groeimetai/event-management
packages/opencode/src/bundled-skills/event-management/SKILL.md
This skill should be used when the user asks to "create event", "event rule", "alert", "event correlation", "metric", "monitoring integration", "SNMP trap", or any ServiceNow Event Management development.
$ install --global
skillsauthnpx skillsauth add groeimetai/snow-flow event-managementInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 7:52 AM5.7s1 file scanned
SKILL.md
- name:
- event-management
- description:
- This skill should be used when the user asks to "create event", "event rule", "alert", "event correlation", "metric", "monitoring integration", "SNMP trap", or any ServiceNow Event Management development.
- license:
- Apache-2.0
- compatibility:
- Designed for Snow-Code and ServiceNow development
- author:
- groeimetai
- version:
- 1.0.0
- category:
- servicenow
Event Management for ServiceNow
Event Management consolidates events from monitoring tools, correlates them, and creates actionable alerts.
Event Flow
Monitoring Tools (Nagios, SCOM, etc.)
↓
Events (em_event)
↓ Event Rules
Alerts (em_alert)
↓ Alert Management Rules
Incidents/Changes
Key Tables
| Table | Purpose |
| --------------------------- | ----------------------- |
| em_event | Raw events from sources |
| em_alert | Processed alerts |
| em_event_rule | Event processing rules |
| em_alert_correlation_rule | Alert correlation |
| em_connector | Event source connectors |
Events (ES5)
Create Event Programmatically
// Create event (ES5 ONLY!)
var event = new GlideRecord("em_event")
event.initialize()
// Required fields
event.setValue("source", "Custom Monitor")
event.setValue("node", "server01.example.com")
event.setValue("type", "CPU High")
event.setValue("severity", 3) // 1=Critical, 2=Major, 3=Minor, 4=Warning, 5=OK
// Event key for deduplication
event.setValue("event_class", "performance")
event.setValue("message_key", "cpu_high_server01")
// Description
event.setValue("description", "CPU usage exceeded 90% threshold")
event.setValue(
"additional_info",
JSON.stringify({
cpu_percent: 95,
process: "java",
duration: "5 minutes",
}),
)
// CI binding
event.setValue("cmdb_ci", getCISysId("server01"))
// Resource and metric
event.setValue("resource", "CPU")
event.setValue("metric_name", "cpu_usage")
event.insert()
Event via REST API
// Push event via REST (External script - ES5 ONLY!)
var request = {
records: [
{
source: "External Monitor",
node: "app-server-01",
type: "Application Error",
severity: "2",
message_key: "app_error_" + Date.now(),
description: "Application threw critical exception",
additional_info: '{"error_code": "E500", "module": "payment"}',
},
],
}
// POST to: /api/global/em/jsonv2
Event Rules (ES5)
Event Processing Rule
// Create event rule (ES5 ONLY!)
var rule = new GlideRecord("em_event_rule")
rule.initialize()
// Rule identification
rule.setValue("name", "High CPU Alert")
rule.setValue("description", "Create alert for high CPU events")
rule.setValue("order", 100)
rule.setValue("active", true)
// Event filter (which events to process)
rule.setValue("filter", "type=CPU High^severity<=3")
// Actions
rule.setValue("create_alert", true)
rule.setValue("alert_severity", 3)
// Transform settings
rule.setValue("transform_type", true)
rule.setValue("new_type", "Performance - CPU")
// CI binding
rule.setValue("ci_binding_type", "node")
rule.insert()
Event Rule Script (ES5)
// Event rule advanced script (ES5 ONLY!)
// Table: em_event_rule, field: script
;(function runRule(event, rule) {
// Get additional info
var addInfo = {}
try {
addInfo = JSON.parse(event.additional_info)
} catch (e) {
addInfo = {}
}
// Set severity based on CPU percentage
var cpuPercent = parseFloat(addInfo.cpu_percent) || 0
if (cpuPercent >= 95) {
event.severity = 1 // Critical
} else if (cpuPercent >= 90) {
event.severity = 2 // Major
} else if (cpuPercent >= 80) {
event.severity = 3 // Minor
}
// Enrich description
event.description = event.description + " (Current: " + cpuPercent + "%)"
// Set time to clear (auto-close if OK event not received)
event.u_time_to_clear = 900 // 15 minutes
return true // Continue processing
})(event, rule)
Alerts (ES5)
Alert Lifecycle
Open
↓ Acknowledge
Acknowledged
↓ Investigate
In Progress
↓ Resolution
Resolved
↓ Close
Closed
Flapping ← Multiple severity changes
Alert Management Rule
// Create alert management rule (ES5 ONLY!)
