Automated alert grouping

  • Release version: Washingtondc
  • Updated August 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Automated Alert Grouping

    Automated alert grouping in Event Management aggregates alerts based on historical data to create automated alert groups. These groups are visible in the Express List within the Service Operations Workspace, enabling more efficient monitoring and management of alerts.

    Show full answer Show less

    Key Features

    • Alert Aggregation: Enabled by setting the property saanalytics.aggregationenabled to true, allowing for the creation of automated alert groups.
    • Pattern Identifiers: The default identifier is Metric Name, but it can be customized to use different alert fields, referred to as Feature Identifier Attributes.
    • Learning Patterns: The system identifies related alerts based on defined attributes, allowing for grouping into Learned Patterns.
    • Historical Analysis: Aggregation analyzes issues from the last 30 days, with the duration controlled by the saanalytics.agg.learnerperioddays parameter.
    • CI-based Grouping: Alerts can be grouped even if they lack a Configuration Item (CI) by enabling the saanalytics.enablenocigrouping property.

    Key Outcomes

    Utilizing automated alert grouping allows ServiceNow customers to:

    • Streamline alert management by reducing noise and focusing on significant patterns.
    • Enhance decision-making through improved visibility into alert relationships and frequencies.
    • Maintain accuracy in alert groupings by excluding incorrect patterns and restoring valuable insights as needed.

    This feature ultimately leads to more efficient IT operations and better resource allocation through effective alert management.

    Event Management alert aggregation aggregates alerts into automated alert groups based on historical alert data. Automated alert groups are displayed in the Express List in the Service Operations Workspace.

    Enable creating automated alert groups by setting the Enable alert aggregation for Automated, CMDB and Text based groups (sa_analytics.aggregation_enabled) property to true.

    If the Domain Support - Domain Extensions Installer is activated, then alert aggregation patterns are built according to the domain level that is specified in the sa_analytics.agg.learner_domain_level property. By default, the domain level is set to two, which is the second domain level in the domain hierarchy. See Domain separation and Event Management.

    To create automated alert groups, aggregation algorithms rely on historical alerts with the same alert identifier (CI and metric identifier) and which occurred multiple times in the same time frame.

    About Pattern Identifiers

    The default pattern identifier is defined as Metric Name. In the Manage Pattern Identifier form you can which alert fields are currently used for the pattern identifier. You can choose a different set of alert fields to deploy, or define a new set of fields for the pattern identifier.
    Note:
    A set of alert fields used for pattern identifier is also referred as Feature Identifier Attributes or attributes.
    To ensure that the specified alert fields in the pattern identifier are effective, a sufficient number of alerts must have the respective populated fields. Therefore, if you specify a new set of alert fields in the pattern identifier, do the following to ensure meaningful analysis:
    • Create an event rule that populates the respective alert fields.
    • If a large number of existing alerts don’t have values for the new set of alert fields used in the pattern identifier, ensure to run the Service Analytics Attribute Populator for Historical Alerts job that uses the appropriate event rule to populate alert fields from historical alerts. Properties originating from the CMDB CI using dot-walking aren’t populated.
    • Choose effective identifiers:
      • Ensure that the set of alert fields in the pattern identifier isn’t too unique (for example, the date field is unique for every alert), because it is impossible to identify any pattern.
      • Ensure that the set of alert fields in the pattern identifier isn’t too common, because it won’t be possible to create distinct groups, as everything would be included in the same group.

    When an alert pattern is discovered based on a set of alert fields, the alerts are considered to be related to each other and therefore are grouped into a Learned Pattern. For example, if you configure identifier attributes to create a pattern based on alerts with the same Priority Group and Resource, if a group of alerts match those attributes, they’re grouped into a pattern that displays on the Learned Patterns report (Event Management > Administration > Learned Patterns).

    Only one set of pattern identifier attributes can be active at a time. A new set of pattern identifier attributes isn’t automatically implemented until you deploy it. When you deploy a new set of attributes, the current set of attributes that is in effect becomes inactive. Subsequent queries use the active pattern identifier attributes to perform alert aggregation.

    The major purpose of this pattern based alert aggregation is to find patterns of issues that occurred during last 30 days. The number of days is controlled by the sa_analytics.agg.learner_period_days parameter. To identify an issue, the system uses a combination of Configuration Items (CIs) and Pattern Identifiers (sometime called Feature Identifiers). A Pattern Identifier, by default, is defined as Metric Name, but it may be modified. Two alerts are similar if they have the same CI and Pattern Identifier. However, Source, Severity, Description, and other alert fields may differ. For more information, see Specify and manage pattern identifier attributes for alert aggregation.
    Note:
    The Alert Aggregation Learner also learns the patterns of alerts in manual alert groups.

    In some cases you can build patterns from alerts whose CIs have the same value in a selected field. For example, to build patterns from alerts that have the same CI Location field, enter 'location' in the sa_analytics.agg.learner_group_by_property property. For more information, see Configure scheduled job-based alert grouping.

    Alerts that don't contain a CI can still be grouped together as Text-based or CI-based alert groups. In this case, a node is considered as a CI. To enable this functionality, set the sa_analytics.enable_no_ci_grouping property to true. When working with CI-based groups, ensure that the Feature Identifier includes both the node and metric name. For details on configuring the feature identifier, see Learned Patterns report.