email regex


(Scott Braunstein) #1

Good afternoon,
I am trying to get regex filters working for the email integration. I am not sure what I am doing wrong so was hoping someone could point me in the right direction. I am trying to open an close a INC based on the status email of ServiceNow.

I have Open and Resolve alerts based on custom rules
Trigger an alert if ALL conditions apply
Email Body contains : (Priority: 4 - Normal)
Subject Contains (radio)

As a test I sent an email that does not meet any of those conditions and an alert is triggered.

Additionally I want to link a resolve email to the INC number in the subject line which also doesnt seem to be working. I took the regex into the webtester and it finds the keys no problems.

Any thoughts?


(Thomas Roach) #3

It sounds like a rule is being matched if an incident is being created – would you mind posting the email you sent that triggered an email, but shouldn’t have?

As for resolving an incident via these rules, I wanted to first confirm you’ve taken a read of our Knowledge Base article on this subject. Do let me know if you have performed these steps, and if so, your specific rules.


(Scott Braunstein) #4

Sorry for the delay in response its been a crazy week here in the office. I have read thought the KB, but Ill be frank that Regex is new for me.

I tried changing it up a little to see if I could make it work so here is the current config I have:

Rule 1: resolve if all condition apply:
Subject matches expression ([\s\S])(app-global-MEO-Bristol)+([\s\S])

Subject matches expression .+(Bristol).+((affected by) (INC[0-9][0-9][0-9][0-9][0-9][0-9][0-9]) [1-4].+ (Resolved).+app-global-MEO-Bristol).+

Incident key (INC[0-9][0-9][0-9][0-9][0-9][0-9][0-9])

Rule 2: trigger if all condition apply:
Subject matches expression ([\s\S])(app-global-MEO-Bristol)+([\s\S])

Subject matches expression .+(Bristol).+((affected by) (INC[0-9][0-9][0-9][0-9][0-9][0-9][0-9]) [1-4].+ (Assigned).+app-global-MEO-Bristol).+

Incident key (INC[0-9][0-9][0-9][0-9][0-9][0-9][0-9])

Email subject lines are :

[could be anything]-Bristol affected by INC[#######] 4 - Normal | Assigned | app-global-MEO-Bristol | test please ignore


(Thomas Roach) #5

A tool we like to use to check RegEx is Rubular. I checked your rules against your test subject and ([\s\S]*)(app-global-MEO-Bristol)+([\s\S]*) picked up the whole subject, but both your Resolved and Assigned rules didn’t pick up any of it – this is due to the subject having square brackets around the numbers which wasn’t accounted for in the RegEx – you can use this instead: .+(Bristol).+((affected by) (INC\[[0-9][0-9][0-9][0-9][0-9][0-9][0-9]\]) [1-4].+ (Assigned).+app-global-MEO-Bristol).+. I also noticed that your first rule is set to trigger, but should be resolve if you’d like it to automatically resolve an incident (if you’d like it to only append the event to an open incident but not resolve it, then you can leave it as trigger).