Log Analytics alerts in the Alerts in group tab

  • Release version: Yokohama
  • Updated January 30, 2025

The table describes the Log Analytics alerts in a Log Analytics group on the Alerts in group tab.

Table 1. Alerts in group tab

Number: The number of the alert that appears in the list of alerts on the Operator Workspace dashboard. To view detailed information for an alert on the Details tab, click the alert number. This field is automatically set.

Group: Type of group that the alert belongs to: a standalone Log Analytics alert or a Component-based alert.

Description: Anomalous pattern or metric that caused the alert to be generated.

Severity: Severity value for the alert. The available values are:
• Critical: Immediate action is required. Either the resource is not functional or critical problems are imminent.
• Major: Major functionality is severely impaired or performance has degraded.
• Minor: Either performance has degraded or there is a partial, non-critical loss of functionality.
• Warning: Attention is required even though the resource is still functional.
• Info: An informational message. An alert is created, but the resource is still functional.
• Clear or Resolved: No action is required. An alert is not created from this event. Existing alerts are closed.

Priority group: Priority group that indicates the order in which to resolve alerts. Choices are as follows:
• Urgent
• High
• Moderate
• Low

The priority group value is more important than severity alone. For example, a high priority and low severity alert should be addressed before a low priority and high severity alert. For information on how priority is calculated, see Alert priority.

State: Processing state of the alert. A newly generated alert is in the Open state. Other states are as follows:
• Reopen: A previously closed alert is open again, and it requires your attention.
• Flapping: The alert is receiving identical events from the same source at high frequency. This state can cause an alert to re-open from the Closed state, resulting in a high frequency of changes between Open and Closed states.
• Closed: The alert is closed and does not require any further action. You close an alert when it is remediated.
Configuration item: The CI in the CMDB that the alert applies to.
Node: Node field that is received in the log message. The event described in the log message occurred on this node. Often, the node is the name of the CI that is associated with the alert. For example, a computer name, IP address, FQDN, or MAC address.

Source: All Health Log Analytics alerts have the value Log Analytics in the Source column to indicate that the Health Log Analytics app generated the alert.

Metric name: Name of the metric whose anomalous behavior led to the alert. For example, the I/O request in the case that the I/O request took longer than 15000 ms to complete.

Updated: Most recent time when the alert information or state was updated.
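The following is an added example, not ServiceNow code, that turns the ordering rule in the Priority group row (priority group outranks severity) into a working triage sort over a few constructed alert rows with the columns above. It assumes, beyond what the table states, that Closed alerts are left out of the work queue and that alerts tied on priority group and severity are ordered by most recent Updated time first; the alert numbers and timestamps are constructed.

```python
"""Triage ordering for alerts on the Alerts in group tab.

Added example, not ServiceNow code. It encodes the documented rule that the
priority group ranks above severity, and assumes (not stated on the page)
that Closed alerts are dropped from the queue and that ties are broken by
the newest Updated time.
"""
from datetime import datetime

# Documented priority group values, most urgent first.
PRIORITY_ORDER = ["Urgent", "High", "Moderate", "Low"]
# Documented severity values, most severe first.
SEVERITY_ORDER = ["Critical", "Major", "Minor", "Warning", "Info", "Clear"]
# Documented processing states.
STATES = {"Open", "Reopen", "Flapping", "Closed"}


def triage_key(alert: dict) -> tuple:
    """Sort key: priority group, then severity, then newest update first.

    Unknown values raise rather than silently sorting to one end, so a
    mistyped or new choice cannot push an alert to the bottom of the queue.
    """
    if alert["priority_group"] not in PRIORITY_ORDER:
        raise ValueError(f"unknown priority group: {alert['priority_group']!r}")
    if alert["severity"] not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity: {alert['severity']!r}")
    if alert["state"] not in STATES:
        raise ValueError(f"unknown state: {alert['state']!r}")
    updated = datetime.fromisoformat(alert["updated"])
    return (
        PRIORITY_ORDER.index(alert["priority_group"]),
        SEVERITY_ORDER.index(alert["severity"]),
        -updated.timestamp(),  # negate so the most recent update sorts first
    )


def triage_order(alerts: list[dict]) -> list[str]:
    """Return alert numbers in the order they should be worked on.

    Closed alerts need no further action (assumption: drop them from the queue).
    """
    open_alerts = [a for a in alerts if a["state"] != "Closed"]
    return [a["number"] for a in sorted(open_alerts, key=triage_key)]


# Constructed sample rows, not taken from a real instance.
SAMPLE_ALERTS = [
    {"number": "Alert0001", "priority_group": "Low", "severity": "Critical",
     "state": "Open", "updated": "2025-01-30T10:00:00"},
    {"number": "Alert0002", "priority_group": "High", "severity": "Warning",
     "state": "Reopen", "updated": "2025-01-30T09:00:00"},
    {"number": "Alert0003", "priority_group": "High", "severity": "Major",
     "state": "Flapping", "updated": "2025-01-30T08:00:00"},
    {"number": "Alert0004", "priority_group": "Urgent", "severity": "Info",
     "state": "Closed", "updated": "2025-01-30T11:00:00"},
    {"number": "Alert0005", "priority_group": "High", "severity": "Warning",
     "state": "Open", "updated": "2025-01-30T09:30:00"},
]

if __name__ == "__main__":
    # Alert0001 is Critical but Low priority, so it comes last; the Closed
    # Urgent alert is not listed at all.
    for number in triage_order(SAMPLE_ALERTS):
        print(number)
```

Note that the key compares the position of each value in the documented lists rather than the strings themselves, so the sort cannot be fooled by alphabetical order ("Critical" sorting before "Major" is a coincidence, "Urgent" sorting after "High" is not).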