_id;
				
				// Update the incident
				incident.update();
			}

		} while (grAlert.next());
	}
	else {
		// Log the scenario
		scomAlertRecord.alert_activity = "Found " + grAlert.getRowCount().toString() + " matching records, not raising a problem";
	}
	
	// Finish and let the creation rule deal with creating the current incident
})(scomAlertRecord, createdTask);