Forum Discussion

Cole_McDonald's avatar
Cole_McDonald
Icon for Professor rankProfessor
2 months ago
Solved

Duplicate Tickets Generated for Alert

We're getting duplicate tickets generated for each alert Host Status.  Can't quite figure out what is causing it.  Same Alert ID... When the alert closes... one ticket closes, the other doesn't.  I've seen this in the past with having separate alert rules for error vs. critical... The association in ##EXTERNALTICKETID## only respects the most recent ticket created per integration.

I've started at the dataSource's thresholds and made my way through the alert -> rule -> escalation -> integration... everything suggests it should only create one ticket per alert.

We have thresholds defined at the /Clients group level in most cases to make sure we're not touching the DS itself to make those changes so updating is easier.  I've verified that only Critical creates tickets there.

  • Mike_Moniz's avatar
    Mike_Moniz
    2 months ago

    What does the integration log show? It should show all the API requests being sent to your ticketing system. I would expected if it's sending multiple ACTIVE calls for example, it would show up there.

5 Replies

  • Cole_McDonald's avatar
    Cole_McDonald
    Icon for Professor rankProfessor
    2 months ago

    Checking to see if there's a way to have CW take care of this.  We push the ticket title with the LMD# at the front.  Going to look for that within 5 minutes of another and auto-close the older of the two.  Ideally, If the API call timed out, LM would be able to cancel that request somehow rather than just abandoning it.

  • Cole_McDonald's avatar
    Cole_McDonald
    Icon for Professor rankProfessor
    2 months ago

    It seems to be correlated fairly strongly.  Checking CW to see if I have access to those logs.

  • Mike_Moniz's avatar
    Mike_Moniz
    Icon for Professor rankProfessor
    2 months ago

    Do all the duplicates show retries? Perhaps the first attempt sent LM a failure code (like a 4xx or 5xx) or timed out responding but still created the ticket? Then the retry ended up caused it to generate a 2nd one? I know in the (far) past LM support was able to review their backend logs to see the specific integration traffic. Can you see requests on the ticketing side? Like does the ticketing see two ACTIVE requests coming from LM?

  • Cole_McDonald's avatar
    Cole_McDonald
    Icon for Professor rankProfessor
    2 months ago

    Searching by ALert ID shows single entry, HTTP 201 response with 1 retry... no info about the retry.  Single External Ticket ID indicated.  Shows the second one created at 1:42, doesn't show the one at 1:40.

  • Mike_Moniz's avatar
    Mike_Moniz
    Icon for Professor rankProfessor
    2 months ago

    What does the integration log show? It should show all the API requests being sent to your ticketing system. I would expected if it's sending multiple ACTIVE calls for example, it would show up there.