Correltion of Events

Question

Hello,
In order to explain my concern, let me give you a concrete example.
A NIC card is down in a device , then based on an alert rule, an event is sent to Azure Monitor
This event (NIC card down) is registered with a specific Event data ID in Azure monitor.
The Event Data ID is also sent to ServiceNow platform.
When the NIC card is up in the device, another alert rule generates an event and another Event data ID is created in Azure Monitor and sent to ServiceNow.
But ServiceNow is not able to make a correlation between the two events (NIC down & NIC up) because the Event data ID are different.
So, the events are not cleared in ServiceNow and the tickets in ServiceNow remain opened although the issue has been solved.

Questions:
Is there a way in Azure Monitor to correlate the two events (NIC down & NIC up) and then forward the information to ServiceNow (issue solved)?
Or perhaps, is there another way of working?
Or does it exist an option to automatically resolve alerts and provide the information to ServiceNow?

The final goal is that ServiceNow can clear the tickets received from Azure Monitor when the issue is solved.

Thanks
Regards

Answer 1

Hi @Calogero Quattrocchi ,

I believe this happens because you are making the correlation by using Event ID instead of NIC ResourceId.
Change the correlation logic and map the correlation to ResourceId (actually it's always unique per resource in Azure)

But anyway, you could always correlate the data in Azure Monitor in Log Analytics workspace by using KQL. But IMHO it's better to correlate the data in ServiceNow itself