Create an alert management rule

  • Release version: Australia
  • Updated March 12, 2026

  Create an alert management rule to track alerts and resolve them by determining the required response, for example, to open an incident or launch remediation action.

    Before you begin

    To enable remediation with a subflow, you can use a subflow that is available with the base system, or you can create your own subflow. For details, see Create a custom subflow for alerts.

    Role required: evt_mgmt_admin, flow_designer

    About this task

    Use alert management rules to track and resolve alerts.

    To automate alert responses with an easier interface, you can also create a respond automation in Service Operations Workspace. For more information, see Create Respond automation.

    While working in the alert management rule designer, you can work in multiple sections without losing information in any section.

    Note:
    • Alert management rules that are not configured to perform any action are skipped and the rule is automatically set to inactive.
    • If an alert is bound to a CI by a user action (such as an alert management rule) and the CI is in the Maintenance state, you must manually bind the CI to the alert and mark it with the In Maintenance status.
    Create alert management rules that:
    • Locate other alert management rules that have relevance to the selected alert.
    • Determine when the execution of the rule takes place.

    Alert management rules do not necessarily complete in the order in which they are invoked.

    You can configure alert management rules to:
    • Automatically generate and link incidents, tasks, or knowledge articles to alerts.
    • Automatically apply a remediation workflow or enable users to manually run remediation.
    • Automatically construct a URL according to the value of specified fields in the alert.

    To assist you, several alert management rules are provided with the base system. You can use them as presented or you can use them as examples to build custom alert management rules.

    Table 1. Alert management rules provided with the base system
    Rule | Description | Active
    Open sensor dashboard in PRTG | The sensor dashboard in the Paessler PRTG Network Monitor (PRTG) application opens. | Yes
    Oracle EM Launch Target Status and View Events | Launch Oracle Enterprise Manager to view: Target Status; Event for alerts from source Oracle EM. | Yes
    Drilldown to OMI | Drill down to the HP Operations Manager i (OMi) application. | Yes
    Create Incident on Primary Critical Alert | Create an incident for primary critical alerts. The incident can be created automatically or manually. | No
    Search Google for "description" | Open Google Search in a browser to search for data according to the description that appears in the alert. | Yes
    Create Incident | Create an incident for all alerts that are not in maintenance state. The rule runs automatically on selective update. | No
    Create Incident Manually | Manually create an incident for alerts that are not in maintenance state. | Yes
    Create Major Incident Candidate | Create a major incident candidate for all alerts that are not in maintenance state and are not secondary alerts. A major incident candidate can be promoted to become a major incident. | No
    Create Major Incident | Create a major incident for all alerts that are not in maintenance state and are not secondary alerts. | No

    If your instance was upgraded from Kingston, the alert action rules that were provided with the Kingston base system are available to you. However, if you modified any of the rules, the changes made are not carried over.

    Alert management rules run 5 seconds after an alert is updated, and the timer resets if further updates occur within that window. This delay ensures that remediation actions, such as incident creation, are triggered only when the issue is clear and stable, which reduces duplicates and unnecessary noise. To change the default 5-second delay, navigate to All > System Properties > All Properties, create the evt_mgmt.alert_rule_delay property, and set its value. For instructions on creating a property, see Add a system property.
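
The effect of the delay on a burst of updates, as an added JavaScript illustration that is not ServiceNow code. It assumes one timer per alert and millisecond timestamps; the function name, field names and sample updates are constructed for the example.

```javascript
// Added illustration (not ServiceNow code): a resettable timer per alert.
// Assumptions: timers are per alert; times are in milliseconds; the sample
// data below is constructed.
function evaluationTimes(updates, delayMs = 5000) {
  const pending = new Map(); // alert id -> { last: last update time, n: updates waiting }
  const evaluations = [];
  const sorted = [...updates].sort((a, b) => a.t - b.t);
  for (const { alert, t } of sorted) {
    const p = pending.get(alert);
    if (p && t - p.last >= delayMs) {
      // The timer expired before this update arrived: rules were evaluated.
      evaluations.push({ alert, at: p.last + delayMs, coalesced: p.n });
      pending.set(alert, { last: t, n: 1 });
    } else {
      // First update, or an update inside the window: (re)start the timer.
      pending.set(alert, { last: t, n: (p ? p.n : 0) + 1 });
    }
  }
  // Timers still running at the end of the input expire undisturbed.
  for (const [alert, p] of pending) {
    evaluations.push({ alert, at: p.last + delayMs, coalesced: p.n });
  }
  return evaluations.sort((a, b) => a.at - b.at);
}

// Constructed sample: alert A is updated four times in six seconds and once
// more later; alert B is updated once.
const SAMPLE_UPDATES = [
  { alert: 'A', t: 0 }, { alert: 'B', t: 1000 }, { alert: 'A', t: 2000 },
  { alert: 'A', t: 4500 }, { alert: 'A', t: 6000 }, { alert: 'A', t: 20000 },
];

console.log(evaluationTimes(SAMPLE_UPDATES));              // 5-second window
console.log(evaluationTimes(SAMPLE_UPDATES, 1000).length); // shorter window
```

With the 5-second window the four early updates to alert A produce a single rule evaluation; with a 1-second window the same input produces six evaluations, which is the duplicate-action noise the delay is meant to suppress.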

    Procedure

    1. Navigate to Event Management > Rules > Alert Management Rules.
    2. Click New and then fill in the fields.
      Table 2. Alert Management Rule form
      Field | Description
      Name | Unique name for the rule.
      Active | Check box for enabling the rule. If this check box is selected, you must specify:
      • in the Alert Filter section, an alert filter
      • in the Actions section, at least one of these actions:
        • active subflow
        • workflow
        • quick response
      Order | Order in which rules are evaluated when multiple rules are defined for the same alert. Alert management rules are evaluated in ascending order. The default value is 100.
      Multiple alert rules | Instruction about whether to search for additional rules:
      • Search for additional rules: Execute the current rule, then continue and execute other matching rules in the order of rule priority, where the lower number has the higher priority.
      • Stop search for additional rules: Execute only the current rule for the alert that matches the filter.

        When selecting this option, a rule configured second in a rule hierarchy may run before the results of the first rule take effect.

      Description | Descriptive text for the rule.
      Assignment group | Assignment group that works on the alert.

      If no assignment group is defined in the alert rule, the alert rule is considered a global rule.

      When rules run, the global rules run first, followed by the rules that belong to the assignment group of the alert.

    3. Click Alert Filter and specify conditions for alerts that this rule is applied to.
      Table 3. Alert Filter stage
      Field | Description
      Rule is activated when | Rule execution takes place when:
      • Alert changes to filter: Content changes to the alert cause the alert to match the filter. If the filter is still matched on a following update of the alert, the rule is not applied. If the alert was closed and then reopens, the rule is applied at the next update of the alert on which the filter is matched. Thereafter, when the alert is updated, the rule is no longer applied.
      • Alert matches filter: The content of the alert matches the filter. On each following update of the alert, if the filter is matched, the rule runs and is applied to the alert. The rule remains applied for every matching update.
      Preview | Function to preview alerts that match the specified condition. A hyperlink shows how many alerts match the filter.

      If you click the hyperlink, the browser opens another tab that lists alerts in the Alerts [em_alert_list] table. The list shows which alerts match the rule, including closed alerts. Alerts that the rule has already run on are not marked in any way. You can click any alert to view further details.

      Conditions | Conditions that, if fulfilled, cause the filter to be applied. For more information about building conditions, see Using the condition builder.
      To add another condition, click New Criteria.
      Note:
      The Created on condition is not invoked when running the Event Management - Evaluate Alert Management Rules job. Instead, use the Updated on condition, as the job detects alerts based on the time they were updated and not on the time they were created.
      Related List Conditions | Conditions to include a relationship with another table in the filter.
      1. Click Table and select the required table.
      2. Specify the conditions for this filter.
      For more information about creating related lists, see Add related list conditions.
    4. Click Actions.
      In this section, you can configure the following action types as a response to alerts or to remediate alerts:
      • Remediation Subflows: Execute a subflow provided with the base system.
      • Launch Applications: Open applications and browsers that you configure.
      Note:
      The Remediation Workflows option is deprecated. To enable flows to be triggered by alerts, use the Flow Designer.
    5. Optional: In the Remediation Subflows section, follow these instructions to add subflows:
      1. Under Subflow, double-click the cell.
      2. Click the search icon.
        The list of subflows provided with the base system appears. For more information, see Event Management subflows in the base system.
      3. From the subflow list, select a subflow.
      4. Repeat, adding as many subflows as required.

      5. To specify when the subflow must be executed, double-click the cell under Execution.
        Table 4. Subflow execution options
        Name | Description
        Automatic | The subflow is executed automatically when the rule is matched.
        Manual | Execute the subflow if required when the rule is matched.
        Both | When the rule is matched, the subflow is executed automatically and you can optionally execute the subflow again manually.
      6. Under Automatic executions limit, double-click the cell and enter the integer number of times to execute the subflow.
        After the subflow has been executed the indicated number of times, it does not run anymore.
      7. To enable the subflow to be executed, double-click the cell under Active and select true.
        A link in the cell under Link to Flow Designer appears only after a subflow has been selected and the rule has been saved.

    6. To add instructions to launch applications or to open browser windows, in the Launch Applications area:
      1. Under Display Name, double-click the cell.
        Specify a name for the link.
      2. In the URL field, compose the URL using data from the alert in the format: http://${source}.com:${port}/${cmdb_ci.name}
        The Active field is automatically updated.

        Any URL-based action can utilize the alert parameters and the URLs can refer to wikis, messaging services, REST APIs, and so on.

    7. Click Submit.

    Result

    The alert management rule is added to the list of available rules that can be used to resolve alerts.
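
The two "Rule is activated when" options from the Alert Filter stage, modeled over a sequence of updates to one alert. This is an added JavaScript illustration, not ServiceNow code; the mode names 'changes' and 'matches', the field names, the state values and the sample updates are constructed, and the reopened alert is assumed to fire on the reopening update itself when it matches.

```javascript
// Added illustration (not ServiceNow code): which updates of one alert cause
// a rule to be applied under each activation option described in Table 3.
function ruleFirings(updates, filter, mode) {
  const fired = [];
  let prevMatched = false; // did the previous update match the filter?
  let prevState = null;    // state of the alert at the previous update
  updates.forEach((alert, i) => {
    const matched = filter(alert);
    if (mode === 'matches') {
      // "Alert matches filter": applied on every update that matches.
      if (matched) fired.push(i);
    } else if (mode === 'changes') {
      // A closed alert that reopens is eligible again: forget the old match.
      if (prevState === 'Closed' && alert.state !== 'Closed') prevMatched = false;
      // "Alert changes to filter": applied only when the alert starts to match.
      if (matched && !prevMatched) fired.push(i);
    } else {
      throw new Error(`unknown mode: ${mode}`);
    }
    prevMatched = matched;
    prevState = alert.state;
  });
  return fired;
}

// Constructed sample: severity rises to Critical, the alert is updated again,
// closed, reopened, and updated once more.
const SAMPLE_ALERT_UPDATES = [
  { severity: 'Minor', state: 'Open' },
  { severity: 'Critical', state: 'Open' },
  { severity: 'Critical', state: 'Open' },
  { severity: 'Critical', state: 'Closed' },
  { severity: 'Critical', state: 'Reopen' },
  { severity: 'Critical', state: 'Reopen' },
];
const isCritical = (alert) => alert.severity === 'Critical';

console.log('changes:', ruleFirings(SAMPLE_ALERT_UPDATES, isCritical, 'changes'));
console.log('matches:', ruleFirings(SAMPLE_ALERT_UPDATES, isCritical, 'matches'));
```

Under "Alert matches filter" the rule is applied on five of the six updates, so an automatic action such as incident creation depends on the Automatic executions limit to avoid repeating; under "Alert changes to filter" it is applied only on the first match and again after the reopen.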