var amRule = new GlideRecord("em_alert_management_rule")
amRule.initialize()
amRule.setValue("name", "Auto-create Incident for Critical Alerts")
amRule.setValue("description", "Create P1 incident for critical alerts on production CIs")
amRule.setValue("order", 100)
amRule.setValue("active", true)
// Alert filter
amRule.setValue("filter", "severity=1^cmdb_ci.u_environment=production")
// Action: Create incident
amRule.setValue("create_incident", true)
amRule.setValue("incident_priority", 1)
amRule.setValue("incident_assignment_group", getGroupSysId("NOC"))
amRule.insert()
Manual Alert Processing (ES5)
// Process alert manually (ES5 ONLY!)
function acknowledgeAlert(alertSysId, notes) {
var alert = new GlideRecord("em_alert")
if (!alert.get(alertSysId)) {
return { success: false, message: "Alert not found" }
}
// Validate state
if (alert.getValue("state") !== "Open") {
return { success: false, message: "Alert is not in Open state" }
}
// Acknowledge
alert.setValue("state", "Acknowledged")
alert.setValue("acknowledged_by", gs.getUserID())
alert.setValue("acknowledged_at", new GlideDateTime())
// Add notes
if (notes) {
alert.work_notes = "Acknowledged: " + notes
}
alert.update()
return { success: true, number: alert.getValue("number") }
}
Alert Correlation (ES5)
Correlation Rule
// Create correlation rule (ES5 ONLY!)
var corrRule = new GlideRecord("em_alert_correlation_rule")
corrRule.initialize()
corrRule.setValue("name", "Server Down Correlation")
corrRule.setValue("description", "Correlate all alerts when a server goes down")
corrRule.setValue("active", true)
// Parent alert filter
corrRule.setValue("parent_filter", "type=Server Down^severity=1")
// Child alert filter
corrRule.setValue("child_filter", "cmdb_ci.u_hosted_on=javascript:parent.cmdb_ci")
// Correlation window
corrRule.setValue("time_window", 300) // 5 minutes
// Action
corrRule.setValue("set_child_severity", true)
corrRule.setValue("new_child_severity", 4) // Warning
corrRule.insert()
Custom Correlation Script (ES5)
// Alert correlation script (ES5 ONLY!)
// Correlate database alerts with application alerts
var AlertCorrelation = Class.create()
AlertCorrelation.prototype = {
initialize: function () {},
/**
* Find related alerts for correlation
*/
findRelatedAlerts: function (parentAlertSysId) {
var parent = new GlideRecord("em_alert")
if (!parent.get(parentAlertSysId)) {
return []
}
var relatedAlerts = []
var parentCI = parent.getValue("cmdb_ci")
var parentTime = new GlideDateTime(parent.getValue("sys_created_on"))
// Time window: 5 minutes before/after parent
var windowStart = new GlideDateTime(parentTime)
windowStart.addSeconds(-300)
var windowEnd = new GlideDateTime(parentTime)
windowEnd.addSeconds(300)
// Find alerts on dependent CIs
var dependents = this._getDependentCIs(parentCI)
var alert = new GlideRecord("em_alert")
alert.addQuery("cmdb_ci", "IN", dependents.join(","))
alert.addQuery("sys_created_on", ">=", windowStart)
alert.addQuery("sys_created_on", "<=", windowEnd)
alert.addQuery("sys_id", "!=", parentAlertSysId)
alert.addQuery("parent_alert", "") // Not already correlated
alert.query()
while (alert.next()) {
relatedAlerts.push({
sys_id: alert.getUniqueValue(),
number: alert.getValue("number"),
cmdb_ci: alert.cmdb_ci.getDisplayValue(),
severity: alert.getValue("severity"),
})
}
return relatedAlerts
},
_getDependentCIs: function (parentCISysId) {
var dependents = []
var rel = new GlideRecord("cmdb_rel_ci")
rel.addQuery("parent", parentCISysId)
rel.addQuery("type.name", "Depends on::Used by")
rel.query()
while (rel.next()) {
dependents.push(rel.getValue("child"))
}
return dependents
},
/**
* Correlate alerts under parent
*/
correlate: function (parentAlertSysId, childAlertSysIds) {
for (var i = 0; i < childAlertSysIds.length; i++) {
var child = new GlideRecord("em_alert")
if (child.get(childAlertSysIds[i])) {
child.setValue("parent_alert", parentAlertSysId)
child.work_notes = "Correlated with parent alert"
child.update()
}
}
},
type: "AlertCorrelation",
}
Metrics (ES5)
Create Metric Event
// Create metric event for threshold monitoring (ES5 ONLY!)
