Alert insight properties
Summary of Alert insight properties
Alert insight properties in ServiceNow enable administrators with the evt_mgmt_admin role to configure how alert data is analyzed and presented within the Alert Insight pane. These properties control the retrieval, similarity detection, related Configuration Items (CIs), scoring, and task limits for alert insights, enhancing alert correlation and investigation efficiency.
Key Properties and Their Uses
- Time Frame Settings:
  - evt_mgmt.alert_insight_alert_history_min: Defines the time frame (in minutes) to retrieve repeated or similar alert data, defaulting to 30 days.
  - evt_mgmt.alert_insight_closed_alert_window: Sets the time window to include alerts that have been closed, defaulting to 3 days after the last update.
- Similarity Criteria:
  - evt_mgmt.alert_insight_alert_same_as_filter: Specifies which alert fields (e.g., source, type, resource, metric_name) are used to determine alert similarity.
- Related CIs Configuration:
  - evt_mgmt.alert_insight_related_cis_topology_levels: Controls the maximum depth of CI relationships considered within application services, default is 3 levels.
  - Additional properties manage whether to use containment rules, hosting rules, suggested relations, and validation of relation rules, which is critical for accurate CI association.
- Scoring System:
  - Properties like evt_mgmt.alert_insight_group_mapping and level-based mappings assign scores to different relationship types, helping prioritize related CIs based on relevance.
  - Scores accumulate from multiple relationship criteria, enhancing the accuracy of relevance ranking.
- Maximum Related Tasks:
  - evt_mgmt.alert_insight_max_tasks limits the number of related tasks retrieved per alert, with a default of 10, optimizing performance and usability.
Metadata and Relationship Rules
The alert insight feature leverages metadata rules to understand parent-child and dependent relationships between CIs. These include:
- Containment Rules: Define the configuration hierarchy (which CIs contain others).
- Hosting Rules: Describe placement and operational relationships (what CIs run on).
Administrators can manage these rules via the CI Class Manager and Metadata Editor modules, enabling precise control over how CIs are related and scored in alert insights.
Practical Benefits for ServiceNow Customers
- Fine-tuning alert retrieval periods helps focus on relevant data without overwhelming the system.
- Customizing similarity criteria and CI relationship depth improves alert correlation accuracy, reducing noise and aiding faster incident resolution.
- Scoring and relationship validation ensure that the most relevant related CIs and tasks are prioritized, enhancing troubleshooting efficiency.
- Using metadata-driven relationships provides a comprehensive view of CI dependencies and impacts for better root cause analysis.
Use these properties to configure alert insight.
The following alert_insight properties are under sys_properties.
| Property | Usage |
|---|---|
| Time Frame | |
| evt_mgmt.alert_insight_alert_history_min | Set the time frame (in minutes) to retrieve repeated and similar alert data. Default: 43200 (30 days). Note: Alerts are retrieved regardless of their state (open / reopen / flapping / closed). |
| evt_mgmt.alert_insight_closed_alert_window | Set the time frame (in minutes) to retrieve alerts that were already closed. It is the time after the alert last updated date. Default: 4320 (3 days) |
| Similarity | |
| evt_mgmt.alert_insight_alert_same_as_filter | This property is a comma-separated string that defines which of the alert fields is used to consider alerts to be similar. Default: source,type,resource,metric_name |
| Related CIs | |
| evt_mgmt.alert_insight_related_cis_topology_levels | The relationship types are: For ‘Within application service’ relationship type, this property sets the depth or the maximum level of relationship of retrieved CIs. Default: 3 |
| Score | |
| evt_mgmt.alert_insight_group_mapping | This property sets the score for within alert group relations. Default: 2 |
| evt_mgmt.alert_insight_level_1_mapping | This property sets the score for level 1 relationship. Default: 3 |
| evt_mgmt.alert_insight_level_2_mapping | This property sets the score for level 2 relationship. Default: 2 |
| evt_mgmt.alert_insight_level_3_mapping | This property sets the score for level 3 relationship. Default: 1 |
| Maximum related tasks | |
| evt_mgmt.alert_insight_max_tasks | Maximum related tasks to retrieve for alert insight. Default: 10 |
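
The following added example (plain JavaScript, not ServiceNow's own code) models how the similarity filter and the history window from the table decide which alerts count as similar. The alert objects, the `updatedMs` field and the choice to measure the window against the last update time are assumptions made for illustration.

```javascript
// Added illustration (not ServiceNow code): models how the similarity filter
// and history window select alerts. Property values are strings, as they
// would be stored in sys_properties.
const DEFAULT_PROPS = {
  'evt_mgmt.alert_insight_alert_history_min': '43200',
  'evt_mgmt.alert_insight_alert_same_as_filter': 'source,type,resource,metric_name',
};

function similarAlerts(current, candidates, nowMs, overrides = {}) {
  const props = { ...DEFAULT_PROPS, ...overrides };
  const historyMin = Number(props['evt_mgmt.alert_insight_alert_history_min']);
  if (!Number.isFinite(historyMin) || historyMin <= 0) {
    throw new Error('alert_history_min must be a positive number of minutes');
  }
  // Comma-separated field list; tolerate spaces and empty entries.
  const fields = props['evt_mgmt.alert_insight_alert_same_as_filter']
    .split(',').map((f) => f.trim()).filter(Boolean);
  if (fields.length === 0) throw new Error('similarity filter names no fields');

  const oldest = nowMs - historyMin * 60 * 1000;
  return candidates
    .filter((a) => a.number !== current.number)
    // Every listed field must be equal; state is deliberately not checked,
    // matching the note that alerts are retrieved regardless of state.
    .filter((a) => fields.every((f) => a[f] === current[f]))
    // Assumption: the window is measured against the alert's last update.
    .filter((a) => a.updatedMs >= oldest && a.updatedMs <= nowMs)
    .map((a) => a.number);
}

// Constructed sample alerts (all names and values are made up).
const NOW = Date.UTC(2024, 0, 31);
const DAY = 24 * 60 * 60 * 1000;
const base = { source: 'ExampleMonitor', type: 'CPU', resource: 'cpu0', metric_name: 'cpu_load' };
const ALERTS = [
  { ...base, number: 'Alert0001', state: 'Open', updatedMs: NOW },
  { ...base, number: 'Alert0002', state: 'Closed', updatedMs: NOW - 10 * DAY },
  { ...base, number: 'Alert0003', state: 'Open', updatedMs: NOW - 45 * DAY },
  { ...base, number: 'Alert0004', state: 'Open', updatedMs: NOW - DAY, metric_name: 'cpu_idle' },
  { ...base, number: 'Alert0005', state: 'Open', updatedMs: NOW - DAY, source: 'OtherMonitor' },
];

console.log(similarAlerts(ALERTS[0], ALERTS, NOW));
console.log(similarAlerts(ALERTS[0], ALERTS, NOW, {
  'evt_mgmt.alert_insight_alert_same_as_filter': 'source, type, resource',
}));
```

Dropping `metric_name` from the filter widens the match from one alert to two, which is the trade-off to weigh when tuning the filter for noise versus coverage.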
Metadata rules consideration
The parent-child relationship of CIs is considered. Dependent relationship rules consist of hosting and containment rules, each type modeling the data from a different perspective of the CI.
To manage dependent relationship rules:
- To access rules at the class level, use the CI Class Manager. Navigate to .
- To access grouped rules, use the Metadata Editor. Navigate to .
Containment rules represent configuration hierarchy of CIs, describing which CI contains which other CIs.
Hosting rules represent placement of CIs in a business definition, describing what CIs run on.
Modify the alert insight properties to configure the way alert information and analysis appears in the Alert Insight pane.
Related CIs configuration
The following properties control which CMDB relationships to consider for related CIs. The CMDB relationships include regular CMDB relation rules, metadata rules (containment rules and hosting rules), and suggested relations.
| Property | Usage |
|---|---|
| evt_mgmt.related_cis_get_all_relation_types | Get all relation types, not including metadata rules. Default: false |
| evt_mgmt.related_cis_use_containment_rules | Use metadata containment rules. Default: true |
| evt_mgmt.related_cis_use_hosting_rules | Use metadata hosting rules. Default: true |
| evt_mgmt.related_cis_use_suggested_relations_rules | Use suggested relations rules. Default: false |
| evt_mgmt.related_cis_validate_relation_rules | This property controls whether to validate relation of CI according to metadata rules. Default: true |
Score
Scores are configured per relation type or depth. Scores are accumulated. The higher the score, the more relevant the related CI is to the current CI.
Example: For a CI that was found at level 2 in the same application service of the current CI, the score is 2. The same CI is in the same alert group, so there is an extra score of 3. The accumulated score is therefore 2+3 = 5.
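
The accumulation rule can be modelled as follows. This is an added example in plain JavaScript, not ServiceNow's own code; the relation records and the `kind` labels `app_service` and `alert_group` are hypothetical. With the default property values the CI from the example above totals 4; the figure of 5 corresponds to a group score of 3, which the second call sets as an override.

```javascript
// Added illustration (not ServiceNow code): accumulates the configured
// scores per related CI and ranks the result. Defaults are from the table.
const SCORE_PROPS = {
  'evt_mgmt.alert_insight_related_cis_topology_levels': '3',
  'evt_mgmt.alert_insight_group_mapping': '2',
  'evt_mgmt.alert_insight_level_1_mapping': '3',
  'evt_mgmt.alert_insight_level_2_mapping': '2',
  'evt_mgmt.alert_insight_level_3_mapping': '1',
};

function rankRelatedCis(relations, overrides = {}) {
  const props = { ...SCORE_PROPS, ...overrides };
  const num = (name) => {
    const n = Number(props[name]);
    if (!Number.isFinite(n)) throw new Error(`missing or invalid property: ${name}`);
    return n;
  };
  const maxLevel = num('evt_mgmt.alert_insight_related_cis_topology_levels');
  const totals = new Map();
  for (const rel of relations) {
    let score;
    if (rel.kind === 'alert_group') {
      score = num('evt_mgmt.alert_insight_group_mapping');
    } else if (rel.kind === 'app_service') {
      // CIs deeper than the configured topology depth are not retrieved.
      if (rel.level > maxLevel) continue;
      score = num(`evt_mgmt.alert_insight_level_${rel.level}_mapping`);
    } else {
      continue; // relation kinds outside this model are ignored
    }
    totals.set(rel.ci, (totals.get(rel.ci) || 0) + score);
  }
  // Highest score first; ties broken by CI name for a stable order.
  return [...totals].map(([ci, score]) => ({ ci, score }))
    .sort((a, b) => b.score - a.score || a.ci.localeCompare(b.ci));
}

// Constructed relations for one current CI (CI names are made up).
const RELATIONS = [
  { ci: 'db01', kind: 'app_service', level: 2 },
  { ci: 'db01', kind: 'alert_group' },
  { ci: 'web01', kind: 'app_service', level: 1 },
  { ci: 'lb01', kind: 'alert_group' },
  { ci: 'san01', kind: 'app_service', level: 4 }, // beyond default depth of 3
];

console.log(rankRelatedCis(RELATIONS));
console.log(rankRelatedCis(RELATIONS, { 'evt_mgmt.alert_insight_group_mapping': '3' }));
```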
Affiliation type
The Affiliation Type column in the Related Incidents, Related Change Requests, and Related Problems tabs shows the type of relationship that the CI of the selected alert and the related CI have.
To see affiliation type relationships, navigate to .
The parent-child relationship between configuration items is considered.