Description
This feature was introduced in the Orlando release with the system property "evt_mgmt.avoid_int_enabled".
More details: https://docs.servicenow.com/bundle/orlando-it-operations-management/page/product/event-management/concept/c_EMEventCorrelationRules.html
The following Orlando release documentation acknowledges an issue where secondary alerts intermittently create incidents:
1) https://docs.servicenow.com/csh?topicname=event-management-rn.html&version=latest
Under alert grouping functionality:
-> Avoiding creation of incidents for secondary alerts when an incident already exists for the primary alert and the alert management job runs before the alert grouping job is complete.
2) https://docs.servicenow.com/csh?topicname=c_EMEventCorrelationRules.html&version=latest
-> The alert management job runs even if the alert grouping job is not complete, if a specified time frame has passed. When this occurs, you can enable the Avoid INTs on secondary alerts rule to prevent incidents from being created for secondary alerts (when the evt_mgmt.avoid_int_enabled property is enabled), since an incident already exists for the primary alert.
- Adding a filter on the alert management rule to filter out secondary alerts, i.e. group (group_source) != 5, would not make a difference.
Steps to Reproduce
Not applicable
Workaround
1. Create an Alert Management rule that is executed under the following conditions:
When an alert has an associated incident AND it is changed to a secondary alert, a sub-flow will be executed.
2. Create a sub-flow to "re-parent" the incident associated with the secondary alert. That incident will be defined as a child incident of the incident associated with the primary alert.
3. Sub-flow and action definition:
   a. Create a new action named Reparent
      i. Action inputs
      ii. Update record step
   b. Create a new sub-flow named Reparent incident of secondary alert
      i. Sub-flow inputs
      a. Sub-flow step (1), retrieve incident record of primary alert:
      b. Sub-flow step (2), retrieve incident record of secondary alert:
      c. Sub-flow step (3), trigger the Reparent action with the following inputs:
4. The following enhancements can be considered:
   a. Add work notes on the Alert and Incident records to audit the "reparenting" action.
   b. Add a wait step before the execution of step 1. Because the incident for the primary alert may be created with a delay, a 1-minute wait step is recommended to make sure there is no race condition.
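
The re-parenting logic of steps 1 to 4, modelled in plain JavaScript as an added example (it is not ServiceNow code and not the flow definition from this article). The record shapes, the field names `parent`, `incident`, `parent_incident` and `work_notes`, and the sample records are assumptions constructed for illustration; the example also goes beyond the fixed wait in 4b by reporting a retry when the primary alert has no incident yet.

```javascript
// In-memory model of the "Reparent incident of secondary alert" sub-flow.
// Field names and record shapes are assumptions for this sketch.
function reparentSecondaryIncident(secondary, alerts, incidents) {
  const primary = alerts.get(secondary.parent);
  if (!primary) return { status: 'skipped', reason: 'no primary alert' };
  if (!secondary.incident) return { status: 'skipped', reason: 'secondary has no incident' };
  // Race from step 4b: the primary's incident may not exist yet.
  if (!primary.incident) return { status: 'retry', reason: 'primary incident not created yet' };
  if (primary.incident === secondary.incident) {
    return { status: 'skipped', reason: 'alerts already share one incident' };
  }
  const child = incidents.get(secondary.incident);   // sub-flow step (2)
  const parent = incidents.get(primary.incident);    // sub-flow step (1)
  if (!child || !parent) return { status: 'skipped', reason: 'incident record missing' };
  // Idempotence: a second run must not add duplicate audit notes.
  if (child.parent_incident === parent.id) {
    return { status: 'skipped', reason: 'already reparented' };
  }
  child.parent_incident = parent.id;                 // sub-flow step (3), Reparent action
  // Step 4a: audit the action on both the alert and the incident.
  const note = `Reparented ${child.id} under ${parent.id} (secondary alert ${secondary.id})`;
  child.work_notes.push(note);
  secondary.work_notes.push(note);
  return { status: 'reparented', child: child.id, parent: parent.id };
}

// Constructed sample data: ALERT-S is secondary to ALERT-P and got its own
// incident; ALERT-L is secondary to ALERT-Q, whose incident is not created yet.
function buildSample() {
  const alert = (id, parent, incident) => [id, { id, parent, incident, work_notes: [] }];
  const alerts = new Map([
    alert('ALERT-P', null, 'INC-1'),
    alert('ALERT-S', 'ALERT-P', 'INC-2'),
    alert('ALERT-Q', null, null),
    alert('ALERT-L', 'ALERT-Q', 'INC-3'),
  ]);
  const incidents = new Map(
    ['INC-1', 'INC-2', 'INC-3'].map((id) => [id, { id, parent_incident: null, work_notes: [] }])
  );
  return { alerts, incidents };
}

const sample = buildSample();
for (const id of ['ALERT-S', 'ALERT-S', 'ALERT-L']) {
  const result = reparentSecondaryIncident(sample.alerts.get(id), sample.alerts, sample.incidents);
  console.log(id, JSON.stringify(result));
}
```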
After carefully considering the severity and frequency of the issue, and the cost and risk of attempting a fix, it has been decided to not address this issue in any current or near future releases. We do not make this decision lightly, and we apologise for any inconvenience.
Related Problem: PRB1410813