Alert grouping types
Alert grouping types in ServiceNow's Event Management streamline problem identification by organizing alerts into distinct clusters based on specific criteria. Each alert can belong to only one group at a time, facilitating efficient management and response to incidents.
Key Features
- Log Analytics: Groups alerts based on significant connections identified during log analytics processing.
- Rule-based: Organizes alerts by compliance with user-defined correlation rules, created via business rules.
- Automated: Forms groups from aggregated alerts sharing the same CI type and metric name, created through scheduled jobs.
- CMDB-based: Groups alerts based on relationships in the Configuration Management Database (CMDB), also created via scheduled jobs.
- Text-based: Clusters alerts using common text patterns from fields like Description and Metric Name.
- Tag cluster: Allows users to define alert groupings based on tags, simplifying the clustering process.
- Manual: Enables users to manually group alerts based on specific criteria.
Key Outcomes
Utilizing these alert grouping types allows ServiceNow customers to enhance their incident response strategies by providing clarity on alert relationships, improving service availability, and reducing alert noise. Each grouping method supports specific organizational needs, enabling more effective monitoring and management of IT operations.
Alerts are grouped into various types to streamline problem identification and management. An alert can belong to only one alert group at a time.
You can view all alert groups by navigating to , where the icon in the Group column denotes the alert group type. Alerts not associated with any group will not have an entry in the Group column. Double-click the Group column for an alert group to open the Grouped Alerts dialog box, where you can display all alerts in the group and manually add or remove alerts.
| Type | Icon | Description | Creation method | Additional information |
|---|---|---|---|---|
| Log Analytics | L | Log Analytics groups are formed when the system identifies multiple related Log Analytics alerts, grouping them based on their significant connections. | Created as part of log analytics event processing. | Kinds of Health Log Analytics alerts |
| Rule-based | R | Rule-based groups consist of related alerts that are organized based on compliance with alert correlation rules, which determine how alerts are grouped according to their relationships. | Created via a business rule (Calculate correlation rule) on the em_alert table when an alert is created or updated. | Create an alert correlation rule |
| Automated | A | Automated groups are formed by alert aggregation and include a virtual alert as the primary alert of the group. An Aggregated automated group is created when two or more alerts share the same CI type and metric name. | Created via scheduled job. | Automated alert grouping |
| CMDB-based | C | CMDB-based groups are formed based on CI relationships in the CMDB, specifically for CIs that are not included in rule-based or automated groups. | Created via scheduled job. | CMDB based alert grouping |
| Text-based | T | Text-based groups are formed by grouping alerts based on similar text from frequently used words in alert fields such as Description and Metric Name. | Created via scheduled job. | N/A |
| Tag cluster | Tag | Tag cluster groups are formed by grouping alerts according to user-defined tag-based alert clustering definitions. | Created via scheduled job. | Tag cluster alert grouping |
| Manual | M | Alerts grouped manually by users to organize related issues. | Created manually by the user. | Create alert group manually |
For information on scheduled jobs and parameters, refer to Scheduled jobs and parameters for alert grouping. For detailed information on configuring alert correlation logic order, see Configure alert correlation logic order.
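The following is an added illustrative model, not ServiceNow's own code, of the one-group-per-alert rule described above: the grouping passes run in correlation-logic order and the first match wins, so the CMDB-based pass only ever sees alerts left over from the rule-based and automated passes. The alerts, the correlation rule and the CMDB relationships are constructed samples.

```python
from collections import defaultdict

# Constructed sample alerts (not real ServiceNow data).
ALERTS = [
    {"id": "A1", "ci": "db01", "ci_type": "cmdb_ci_db", "metric": "cpu"},
    {"id": "A2", "ci": "db02", "ci_type": "cmdb_ci_db", "metric": "cpu"},
    {"id": "A3", "ci": "web01", "ci_type": "cmdb_ci_web", "metric": "latency"},
    {"id": "A4", "ci": "app01", "ci_type": "cmdb_ci_app", "metric": "errors"},
    {"id": "A5", "ci": "lb01", "ci_type": "cmdb_ci_lb", "metric": "conns"},
    {"id": "A6", "ci": "fs01", "ci_type": "cmdb_ci_fs", "metric": "disk"},
]
# Constructed CMDB "depends on" relationships: child CI -> parent CIs.
CMDB_DEPENDS_ON = {"lb01": {"app01"}, "app01": {"db01"}}


def rule_based(alert):
    """Hypothetical user-defined correlation rule: every latency alert
    joins one rule-based group (group ids prefixed R:)."""
    return "R:latency" if alert["metric"] == "latency" else None


def automated(alerts):
    """Automated pass: two or more alerts with the same CI type and metric
    name form one group (prefix A:). ServiceNow would add a virtual
    primary alert for the group; that is not modelled here."""
    buckets = defaultdict(list)
    for a in alerts:
        buckets[(a["ci_type"], a["metric"])].append(a["id"])
    return {aid: f"A:{t}/{m}"
            for (t, m), ids in buckets.items() if len(ids) >= 2
            for aid in ids}


def cmdb_based(alerts):
    """CMDB pass: alerts whose CIs are directly related join one group
    (prefix C:, named after the parent CI). Only alerts still ungrouped
    are passed in, matching the 'not in rule-based or automated' rule."""
    by_ci = {a["ci"]: a["id"] for a in alerts}
    groups = {}
    for child, parents in CMDB_DEPENDS_ON.items():
        for parent in parents:
            if child in by_ci and parent in by_ci:
                gid = groups.get(by_ci[parent], f"C:{parent}")
                groups[by_ci[child]] = gid
                groups[by_ci[parent]] = gid
    return groups


def assign_groups(alerts):
    """Apply the passes in order; an alert keeps its first group."""
    result = {a["id"]: g for a in alerts if (g := rule_based(a))}
    result.update(automated([a for a in alerts if a["id"] not in result]))
    result.update(cmdb_based([a for a in alerts if a["id"] not in result]))
    return result  # alerts absent from the result have an empty Group column
```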