Scheduled jobs and parameters for alert grouping

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Scheduled jobs and parameters for alert grouping

    ServiceNow enables automated organization of alerts by configuring scheduled jobs that group alerts based on predefined criteria. This automation supports multiple grouping methods including Automated, CMDB, Text-based, Tag Cluster, and Network Traffic Correlation groups. The key scheduled job responsible for this process isService Analytics group alerts using RCA/Alert Aggregation, which typically runs once per minute to efficiently manage alert grouping.

    Show full answer Show less

    Key Features

    • Parallel Scheduled Jobs: You can run multiple scheduled jobs simultaneously to improve alert grouping efficiency.
    • Configurable Parameters: Alert grouping behavior is controlled via system properties that define how and when alerts are grouped. Important parameters include:
      • saanalytics.aggregationenabled: Enables or disables alert grouping for all supported group types.
      • saanalytics.agg.querydynamicwindow: Defines the maximum allowed time difference (default 10 minutes) between alerts for them to be grouped.
      • saanalytics.agg.querymaxgrouplifetime: Sets the maximum total lifespan of an alert group (default 30 minutes).
      • saanalytics.agg.groupexpirationtime: Extends grouping time if events arrive later than the max group lifetime.
    • Custom Property Creation: Some parameters are not provided out-of-the-box and must be created as system properties with assigned values to take effect.

    How Alert Grouping Works

    Alerts are grouped based on event generation times and configured windows:

    • For Tag Cluster grouping, alerts are grouped within a timeframe defined in the tag clustering settings.
    • For Automated, CMDB, Text-based, and Network Traffic Correlation grouping, alerts are aggregated if they occur within defined time windows relative to each other.

    Example grouping scenario:

    • Alerts with the same Configuration Item (CI) are evaluated by their event times.
    • Alerts more than 10 minutes apart are not grouped (dynamic window).
    • Alerts within 10 minutes of each other extend the grouping window and are added to the group.
    • The entire group expires if the total lifetime exceeds 30 minutes unless extended by the group expiration parameter.

    Practical Benefits for ServiceNow Customers

    By leveraging these scheduled jobs and parameters, customers can automate alert consolidation, reduce alert noise, and improve incident response efficiency. Customizing time windows and enabling parallel processing allows tailoring alert grouping to fit organizational needs, ensuring timely and relevant alert aggregation.

    Automate alert organization by configuring jobs to group alerts based on predefined criteria and parameters.

    To group alerts in Automated, CMDB, Text-based, Tag Cluster, and Network Traffic Correlation groups, the scheduled job named Service Analytics group alerts using RCA/Alert Aggregation is typically run once per minute. This job handles the grouping of alerts based on the specified method. Additionally, you can run multiple scheduled jobs in parallel to manage alert grouping more efficiently. For further details, see Run multiple scheduled jobs for alert grouping.

    To define which alerts are grouped, the following parameters are used:
    • sa_analytics.aggregation_enabled: This parameter enables alert grouping created by the schedule job. Set the property Enable alert aggregation for Automated, CMDB, and Text-Based groups to true to activate this feature.
      Note:
      This property also applies to Tag Cluster and Network Traffic Correlation grouping.
    • sa_analytics.agg.query_dynamic_window: By default, this is set to 10 minutes (600 seconds). It defines the maximum time difference allowed between the last event generation times of two alerts that can be grouped together.
    • sa_analytics.agg.query_max_group_lifetime: This parameter specifies the maximum time period from the generation of the first alert to the last alert in a group, with a default of 30 minutes (1800 seconds). If events arrive with a delay exceeding this period, the sa_analytics.agg.group_expiration_time parameter can be used to extend the grouping time beyond 30 minutes.
    Note:
    Some parameters, such as sa_analytics.agg.query_dynamic_window, sa_analytics.agg.query_max_group_lifetime, and sa_analytics.agg.group_expiration_time, are not provided out of the box. To use these properties, you need to create properties with the same names and assign the required values to them. For more information on how to create a property, see Add a system property.

    Example: How alerts are grouped

    For tag-cluster grouping, alerts are added to a group based on the timeframe parameter defined in the alert tag clustering settings. For automated, CMDB, and text-based, network traffic grouping, alerts are aggregated as follows.

    Consider the following alerts with the same CI. (All of them may be added to the same CMDB group).
    • Alert1: Initial event generation at 01:00:00 AM
    • Alert2: Initial event generation at 01:11:00 AM
    • Alert3: Initial event generation at 01:13:00 AM
    • Alert4: Initial event generation at 01:16:00 AM
    • Alert5: Initial event generation at 01:25:00 AM
    • Alert6: Initial event generation at 01:34:00 AM
    • Alert7: Initial event generation at 01:43:00 AM
    Alert1 and Alert2 are not grouped due to the time gap exceeding 10 minutes. Alert2 and Alert3 create a group at 01:13:00 AM. The 10-minute dynamic window starts at 01:13:00 AM, with the following:
    • Alert4 is added to the group at 01:16:00 AM, restarting the 10-minute window.
    • Alert5 and Alert6 are added to the group as their event times are within the 10-minute window.
    • Alert7 is not added to the group because it arrives 9 minutes after Alert6, exceeding the sa_analytics.agg.query_max_group_lifetime limit of 30-minute maximum group lifetime from the initial group creation (01:13:00 AM + 30 minutes = 01:43:00 AM).