How Health Log Analytics generates alerts
ServiceNow Health Log Analytics identifies patterns in log data and learns pattern behavior. When its artificial intelligence engine detects anomalous behavior, it sends an event to the ServiceNow Event Management application. These predictive alerts enable operators to remediate emerging IT issues before they impact users.
What is an anomaly?
There are many kinds of anomalous (abnormal or unexpected) behavior. In this example, the system tracks the baseline rate—the average number of events per minute—of particular messages. The chart shows the values for the previous day as the lightly peach-shaded area and the values for today as a blue line. The chart shows a dramatic deviation from the expected baseline values at around 10:10. This anomalous behavior generates an alert.
Anomalous behavior at around 10:10.
Health Log Analytics uses the following methods to generate alerts:
Alert metrics
Health Log Analytics monitors multiple metrics in the log stream to detect anomalous behavior. Each metric is associated with a unique source. A source is the combination of service instance and component. When the system identifies an anomalous pattern for a metric, it generates an alert.
- Mark an alert as significant so that it is more likely to be included in a Log Analytics group when the associated metric behaves anomalously. For more information, see Mark an alert as significant.
- Mute an alert for a specified source to eliminate distracting new alerts for unimportant issues. For more information, see Mute an unimportant alert.
- When the situation changes, you can return a significant metric to its default significance. You can also reactivate a muted metric to cause the system to start generating alerts again. For more information, see Restore a muted alert or a significant alert.
Lexical keywords
Lexical keywords can indicate important issues in log entries.
The system sets a threshold for each lexical keyword. It bases the threshold on the normal occurrence pattern and frequency of the keyword. The system detects all occurrences of the keyword. When the pattern or frequency exceeds the threshold, the system generates an alert. For more information, see View the lexical keywords that generate alerts.
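The baseline-rate anomaly described under "What is an anomaly?" and the lexical keyword threshold described above are both comparisons of a per-minute count against a learned baseline. The following Python script is an added illustration of that mechanism and is not ServiceNow code: it assumes a constructed log line format (`<ISO timestamp> <service_instance>/<component> <message>`), constructs a day of "yesterday" lines and a day of "today" lines with a spike at 10:10, derives a threshold from yesterday's mean and standard deviation, and reports the minutes of today that exceed it. The same detector is run once on a message pattern from one source (the alert-metric case) and once on a keyword (the lexical-keyword case). Host names, messages, the 3-sigma rule and the one-event floor are all assumptions for the example.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a ServiceNow format):
# "<ISO-8601 timestamp> <service_instance>/<component> <message>"
LOG_LINE = re.compile(r"^(\S+) (\S+)/(\S+) (.*)$")

def parse(line):
    """Parse one log line into a record, or return None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, service, component, message = m.groups()
    return {"ts": datetime.fromisoformat(ts),
            "source": f"{service}/{component}",   # source = service instance + component
            "message": message}

def per_minute_counts(lines, predicate):
    """Count, per minute, the records for which predicate(record) is true."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and predicate(rec):
            counts[rec["ts"].replace(second=0, microsecond=0)] += 1
    return counts

def baseline(counts, minutes):
    """Mean and population stdev of the per-minute rate; silent minutes count as zero."""
    values = [counts.get(m, 0) for m in minutes]
    return statistics.fmean(values), statistics.pstdev(values)

def rate_anomalies(yesterday_lines, today_lines, predicate, start, n_minutes, k=3.0, floor=1.0):
    """Minutes of today whose rate exceeds yesterday's baseline for the same minutes.

    Threshold is mean + k*stdev but never below mean + floor, so a perfectly flat
    baseline (stdev 0) does not alert on a change of a single event.
    Returns a list of (minute, observed_rate, threshold).
    """
    y_minutes = [start - timedelta(days=1) + timedelta(minutes=i) for i in range(n_minutes)]
    t_minutes = [start + timedelta(minutes=i) for i in range(n_minutes)]
    mean, stdev = baseline(per_minute_counts(yesterday_lines, predicate), y_minutes)
    threshold = mean + max(k * stdev, floor)
    today = per_minute_counts(today_lines, predicate)
    return [(m, today.get(m, 0), threshold) for m in t_minutes if today.get(m, 0) > threshold]

# --- constructed sample data (assumed hosts and messages) --------------------
def make_lines(day, source, counts_by_minute, message):
    """Build constructed lines; counts_by_minute maps minute-of-10:xx to line count."""
    return [f"{day}T10:{minute:02d}:{i % 60:02d} {source} {message}"
            for minute, n in counts_by_minute.items() for i in range(n)]

SRC = "web-prod-01/apache"
NORMAL = {m: 2 for m in range(5, 15)}        # 2 pool errors per minute, 10:05-10:14
SPIKE = {**NORMAL, 10: 15}                   # today: 15 in the 10:10 minute
KW_NORMAL = {m: 1 for m in range(5, 15)}     # 1 "timeout" line per minute
KW_SPIKE = {**KW_NORMAL, 10: 12}

YESTERDAY = (make_lines("2024-01-01", SRC, NORMAL, "Connection pool exhausted")
             + make_lines("2024-01-01", SRC, KW_NORMAL, "upstream TIMEOUT after 30s"))
TODAY = (make_lines("2024-01-02", SRC, SPIKE, "Connection pool exhausted")
         + make_lines("2024-01-02", SRC, KW_SPIKE, "upstream TIMEOUT after 30s"))
START = datetime(2024, 1, 2, 10, 5)

def message_rate_alerts():
    """Alert metric: rate of one message pattern from one source (the chart's baseline case)."""
    pred = lambda r: r["source"] == SRC and r["message"].startswith("Connection pool")
    return rate_anomalies(YESTERDAY, TODAY, pred, START, 10)

def keyword_alerts(keyword="timeout"):
    """Lexical keyword: occurrences of a keyword regardless of message pattern."""
    pred = lambda r: keyword in r["message"].lower()
    return rate_anomalies(YESTERDAY, TODAY, pred, START, 10)

if __name__ == "__main__":
    for minute, rate, thr in message_rate_alerts():
        print(f"ALERT rate    {minute:%H:%M}: {rate}/min > threshold {thr:.1f}")
    for minute, rate, thr in keyword_alerts():
        print(f"ALERT keyword {minute:%H:%M}: {rate}/min > threshold {thr:.1f}")
```

Both runs flag only the 10:10 minute. The floor in `rate_anomalies` is the practical caveat: a baseline learned from a quiet period has near-zero variance, and without a minimum margin the detector alerts on the first ordinary fluctuation, which is exactly the noise the muting and filtering features exist to remove.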
Correlations
Log correlators are keys or values in log data that detect correlations between alerts. For example, a log correlator could detect when the interface ID of a particular network device occurs simultaneously in multiple warnings across different service instances. For more information, see Using log correlators to detect relationships in log data.
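The interface-ID case above, as an added example rather than ServiceNow's own implementation: a log correlator is modelled as a named regular expression that extracts a key value from each alert's message, and two or more alerts carrying the same value from different service instances within a short time window are reported as correlated. The alert records, the `source` naming convention, the correlator patterns and the five-minute window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts (assumed data, not ServiceNow output). Each alert carries the
# "<service_instance>/<component>" source that raised it and the triggering message.
ALERTS = [
    {"ts": "2024-01-02T10:10:05", "source": "web-prod-01/apache",
     "message": "upstream unreachable; path via sw-core-07:eth1"},
    {"ts": "2024-01-02T10:10:12", "source": "db-prod-02/postgres",
     "message": "replication lag; peer route sw-core-07:eth1 flapping"},
    {"ts": "2024-01-02T10:10:40", "source": "auth-prod-01/keycloak",
     "message": "token service slow trace=a1b2c3d4"},
    {"ts": "2024-01-02T10:25:00", "source": "web-prod-01/apache",
     "message": "cache miss storm trace=a1b2c3d4"},
    {"ts": "2024-01-02T10:11:00", "source": "web-prod-01/nginx",
     "message": "502 from upstream sw-core-07:eth1"},
    {"ts": "2024-01-02T10:12:00", "source": "batch-prod-03/cron",
     "message": "disk usage 91% on /var"},            # no correlator matches
]

# Hypothetical correlator definitions: name -> regex whose group(1) is the key value.
CORRELATORS = {
    "interface_id": re.compile(r"\b(sw-[a-z]+-\d+:eth\d+)\b"),   # device:interface
    "trace_id": re.compile(r"trace=([0-9a-f]{8})"),
}

def correlate(alerts, correlators, window_minutes=5, min_services=2):
    """Find correlator values shared by alerts from >= min_services distinct
    service instances within window_minutes of the cluster's first alert."""
    window = timedelta(minutes=window_minutes)
    found = []
    for name, pattern in correlators.items():
        by_value = defaultdict(list)
        for idx, alert in enumerate(alerts):
            m = pattern.search(alert["message"])
            if m:
                by_value[m.group(1)].append((datetime.fromisoformat(alert["ts"]), idx))
        for value, hits in by_value.items():
            hits.sort()
            cluster = []
            # Sentinel (None, None) closes the final cluster.
            for ts, idx in hits + [(None, None)]:
                if cluster and (ts is None or ts - cluster[0][0] > window):
                    services = {alerts[i]["source"].split("/")[0] for _, i in cluster}
                    if len(services) >= min_services:
                        found.append({"correlator": name, "value": value,
                                      "services": sorted(services),
                                      "alerts": [i for _, i in cluster]})
                    cluster = []
                if ts is not None:
                    cluster.append((ts, idx))
    return found

if __name__ == "__main__":
    for c in correlate(ALERTS, CORRELATORS):
        print(f"{c['correlator']}={c['value']} links alerts {c['alerts']} "
              f"across {', '.join(c['services'])}")
```

With the default window only `sw-core-07:eth1` is reported, linking the web and database alerts; the two `trace=a1b2c3d4` alerts share a value but are fifteen minutes apart, so widening `window_minutes` to 20 is what makes them a second correlation. Distinct service instances, not distinct components, are what count: the nginx and apache alerts both belong to `web-prod-01` and on their own would not satisfy the cross-service condition.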
Advanced alert filtering
Add advanced log alert filters to scan alerts for conditions that you specify. The filters reduce noise by dropping alerts that do not indicate a significant issue. While developing a filter, you can test, update, publish, or activate the filter at any time. For more information, see Create advanced log alert filters.
Custom alert rules
Define a Log Analytics alert rule when you encounter log data that should generate an alert. The alert rule generates an alert for a specified metric with a threshold that you specify and sets the properties of the generated alert. For more information, see Add a Log Analytics alert rule.