DEX alert grouping

  • Release version: Washingtondc
  • Updated April 11, 2024

When several alerts are triggered by events governed by the same metric rule in DEX, the alert grouping mechanism consolidates them automatically. Responders then manage one group instead of each alert individually, which streamlines the response process and speeds up issue resolution.

    When alerts are grouped together, you see the total count of secondary alerts grouped next to the primary alert number.

    Figure 1. Express list — Active alerts in groups
    Active alerts grouped in the Express list.

    DEX events and alerts representation

In the Events table [em_event], any event whose Source field value is DEX is a DEX event. For DEX events, the Type field displays DEX Metric Rules, because DEX alerts are generated from DEX metric rules. When the State of an event becomes Processed, an alert is generated and saved in the Alerts table [em_alert].

In the Alerts table [em_alert], select an alert to view its details. An alert created from a DEX event shows DEX in the Source field. The Metric name field value is either DEX App Metric or DEX Device Metric. For an alert, the Metric name field value is always DEX Device Metric. The Configuration item field shows the name of the corresponding application or device. Alerts whose Group field shows Rules-based are the DEX alert groups.

    Rule for alert correlation

    In All > Event Management > Rules > Alert Correlation Rules, the DEX Metric Correlation Rule determines when alerts must be grouped and provides necessary details.
    Note:
For one application and one metric rule, DEX creates only one alert. DEX groups alerts when the metric rule is the same, whether the configuration items are the same or different. When the problem is resolved, closing the primary alert also closes the secondary alerts in the same group.

    Time-based alert grouping

    Time-based alert grouping automatically groups alerts according to predefined time intervals, which proves advantageous for services generating numerous alerts. Consolidated alerts result in fewer disruptions for responders and contribute to shorter resolution times.

In the System Properties table [sys_properties], the property sn_dex.alert.correlation_rule.device.period defines the time period, in seconds, used to group and correlate DEX alerts that are based on the same metric rule. Enter the desired duration in seconds in the Value field. For example, to set a 5-minute gap between alert groups, enter 300. Entering 0 disables the rule.

    Let's consider an example: Alert A1 is generated for rule R1 from device D1. After 2 minutes, alerts A2 and A3 are generated for the same rule R1, but from devices D2 and D3 respectively. Since A1 was the first alert, it's designated as the primary alert, and A2 and A3 are grouped as secondary alerts under A1.

    Now, suppose you've set the time duration to 300 seconds (5 minutes). If no alerts for rule R1 are generated within 5 minutes, and then after this period, alerts A4, A5, and A6 are generated for the same rule, a new group is formed. Alert A4 becomes the primary alert, and A5 and A6 are grouped under A4.

    However, if any alert is generated for rule R1 within 5 minutes, it's considered a secondary alert to A1 and grouped accordingly.
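The worked example above, together with the earlier note that closing a primary alert closes its secondaries, as an added simulation that is not ServiceNow or DEX code. It assumes alerts are grouped per metric rule regardless of configuration item, that the grouping window is measured from the most recent alert in the open group (the page does not say whether the window is anchored at the primary or at the latest alert), and that a period of 0 disables grouping, as the property description states. The period value passed in corresponds to sn_dex.alert.correlation_rule.device.period; the device CIs D1 to D3 and the timestamps are constructed for the example.

```javascript
// Added example (not ServiceNow/DEX code): simulates DEX time-based alert
// grouping. Assumptions: one open group per metric rule, the window is
// measured from the most recent alert of the open group, the configuration
// item is ignored when grouping, and periodSeconds === 0 disables grouping.

function groupAlerts(alerts, periodSeconds) {
  // Process in time order so the earliest alert of a window becomes primary.
  const sorted = [...alerts].sort((a, b) => a.time - b.time);
  // Open group per rule: { primary, lastTime }.
  const openGroups = new Map();
  const grouped = [];
  for (const alert of sorted) {
    const group = openGroups.get(alert.rule);
    const withinWindow =
      group !== undefined &&
      periodSeconds > 0 &&
      alert.time - group.lastTime <= periodSeconds;
    if (withinWindow) {
      group.lastTime = alert.time;
      grouped.push({ id: alert.id, role: 'secondary', primary: group.primary });
    } else {
      // Gap exceeded, first alert for this rule, or grouping disabled:
      // this alert starts a new group and becomes its primary.
      openGroups.set(alert.rule, { primary: alert.id, lastTime: alert.time });
      grouped.push({ id: alert.id, role: 'primary', primary: alert.id });
    }
  }
  return grouped;
}

// Number of secondary alerts per primary: the count shown next to the
// primary alert number in the Express list.
function secondaryCounts(grouped) {
  const counts = {};
  for (const entry of grouped) {
    if (entry.role === 'primary') {
      counts[entry.id] = counts[entry.id] || 0;
    } else {
      counts[entry.primary] = (counts[entry.primary] || 0) + 1;
    }
  }
  return counts;
}

// Closing a primary closes every alert in its group; closing a secondary
// closes only that alert. Returns the ids that get closed.
function closeAlert(grouped, alertId) {
  const target = grouped.find((entry) => entry.id === alertId);
  if (target === undefined) return [];
  if (target.role !== 'primary') return [alertId];
  return grouped
    .filter((entry) => entry.primary === alertId)
    .map((entry) => entry.id);
}

// Constructed sample mirroring the page's example. Times are seconds
// relative to A1; D1..D3 are hypothetical device configuration items.
const SAMPLE_ALERTS = [
  { id: 'A1', rule: 'R1', ci: 'D1', time: 0 },
  { id: 'A2', rule: 'R1', ci: 'D2', time: 120 },
  { id: 'A3', rule: 'R1', ci: 'D3', time: 120 },
  { id: 'A4', rule: 'R1', ci: 'D1', time: 600 }, // more than 300 s after A3
  { id: 'A5', rule: 'R1', ci: 'D2', time: 630 },
  { id: 'A6', rule: 'R1', ci: 'D3', time: 660 },
];

const exampleGroups = groupAlerts(SAMPLE_ALERTS, 300);
console.log(secondaryCounts(exampleGroups));            // { A1: 2, A4: 2 }
console.log(closeAlert(exampleGroups, 'A4'));           // [ 'A4', 'A5', 'A6' ]
console.log(groupAlerts(SAMPLE_ALERTS, 0).length);      // 6 primaries, no grouping
```

With the window anchored at the most recent alert, a rule that keeps firing every few minutes never starts a new group, so the primary's secondary count keeps growing; anchoring at the primary instead would cap each group at one period. If the difference matters for your alert volumes, verify the behaviour on an instance rather than relying on either reading of the property description.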