Event Management tag based alert clustering definition form

  • Release version: Xanadu
  • Updated August 1, 2024

    The form for creating or modifying a tag based alert clustering definition displays detailed information about the definition.

    Table 1. Tag based alert clustering definition form

    Name
        Name of the alert clustering definition. Definition names must be unique.

    Active
        Select to activate the definition. This option is selected by default.

    Order
        The order in which definitions are tested against incoming alerts. Definitions with lower Order values are tested first. When an alert matches a definition's filter, the remaining definitions are still tested.
        Default value = 1000

    Domain
        The domain in which the current record was created. Read-only.

    Assignment group
        The assignment group that works on the alert. If no assignment group is defined in the alert rule, the rule is considered a global rule. When the rules run, the global rules run first, followed by the rules that belong to the assignment group of the alert.

    Description
        An optional description of the alert clustering definition.

    Filter
        Conditions that incoming alerts must meet to be evaluated against the alert clustering definition's tags. If the tags correspond to alerts that already exist in the system and fall within the Clustering timeframe (minutes) value, the incoming alerts join the existing alerts to form an alert group.
        After configuring the filter, you can click the Preview button to see how many existing alerts match the filter's conditions.
        Note:
        • Matching alerts are not automatically placed together in an alert group. Alerts are grouped only if they have corresponding alert clustering tags.
        • Filter parameters are case sensitive by default. To disable case sensitivity, set the sa_analytics.correlation_case_sensitive parameter to false.
        • You can also exclude alert fields from the search by using the sn_em_tbac.tag_excluded_alert_fields property. By default, this property excludes the following fields:
          • type
          • event_class

    Override group description
        Default group descriptions begin with a “Group of alerts” prefix, followed by the description of the primary alert in the group. To override this description, select the Override group description check box, and then type a description in the Custom description field. This description is used for the groups created by this alert clustering definition.
        Note: You cannot save the form if the Custom description field is blank or still contains the default 'Group of alerts' text.

    Clustering timeframe (minutes)
        The maximum time, in minutes, allowed between alerts for them to be grouped together. For example, a value of 60 means that an alert generated within 60 minutes of the most recent alert in the group is added to the alert group. An alert generated after that time is not added to the group.
        Default value = 60
        Permitted values = 0-1440

    Tag Based Alert Clustering Definitions Tags M2M
        Select the alert clustering tags to assign to the alert clustering definition. Alerts that meet the criteria specified in the selected tags are included in the alert group.
        The available options are the tags created on the Tag Based Alert Clustering Tags page.
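    To make the evaluation order, filter matching and clustering timeframe rules in the table above concrete, here is an added toy model in Python; it is example code written for this page, not ServiceNow's implementation. It assumes that clustering tags are plain string labels already present on each alert, that an empty assignment group marks a global rule, and that an alert is evaluated against every applicable definition independently (how the platform reconciles an alert that matches several definitions is not covered by this page).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Definition:               # toy model of this form's fields, not ServiceNow's data model
    name: str
    tags: frozenset             # Tags M2M; assumed here to be plain string labels carried on alerts
    filter: tuple = ()          # (alert field, required value) pairs
    order: int = 1000           # lower values are tested first
    assignment_group: str = ""  # "" = global rule
    timeframe_min: int = 60     # Clustering timeframe (minutes), 0-1440

@dataclass
class Alert:
    id: str
    time: datetime
    assignment_group: str
    tags: frozenset
    fields: dict

def matches_filter(alert, d, case_sensitive=True):
    norm = (lambda s: s) if case_sensitive else str.lower  # sa_analytics.correlation_case_sensitive
    return all(norm(str(alert.fields.get(k, ""))) == norm(v) for k, v in d.filter)

def ordered_definitions(alert, definitions):
    return sorted((d for d in definitions if d.assignment_group in ("", alert.assignment_group)),
                  key=lambda d: (d.assignment_group != "", d.order))  # global rules first, then lower Order

def cluster(alerts, definitions, case_sensitive=True):
    history = {}  # (definition, tag) -> groups created for that pair, oldest first
    for a in sorted(alerts, key=lambda a: a.time):
        for d in ordered_definitions(a, definitions):  # a match does not stop the search
            if not matches_filter(a, d, case_sensitive):
                continue
            for tag in sorted(a.tags & d.tags):  # grouped only on a corresponding tag
                runs = history.setdefault((d.name, tag), [])
                if not runs or a.time - runs[-1]["last"] > timedelta(minutes=d.timeframe_min):
                    runs.append({"def": d.name, "tag": tag, "alerts": [], "last": None})
                runs[-1]["alerts"].append(a.id); runs[-1]["last"] = a.time
    return [g for runs in history.values() for g in runs]

def demo(case_sensitive=True):
    t0, db = datetime(2024, 8, 1, 12, 0), frozenset({"host:db01"})  # constructed sample data
    defs = [Definition("db-disk", db, (("type", "Disk"),), order=10, assignment_group="DBA", timeframe_min=30),
            Definition("all-disk", db | {"host:web01"}, (("type", "disk"),))]
    alerts = [Alert("a1", t0, "DBA", db, {"type": "Disk"}),
              Alert("a2", t0 + timedelta(minutes=20), "DBA", db, {"type": "Disk"}),
              Alert("a3", t0 + timedelta(minutes=70), "DBA", db, {"type": "Disk"}),
              Alert("a4", t0 + timedelta(minutes=75), "WEB", frozenset({"host:web01"}), {"type": "disk"})]
    return [(g["def"], g["tag"], g["alerts"]) for g in cluster(alerts, defs, case_sensitive)]
```

    With the default case-sensitive filter, the global "all-disk" definition never matches the "Disk" alerts, and a3 starts a new group because it arrives 50 minutes after a2, outside the 30-minute window; with case sensitivity disabled, a1 to a3 also fall into one "all-disk" group under the 60-minute default.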