@sag5757 The following steps ensure a unique correlation ID is created every time a new alert is triggered:

1) Append this query to the search portion of the alert action: | eval unique_id= random() + now()
2) After that, navigate to Alert Action > Correlation ID and put this for the value: $result.unique_id$
3) Save the Alert Action.

By having a new, unique Correlation ID each time, a new incident should be created. If you want to update the same incident, then make sure that the correlation ID which you are passing from Splunk is the same, as the ServiceNow ticket update works mainly with the correlation ID.