Viewing links between alerts in alert groups in Express List
Summary of Viewing Links Between Alerts in Alert Groups in Express List
Link View in Express List provides a visual representation of the relationships between alerts within alert groups generated by Event Management. It enhances understanding of how alert attributes are connected, using colored tags to represent Configuration Items (CIs) and other environmental items relevant to the alerts. This functionality is available even without a populated Configuration Management Database (CMDB), although a populated CMDB offers additional insights regarding probable causes and impacted services.
Key Features
- Visual Representation: Link View visually displays alert relationships, allowing users to rearrange nodes for focused analysis.
- Manual Refresh: The layout does not refresh automatically; users must refresh manually to return nodes to their original positions.
- Node Badges: Badges indicate the presence of multiple alerts sharing the same key-value pair, with numbers reflecting the count of alerts.
- Change Badges: Active change requests linked to alerts are marked, providing quick identification of probable causes.
- Legend and Tooltip: A legend explains symbols and colors, while hovering over nodes reveals detailed information including tag name, class, severity, and alert status.
- Support for Various Groups: Link View is compatible with tag-based, rule-based, and CMDB-based alert groups.
Key Outcomes
Utilizing Link View enables ServiceNow customers to efficiently triage alerts by visualizing their connections and impacts. This leads to quicker identification of the probable causes and the services affected, thus enhancing incident management and response times.
Gain a better understanding of the relationships between alerts in alert groups in the Express List by using Link View. Link View offers a visual representation of the relationships between the alerts in a group.
When Event Management generates an alert group, Link View shows how the attributes of the alerts in the group are linked. The colored tags represent Configuration Items (CIs) and other environment items in relation to the alerts. The information shown in Link View is available without the need for a populated Configuration Management Database (CMDB). However, when the CMDB is populated, Link View offers additional value by providing the probable cause of the alerts and the service that the alert group impacts.
You can focus on your areas of interest by dragging the nodes in Link View to different positions. When you refresh an alert group, rearranged nodes return to their original positions. For this reason, Link View is not refreshed automatically; it waits for you to refresh it manually. If an alert on a CI impacts a service in the Configuration Management Database (CMDB), Link View shows the impacted service, enabling you to view it at a glance for quick triage.
A stacked node indicates that multiple nodes were mapped for the same tag. When the same key-value pair appears in more than one alert, the corresponding node is shown with a badge. For example, when the same key-value pair appears in two alerts, the badge on the node shows the number 2, as seen on the Payment tracker node in the sample alert group figure. When a node has no badge, the key-value pair appeared in only one alert. An active change request, a probable cause of the alert, is marked by a Change badge.
The Link View legend lists the meaning of the symbols and colors used and allows you to toggle between hiding and showing types of tags to reduce noise. In addition, the legend describes the meaning of the various lines linking the alert attributes. Attributes linked by a solid line share one or more alerts, whereas attributes linked by a dotted line are correlated by grouping criteria. For a description of each tag, see Tags in Express List Link View. Hovering over a node displays a tooltip that includes the name of the tag, its class, its severity, the number of alerts in which it appeared, and whether the alert is primary or secondary or the probable cause of the alert, if applicable.
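The badge and solid-line rules described above can be modeled in a few lines. This is an added example, not ServiceNow code: the alert IDs, tag keys, host names, and the `build_link_view` and `badge` functions are constructed for illustration, and dotted (grouping-criteria) links are left out because the page does not define how they are derived.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample alert group: alert id -> tag key-value pairs.
# All ids, keys and host names here are illustrative assumptions.
SAMPLE_ALERTS = {
    "Alert0001": {"service": "Payment tracker", "host": "pay-db-01"},
    "Alert0002": {"service": "Payment tracker", "host": "pay-app-02"},
    "Alert0003": {"service": "Checkout", "host": "pay-app-02"},
}


def build_link_view(alerts):
    """Model the node and solid-link rules for one alert group.

    Returns (nodes, solid_links):
      nodes       {(key, value): sorted alert ids containing that pair}
      solid_links {frozenset({node_a, node_b}): sorted shared alert ids}
    """
    members = defaultdict(set)
    for alert_id, tags in alerts.items():
        for pair in tags.items():
            members[pair].add(alert_id)

    nodes = {pair: sorted(ids) for pair, ids in members.items()}

    # Solid line: the two attributes share one or more alerts.
    solid_links = {}
    for a, b in combinations(sorted(members), 2):
        shared = members[a] & members[b]
        if shared:
            solid_links[frozenset((a, b))] = sorted(shared)
    return nodes, solid_links


def badge(nodes, pair):
    """Badge number for a node, or None when the pair is in only one alert."""
    count = len(nodes[pair])
    return count if count > 1 else None


if __name__ == "__main__":
    nodes, links = build_link_view(SAMPLE_ALERTS)
    for pair in sorted(nodes):
        print(pair, "badge:", badge(nodes, pair))
    for link, shared in links.items():
        print(sorted(link), "share", shared)
```

When triaging, the nodes with the highest badge numbers are the attributes common to the most alerts in the group, which makes them the natural starting point.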