That is certainly a tight edit window... Since I hit Send early on the original post, I'll post the full question here:
I am creating two alert dashboards for our Datacenter folks, Unhandled Events and Handled Events. The mechanism I am intending to use to move alerts from one dashboard to the other is the existence of a ticket ID from our integrated ticketing platform (ServiceNow) and/or a Note attached to the alert.
Our ticketing integration with ServiceNow is configured as a hybrid manual automation, if you will. We have an escalation chain that is two steps, the first one being blank and the second being to create the ticket. Using an Alert Rule, all alerts kick off this escalation, where it sits at step 1. Our Operators will then manually escalate any alert they want to create a ticket on, which then fires off step 2, the incident creation in ServiceNow.
Question 1: Is there any way to filter based on the step of an escalation chain being used for an alert? If so, I would use this to show or hide an alert, indicating it is already being managed. When I select the escalation chain in the filter, it always matches, because everything kicks off step 1. Being able to specify alerts at step 2 (or any specific step, really) would be very useful, but I can't find any documentation on whether this is possible.
Question 2: Is there a way to filter based on the partial content of the ##ExternalTicketID## field? If so, this could be used instead of the above option, and I could show/hide based on the existence of the "SN : INC" prefix on the logged ticket ID (in our environment, this field shows as "no data" or "SN : INC398202").
Question 3: Likewise, is there a way to filter on the existence of any content in the Notes field? Sometimes our Operators need to move tickets over to the "handled" dashboard even if they haven't created a ticket. In these instances, they could simply add a Note and have the alert move screens.
Thanks in advance!