Sections and cards on the Overview tab for a Log Analytics group in Health Log Analytics

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read

    The alert Overview tab in Health Log Analytics helps you understand Log Analytics groups.

    For a detailed description of Log Analytics groups, see Types of Health Log Analytics alerts.

    Summary

    Identified issue

    This card describes the issue that led to the alert. The identified issue appears on the card and in the title for the alert. Information about the alert appears in the banner.

    Figure 1. Identified issue
    Identified issue appears here and in alert title.

    Select View correlations to view the list of correlations that relate the Log Analytics alerts.

    Correlations list

    During initial analysis, alerts are scored. Each correlation in the alert's log data with another alert contributes to the score. The higher the score, the more likely the alert is to be included as a Log Analytics alert in a Log Analytics group.

    The following kinds of data are considered when determining whether alerts are correlated:

    • Time: The events all occurred within a configured time interval.
    • Metadata: The alerts have matching values in log-line metadata. For example, all alerts involve the same host.
    • Message text: The message text in the log data is similar or identical between alerts.
    • Trend: The alerts show a similar tendency in values or rates. For example, a particular metric value is increasing in all alerts.
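
The four correlation factors above can be turned into a small scorer. The following Python is an added example and not ServiceNow code: it scores every pair of constructed alerts on time proximity, matching metadata, message-text similarity and shared trend, joins pairs above an assumed threshold into groups, and reports the metadata the group has in common as its log correlator. The window, weights and threshold are assumptions; the product's real scoring is not published on this page.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample alerts (not ServiceNow data). Each carries log-line
# metadata and a short series of metric samples used for the trend check.
@dataclass
class Alert:
    number: str
    time: datetime
    metadata: dict
    message: str
    values: list

T0 = datetime(2026, 3, 12, 10, 0, 0)
SAMPLE_ALERTS = [
    Alert("ALT0001", T0, {"host": "web01", "user": "svc-app"},
          "I/O request took 18213 ms to complete", [9000, 12000, 18213]),
    Alert("ALT0002", T0 + timedelta(minutes=2), {"host": "web01", "user": "svc-app"},
          "I/O request took 17990 ms to complete", [8500, 13000, 17990]),
    Alert("ALT0003", T0 + timedelta(minutes=3), {"host": "web01", "user": "root"},
          "disk latency rising on /var", [100, 150, 240]),
    Alert("ALT0004", T0 + timedelta(hours=2), {"host": "db07", "user": "postgres"},
          "connection pool exhausted", [50, 40, 30]),
    Alert("ALT0005", T0 + timedelta(hours=2, minutes=1), {"host": "db07", "user": "postgres"},
          "connection pool exhausted", [48, 39, 31]),
]

TIME_WINDOW = timedelta(minutes=10)   # assumed "configured time interval"
SCORE_THRESHOLD = 2                   # assumed minimum score to correlate a pair

def trend(values):
    """Sign of the overall movement in a metric series: +1 rising, -1 falling, 0 flat."""
    delta = values[-1] - values[0]
    return (delta > 0) - (delta < 0)

def pair_score(a, b):
    """Score one pair of alerts on the four factors; weights are assumptions."""
    score, reasons = 0, []
    if abs(a.time - b.time) <= TIME_WINDOW:                      # Time
        score += 1; reasons.append("time")
    shared = [k for k in a.metadata if a.metadata[k] == b.metadata.get(k)]
    score += len(shared)                                         # Metadata
    reasons += [f"metadata:{k}" for k in shared]
    if SequenceMatcher(None, a.message, b.message).ratio() >= 0.8:  # Message text
        score += 1; reasons.append("message")
    if trend(a.values) != 0 and trend(a.values) == trend(b.values):  # Trend
        score += 1; reasons.append("trend")
    return score, reasons

def correlate(alerts, threshold=SCORE_THRESHOLD):
    """Union correlated pairs into groups; each group reports its shared correlator."""
    parent = {a.number: a.number for a in alerts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(alerts, 2):
        if pair_score(a, b)[0] >= threshold:
            parent[find(a.number)] = find(b.number)
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a.number)].append(a)
    result = []
    for members in groups.values():
        common = dict(members[0].metadata)   # metadata common to every member
        for m in members[1:]:
            common = {k: v for k, v in common.items() if m.metadata.get(k) == v}
        result.append({"correlator": common,
                       "alerts": sorted(m.number for m in members),
                       "count": len(members)})
    return sorted(result, key=lambda g: g["alerts"][0])

if __name__ == "__main__":
    for g in correlate(SAMPLE_ALERTS):
        print(g["count"], g["correlator"], g["alerts"])
```

The `count` field corresponds to the number shown in the blue square next to a log correlator: how many alerts share that correlator. Two groups come out of the sample: three alerts on host web01, and two on db07 that also share a user name.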

    Figure 2. Correlations
    Correlations lists log correlators and Log Analytics alerts per group.

    1. List of correlations: The first correlation in the list is expanded to show the individual Log Analytics alerts that are correlated and the log correlator that the alerts share.
    2. An individual log correlator: The identifier for a group of correlated Log Analytics alerts. The alerts are grouped by the log-line data or metadata that is common to the alerts (for example, IP address, host name, or user name). The number in the blue square indicates the number of correlated alerts.
    3. Log Analytics alerts that are correlated.

    Alerts in group

    For a Log Analytics alert, the Alerts in group card shows the Log Analytics alerts that are grouped under the Log Analytics alert. Select a Log Analytics alert to view its details.

    Figure 3. Alerts in group
    Select a Log Analytics alert to view its details.

    Select View all to view the list of all Log Analytics alerts in the group and relevant information about them. You can also view the Alerts in group list by selecting the Related records tab and then selecting Alerts in group.

    For each Log Analytics alert in the group, the following information is available.
    Table 1. Alerts in group

    Number: The number of the alert. Select the number to view detailed information for an alert. This field is automatically set.

    Initial event generation time: The time when the event that generated the alert first occurred.
    Note: Time here is the ServiceNow processing time, not the source system time.

    Group: Type of group that the alert belongs to: a standalone Log Analytics alert or a Component-based alert.

    Description: Anomalous pattern or metric that caused the alert to be generated.

    Severity: Severity value for the alert. The available values are:
    • Critical: Immediate action is required. Either the resource is not functional or critical problems are imminent.
    • Major: Major functionality is severely impaired or performance has degraded.
    • Minor: Either performance has degraded or there is a partial, non-critical loss of functionality.
    • Warning: Attention is required even though the resource is still functional.
    • Info: An informational message. An alert is created, but the resource is still functional.
    • Clear or Resolved: No action is required. An alert is not created from this event. Existing alerts are closed.

    Priority group: Priority group that indicates the order in which to resolve alerts. Choices are as follows:
    • Urgent
    • High
    • Moderate
    • Low
    The priority group value is more important than severity alone. For example, a high priority and low severity alert should be addressed before a low priority and high severity alert. For information on how priority is calculated, see Alert priority.

    State: Processing state of the alert. A newly generated alert is in the Open state. Other states are as follows:
    • Reopen: A previously closed alert is open again, and it requires your attention.
    • Flapping: The alert is receiving identical events from the same source at high frequency. This state can cause an alert to re-open from the Closed state, resulting in a high frequency of changes between the Open and Closed states.
    • Closed: The alert is closed and does not require any further action. You close an alert when it is remediated.

    Configuration item: The CI in the CMDB that the alert applies to.

    Node: Node field that is received in the log message. The event described in the log message occurred on this node. Often, the node is the name of the CI that is associated with the alert, for example, a computer name, IP address, FQDN, or MAC address.

    Source: All Health Log Analytics alerts have the value Log Analytics in the Source column to indicate that the Health Log Analytics app generated the alert.

    Metric name: Name of the metric whose anomalous behavior led to the alert. For example, the I/O request in the case that the I/O request took longer than 15000 ms to complete.

    Updated: Most recent time when the alert information or state was updated.

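The ordering rule stated for the Priority group column (priority group before severity) can be applied directly to rows shaped like Table 1. The following Python is an added example, not ServiceNow code: it drops Closed alerts, then orders the rest by priority group, then severity, then oldest initial event. The numeric ranks and the sample rows are constructed for this example.

```python
from datetime import datetime

# Ranks for the Severity and Priority group values listed in Table 1
# (lower rank is handled first). The rank numbers are an assumption.
SEVERITY_RANK = {"Critical": 0, "Major": 1, "Minor": 2, "Warning": 3, "Info": 4, "Clear": 5}
PRIORITY_RANK = {"Urgent": 0, "High": 1, "Moderate": 2, "Low": 3}
# States that still need work; Closed alerts are left out of the queue.
ACTIONABLE_STATES = {"Open", "Reopen", "Flapping"}

# Constructed rows shaped like the Alerts in group table (not real data).
SAMPLE_ROWS = [
    {"Number": "ALT0101", "Severity": "Critical", "Priority group": "Low",
     "State": "Open", "Initial event generation time": datetime(2026, 3, 12, 9, 0)},
    {"Number": "ALT0102", "Severity": "Warning", "Priority group": "High",
     "State": "Open", "Initial event generation time": datetime(2026, 3, 12, 9, 5)},
    {"Number": "ALT0103", "Severity": "Major", "Priority group": "Urgent",
     "State": "Closed", "Initial event generation time": datetime(2026, 3, 12, 8, 0)},
    {"Number": "ALT0104", "Severity": "Major", "Priority group": "High",
     "State": "Reopen", "Initial event generation time": datetime(2026, 3, 12, 9, 1)},
    {"Number": "ALT0105", "Severity": "Minor", "Priority group": "High",
     "State": "Flapping", "Initial event generation time": datetime(2026, 3, 12, 8, 30)},
]

def triage_key(row):
    """Priority group first, then severity, then the oldest initial event first."""
    return (PRIORITY_RANK[row["Priority group"]],
            SEVERITY_RANK[row["Severity"]],
            row["Initial event generation time"])

def triage_order(rows):
    """Return alert numbers in the order to work them, skipping Closed alerts."""
    queue = [r for r in rows if r["State"] in ACTIONABLE_STATES]
    return [r["Number"] for r in sorted(queue, key=triage_key)]

if __name__ == "__main__":
    print(triage_order(SAMPLE_ROWS))
```

With the sample rows, ALT0102 (High priority, Warning severity) is queued ahead of ALT0101 (Low priority, Critical severity), which is exactly the rule the table states, and the Closed alert ALT0103 never enters the queue even though it is Urgent.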
    Impact

    Configuration Items

    This card provides information about the CIs that are impacted by the alert.

    Impacted services

    This card provides information about the services that are impacted by the alert.

    Figure 4. Impact section
    Impact section provides information on the impacted CIs and services.