Alert grouping types and creation methods
This guide helps ServiceNow customers understand the various alert grouping types and their creation methods within Event Management. Effective alert grouping enhances problem identification and streamlines alert handling by organizing related alerts into manageable groups.
Users can view and manage alert groups by navigating to Event Management > All Alerts. The Group column displays an icon indicating the alert group type, and double-clicking this column opens the Grouped Alerts dialog, enabling users to view, add, or remove alerts from a group. Note that each alert can belong to only one group at a time.
Alert Grouping Types and Creation Methods
- Log Analytics (Icon: L): Groups related Log Analytics alerts identified through event processing, clustering them based on significant connections. Created automatically during log analytics event processing.
- Rule-based (Icon: R): Groups alerts that comply with alert correlation rules defining relationships between alerts. Created via a business rule on the em_alert table when an alert is created or updated. Enables automation based on customized correlation logic.
- Automated (Icon: A): Forms groups by aggregating alerts sharing the same Configuration Item (CI) type and metric name, with a virtual alert representing the group. Created by scheduled jobs that perform alert aggregation.
- CMDB (Icon: C): Groups alerts based on Configuration Item relationships in the CMDB, excluding those already grouped by rule-based or automated methods. Created via scheduled jobs leveraging CMDB data.
- Network Traffic based (Icon: N): Uses machine learning service mapping to analyze network traffic connections between processes on hosts, grouping alerts related to network traffic issues. Created via scheduled jobs.
- Text (Icon: T): Groups alerts sharing similar text in fields such as Description, Metric Name, or CI Class. Created via scheduled jobs to cluster alerts based on textual similarity.
- Tag Cluster (Icon: Tag): Groups alerts according to user-defined tag-based clustering definitions, allowing customized alert organization. Created via scheduled jobs.
- Manual (Icon: M): Alerts manually grouped by users to organize related issues as needed. Created manually by users.
Practical Use and Additional Information
Understanding these grouping types enables customers to tailor alert management strategies to their operational needs, improving incident response and reducing alert noise. Scheduled jobs automate most grouping methods, while manual grouping provides flexibility for exceptional cases.
For advanced configuration, customers can refer to documentation on scheduled jobs and parameters related to alert grouping, as well as on configuring alert correlation logic order to control how rule-based grouping applies.
Explore different alert grouping types, understand their descriptions, and learn about their creation methods to enhance problem identification and streamline alert management.
Viewing and managing alert groups
Types of alert grouping
| Type | Icon | Description | Creation method | Additional information |
|---|---|---|---|---|
| Log Analytics | L | Log Analytics groups are formed when the system identifies multiple related Log Analytics alerts, grouping them based on their significant connections. | Created as part of log analytics event processing. | Kinds of Health Log Analytics alerts |
| Rule-based | R | Rule-based groups consist of related alerts that are organized based on compliance with alert correlation rules, which determine how alerts are grouped according to their relationships. | Created via business rule (Calculate correlation rule) on em_alert table when alert is created or updated. | Create an alert correlation rule |
| Automated | A | Automated groups are formed by alert aggregation and include a virtual alert as the primary alert of the group. An Aggregated automated group is created when two or more alerts share the same CI type and metric name. | Created via scheduled job. | Automated alert grouping |
| CMDB | C | CMDB groups are formed based on CI relationships in the CMDB, specifically for CIs that are not included in rule-based or automated groups. | Created via scheduled job. | CMDB based alert grouping |
| Network traffic based | N | Network traffic alert groups are formed by analyzing network traffic connections between processes across hosts. This method leverages service candidates identified through ML Service Mapping to group alerts related to network traffic issues. | Created via scheduled job. | Network traffic based alert grouping |
| Text | T | Text groups are formed by grouping alerts based on similar text from frequently used words in the following fields: Description, Metric Name, and CI Class. | Created via scheduled job. | N/A |
| Tag Cluster | Tag | Tag Cluster groups are formed by grouping alerts according to user-defined tag-based alert clustering definitions. | Created via scheduled job. | Tag cluster alert grouping |
| Manual | M | Alerts grouped manually by users to organize related issues. | Created manually by the user. | Create alert group manually |
For information on scheduled jobs and parameters, refer to Scheduled jobs and parameters for alert grouping. For detailed information on configuring alert correlation logic order, see Configure alert correlation logic order.