Description

Sometimes you want to fire automation not only when a new alert is created but also when an existing alert changes, for example a severity change where the alert has been escalated from a minor severity to a major or critical severity. When the alert was created with a minor severity no automation was required, but now that it has been escalated because the problem has persisted or got worse, automation needs to kick in.
Changed Alert Criteria

So what constitutes a changed alert? Any field, internal or custom, that changes in an alert once it has been created is deemed to be an alert change and will therefore be subject to selectors defined against an automation type of 'N - Run on New Alerts' or 'C - Run on Changed Alerts'.
Beware

One of the major considerations when defining automation against a changed alert is that the automation may itself cause the instigating alert to be updated again, potentially causing an indefinite loop. Using the previous example, automation on an alert has been triggered by a severity escalation to Critical, and that automation creates a Trouble Ticket reference which is subsequently added to the originating alert. The addition of the trouble ticket reference to the originating alert will cause the alert to be changed again, which could then fire the automation again to create another trouble ticket, and so on.
You should therefore ensure that the selection criteria that trigger the automation are defined to protect against such an indefinite loop. Again using the same example, the 'Selector' would be defined to only run on a changed alert when the incidentId, or whichever field is populated with the trouble ticket reference, is blank or null.
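The loop and its guard can be modelled outside BES. The following Python sketch is an added example, not BES selector syntax or product code: the function names, the `TT-` reference format and the run cap are assumptions made for the illustration, and only the `incidentId` field name comes from the text above.

```python
# Model of the changed-alert loop described above; not BES selector syntax.
MAX_RUNS = 5  # assumed safety cap so the unguarded case terminates in this demo

def unguarded(alert):
    # Matches any changed alert whose severity is Critical.
    return alert["severity"] == "Critical"

def guarded(alert):
    # Additionally requires the ticket reference field to be blank or null.
    return alert["severity"] == "Critical" and not alert.get("incidentId")

def create_ticket(alert, tickets):
    # Automation: raise a ticket and write its reference back to the alert.
    ref = f"TT-{len(tickets) + 1:04d}"  # constructed reference format
    tickets.append(ref)
    alert["incidentId"] = ref
    return True  # the write-back is itself an alert change

def process_change(alert, selector, max_runs=MAX_RUNS):
    """Re-evaluate the selector after every change to the alert.

    Returns (tickets_created, hit_cap)."""
    tickets = []
    changed = True  # the initial severity escalation
    runs = 0
    while changed and runs < max_runs:
        changed = False
        if selector(alert):
            changed = create_ticket(alert, tickets)
            runs += 1
    return tickets, changed and runs >= max_runs

def escalated_alert():
    # Constructed sample alert, already escalated to Critical, no ticket yet.
    return {"id": "A1", "severity": "Critical", "incidentId": None}

if __name__ == "__main__":
    for name, selector in (("unguarded", unguarded), ("guarded", guarded)):
        tickets, hit_cap = process_change(escalated_alert(), selector)
        print(f"{name}: {len(tickets)} ticket(s), stopped by cap: {hit_cap}")
```

With the unguarded selector only the cap stops ticket creation; with the guarded selector the alert drops out of the selector as soon as `incidentId` is populated.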
Setting Up

Here is how to set things up in BES within the 'Active Alert Display (AAD)' of the 'Business Service Dashboard (BSD)'. This process assumes a reasonable knowledge of BES and the BSD; you can also refer to the relevant documentation here.
1. Create a selector via the AAD, paying particular attention to the 'Beware' section above. Once created, you can easily see which active alerts are currently matching the selector.
2. Create the automation definition.
3. Manually fire the automation definition against an alert using the selector defined in 1. Does the alert get updated as a result? Check the AlertHistory for changes. If the alert is updated and still appears in the selector, then you will need to change the selector to provide additional criteria so that the alert is excluded from the selector after the automation has run and the alert has been updated.
4. Once the selector and automation are configured correctly, create an 'Automation' to link the selector with the automation definition, based on a type of 'C' or 'B'.