function createMetricEvent(ciSysId, metricName, value, thresholds) {
var severity = 5 // OK by default
// Determine severity based on thresholds
if (value >= thresholds.critical) {
severity = 1
} else if (value >= thresholds.major) {
severity = 2
} else if (value >= thresholds.minor) {
severity = 3
} else if (value >= thresholds.warning) {
severity = 4
}
// Only create event if not OK
if (severity < 5) {
var event = new GlideRecord("em_event")
event.initialize()
event.setValue("source", "Metric Monitor")
event.setValue("cmdb_ci", ciSysId)
event.setValue("type", metricName + " Threshold")
event.setValue("severity", severity)
event.setValue("metric_name", metricName)
event.setValue("message_key", metricName + "_" + ciSysId)
event.setValue("description", metricName + " is at " + value + " (Threshold: " + getThresholdName(severity) + ")")
event.insert()
}
return severity
}
function getThresholdName(severity) {
var names = { 1: "Critical", 2: "Major", 3: "Minor", 4: "Warning", 5: "OK" }
return names[severity]
}
MCP Tool Integration
Available Tools
| Tool | Purpose |
| --------------------------------- | ----------------------- |
| snow_query_table | Query events and alerts |
| snow_find_artifact | Find event rules |
| snow_execute_script_with_output | Test event scripts |
| snow_create_event | Trigger system events |
Example Workflow
// 1. Query open alerts
await snow_query_table({
table: "em_alert",
query: "state=Open^severity<=2",
fields: "number,description,cmdb_ci,severity,source",
})
// 2. Find unprocessed events
await snow_query_table({
table: "em_event",
query: "state=Ready",
fields: "source,node,type,severity,description",
})
// 3. Create test event
await snow_execute_script_with_output({
script: `
var event = new GlideRecord('em_event');
event.initialize();
event.source = 'Test';
event.type = 'Test Event';
event.severity = 4;
event.node = 'test-server';
gs.info('Created: ' + event.insert());
`,
})
Best Practices
- Event Deduplication - Use message_key properly
- CI Binding - Bind events to CIs for impact
- Severity Mapping - Consistent severity levels
- Correlation - Reduce alert noise
- Time Windows - Configure appropriate windows
- Auto-closure - Set time-to-clear for transient issues
- Monitoring - Track event processing health
- ES5 Only - No modern JavaScript syntax
Related Skills
groeimetai/workspace-builder
development
VerifiedTrustedCommunity
This skill should be used when the user asks to "App Engine Studio", "workspace builder", "custom workspace", "AES", "low code", "app development", "studio", or any ServiceNow App Engine Studio development.
58SKILL.mdUpdated Apr 5, 2026
groeimetai/widget-coherence
tools
VerifiedTrustedCommunity
This skill should be used when the user asks to "create a widget", "build a widget", "service portal widget", "sp_widget", "fix widget", "widget not working", "ng-click not working", or any Service Portal widget development.
58SKILL.mdUpdated Apr 5, 2026
groeimetai/virtual-agent
development
VerifiedTrustedCommunity
This skill should be used when the user asks to "create chatbot", "virtual agent", "VA topic", "NLU", "conversation", "chat flow", "topic block", or any ServiceNow Virtual Agent development.
58SKILL.mdUpdated Apr 5, 2026
groeimetai/vendor-management
development
VerifiedTrustedCommunity
This skill should be used when the user asks to "vendor", "supplier", "contract", "procurement", "SLA", "vendor risk", "vendor performance", or any ServiceNow Vendor Management development.
58SKILL.mdUpdated Apr 5, 2026