Rule-based alert grouping

  • Release version: Washingtondc
  • Updated August 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Rule-based Alert Grouping

    Rule-based alert grouping in IT Operations Management allows for the classification of alerts into primary and secondary categories using alert correlation rules. This functionality helps to manage alerts more effectively by grouping related alerts, thereby reducing alert noise and focusing attention on critical issues. The rule applies only to new alerts or those whose status has changed to open or reopened.

    Show full answer Show less

    Key Features

    • Primary Alerts: Identify the root cause of an alert group and represent grouped secondary alerts.
    • Secondary Alerts: Related to the primary alert, these help identify which alerts can be suppressed.
    • Alert Filtering: Primary and secondary alert filter conditions classify alerts based on criteria applied to the Alert table.
    • Alert Hierarchy: Only one level of secondary alerts is permitted. If a secondary alert has another secondary alert, the hierarchy is flattened to maintain clarity.
    • Closure Control: A property setting determines whether secondary alerts remain open or are closed when the primary alert is closed.

    Key Outcomes

    By implementing rule-based alert grouping, ServiceNow customers can effectively manage alert noise, focus on primary issues, and maintain a clear structure of related alerts. This ensures that alerts are prioritized correctly, enhancing operational efficiency and facilitating quicker resolution of IT incidents.

    Rule-based alert grouping is created by alert correlation rules. These rules allow you to manually classify alerts as primary or secondary and establish a relationship between them. Use alert correlation rules to group related alerts. The rule runs only for new alerts or alerts whose status changed from close/flapping to open/reopen.

    Example: If rule-based alert grouping is applied, secondary alerts indicating that virtual machines or applications on the offline server are also down and are grouped under the primary alert, which is the root alert for the server that is offline. You can view rule-based alert grouping in Express List of Service Operations Workspace (ITOM). For more information, see Viewing links between alerts in rules-based alert groups.

    Primary and secondary alerts

    • Primary alert: Identifies the root cause of an alert group and represents its secondary alerts.
    • Secondary alert: Related to the same issue, they are grouped under the primary alert. The purpose of secondary alerts is to determine which alerts to suppress, reducing alert noise and allowing you to focus on the primary alert.

    How primary and secondary alerts interact

    In rule-based alert grouping, one of the real alerts is designated as the primary alert. Primary and secondary alert filter conditions specify which alerts are classified as primary and which as secondary. The filter criteria are applied to the Alert [em_alert] table.

    In this alert grouping, both primary and secondary alerts are visible but secondary alerts are grouped under the primary alert. The property Keep the secondary alert open even when primary closed. for manual or rule based (evt_mgmt.rule_based_manual_closure) controls whether secondary alerts remain open or are closed when the primary alert is closed.

    If the property is not selected (i.e., set to No), after the primary alert is closed, the parent reference is removed from the secondary alerts (the grouping is dissolved), and the secondary alerts are closed and become stand-alone. If you select the checkbox for the property (i.e., set it to Yes) and the primary alert is closed, the parent reference is removed from the secondary alerts (the grouping is dissolved), causing them to become stand-alone open alerts.

    Alert hierarchy

    Only one level of secondary alerts is permitted. In situations where a secondary alert has its own secondary alert, the Event Management application flattens the hierarchy to preserve only two levels.

    For example, assume alert A is the primary alert and alert B is the secondary alert. If alert C becomes a secondary alert for alert B, the application flattens the hierarchy so that A remains the primary and B and C become sibling secondary alerts, one level below A.

    As another example, assume that there are three correlation rules that produce the following results:
    • Rule 1 (with an Order value of 1): B becomes a primary alert for A.
    • Rule 2 (with an Order value of 2): A becomes a primary alert for C and D.
    • Rule 3 (with an Order value of 3): E becomes a primary alert for A.

    When alerts B, C, D, and E are triggered, they all appear in the alert list separately because there are no correlations between them.

    When alert A is triggered:
    1. Rule 1 makes A a secondary alert under alert B.
    2. Rule 2 makes both C and D secondary alerts under alert A, and the hierarchy is flattened so that A, C, and D become secondary alerts to the primary alert B.
    3. Rule 3 is not applied because multiple parents are not allowed—A already has B as its primary.

    Therefore, if all alerts are triggered, only B appears as the primary alert for A, D, and C, while E remains a standalone alert.