Rule-based alert grouping

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Rule-based alert grouping

    Rule-based alert grouping in ServiceNow Event Management allows you to manually classify alerts as primary or secondary through alert correlation rules. This grouping helps reduce alert noise by associating related alerts, enabling you to focus on the root cause represented by the primary alert. The grouping is applied only to new alerts or alerts whose status changes from close/flapping to open/reopen.

    Show full answer Show less

    For example, secondary alerts indicating that virtual machines or applications on an offline server are down can be grouped under a primary alert representing the offline server itself. This grouping is visible in the Express List within the Service Operations Workspace (ITOM).

    Primary and secondary alerts

    • Primary alert: Identifies the root cause of the alert group and serves as the main alert representing related secondary alerts.
    • Secondary alert: Related alerts grouped under the primary alert to reduce noise and help isolate the root issue.

    Both primary and secondary alerts remain visible, with secondary alerts nested beneath the primary alert in the interface. The classification is controlled by filter conditions applied to the Alert [emalert] table.

    Alert interaction and lifecycle

    The property “Keep the secondary alert open even when primary closed” (evtmgmt.rulebasedmanualclosure) determines whether secondary alerts remain open or close when the primary alert is resolved:

    • If set to No, closing the primary alert dissolves the grouping and closes secondary alerts.
    • If set to Yes, closing the primary alert dissolves the grouping but leaves secondary alerts open as standalone alerts.

    Alert hierarchy and limitations

    Only one level of secondary alerts is permitted to maintain clarity:

    • If a secondary alert has its own secondary alert, the hierarchy is flattened so that all secondary alerts are siblings under the primary alert.
    • When multiple correlation rules assign different primary alerts to the same alert, only the first applicable rule (based on order value) is applied, preventing multiple parent alerts.

    Creating alert correlation rules

    To implement rule-based alert grouping, create alert correlation rules that specify criteria to identify primary and secondary alerts. These rules define the root cause alert and group related alerts under it, streamlining alert management and improving operational focus.

    Rule-based alert grouping is created by alert correlation rules. These rules allow you to manually classify alerts as primary or secondary and establish a relationship between them. Use alert correlation rules to group related alerts. The rule runs only for new alerts or alerts whose status changed from close/flapping to open/reopen.

    Example: If rule-based alert grouping is applied, secondary alerts indicating that virtual machines or applications on the offline server are also down and are grouped under the primary alert, which is the root alert for the server that is offline. You can view rule-based alert grouping in Express List of Service Operations Workspace (ITOM). For more information, see Viewing links between alerts in rules-based alert groups.

    Primary and secondary alerts

    • Primary alert: Identifies the root cause of an alert group and represents its secondary alerts.
    • Secondary alert: Related to the same issue, they are grouped under the primary alert. The purpose of secondary alerts is to determine which alerts to suppress, reducing alert noise and allowing you to focus on the primary alert.

    How primary and secondary alerts interact

    In rule-based alert grouping, one of the real alerts is designated as the primary alert. Primary and secondary alert filter conditions specify which alerts are classified as primary and which as secondary. The filter criteria are applied to the Alert [em_alert] table.

    In this alert grouping, both primary and secondary alerts are visible but secondary alerts are grouped under the primary alert. The property Keep the secondary alert open even when primary closed. for manual or rule based (evt_mgmt.rule_based_manual_closure) controls whether secondary alerts remain open or are closed when the primary alert is closed.

    If the property is not selected (i.e., set to No), after the primary alert is closed, the parent reference is removed from the secondary alerts (the grouping is dissolved), and the secondary alerts are closed and become stand-alone. If you select the checkbox for the property (i.e., set it to Yes) and the primary alert is closed, the parent reference is removed from the secondary alerts (the grouping is dissolved), causing them to become stand-alone open alerts.

    Example: Alert hierarchy

    Only one level of secondary alerts is permitted. In situations where a secondary alert has its own secondary alert, the Event Management application flattens the hierarchy to preserve only two levels.

    For example, assume alert A is the primary alert and alert B is the secondary alert. If alert C becomes a secondary alert for alert B, the application flattens the hierarchy so that A remains the primary and B and C become sibling secondary alerts, one level below A.

    As another example, assume that there are three correlation rules that produce the following results:
    • Rule 1 (with an Order value of 1): B becomes a primary alert for A.
    • Rule 2 (with an Order value of 2): A becomes a primary alert for C and D.
    • Rule 3 (with an Order value of 3): E becomes a primary alert for A.

    When alerts B, C, D, and E are triggered, they all appear in the alert list separately because there are no correlations between them.

    When alert A is triggered:
    1. Rule 1 makes A a secondary alert under alert B.
    2. Rule 2 makes both C and D secondary alerts under alert A, and the hierarchy is flattened so that A, C, and D become secondary alerts to the primary alert B.
    3. Rule 3 is not applied because multiple parents are not allowed—A already has B as its primary.

    Therefore, if all alerts are triggered, only B appears as the primary alert for A, D, and C, while E remains a standalone alert.