Event Management tag based alert clustering definition form

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Event Management tag based alert clustering definition form

    The Tag Based Alert Clustering Definition form in ServiceNow Event Management allows you to create or modify rules that cluster incoming alerts based on specified tags and conditions. This feature helps you group related alerts efficiently, improving alert manageability and response coordination.

    Show full answer Show less

    Key Features

    • Name: Unique identifier for each alert clustering definition.
    • Active: Enables or disables the definition; active by default.
    • Order: Defines the sequence in which definitions are evaluated for incoming alerts, with lower numbers processed first.
    • Domain: Displays the domain where the record was created (read-only).
    • Assignment group: Specifies the group responsible for working on the alert. Global rules apply if no group is assigned.
    • Description: Optional field to describe the alert clustering definition.
    • Filter: Sets conditions that alerts must meet to be considered for clustering. You can preview matching alerts before applying the filter. Filters are case sensitive by default but can be adjusted via system properties.
    • Override group description: Allows custom descriptions for alert groups created by this definition, replacing the default "Group of alerts" prefix.
    • Clustering timeframe: Defines the maximum time window (0-1440 minutes) between the first alert and subsequent alerts to be included in the same group.
    • Tags M2M: Enables selection of specific alert clustering tags that determine which alerts are grouped together. Tags must be pre-created on the Tag Based Alert Clustering Tags page.

    Practical Benefits for ServiceNow Customers

    This form empowers you to tailor alert clustering to your organization’s incident management workflows by defining precise conditions and timeframes for grouping alerts. Properly configured clustering reduces alert noise, improves incident response efficiency, and facilitates clear assignment of responsibility. The ability to override group descriptions enhances clarity in alert communications, while ordering and assignment group settings provide control over processing sequence and ownership.

    The form for creating or modifying a tag based alert clustering definition displays detailed information about the definition.

    Table 1. Tag based alert clustering definition form
    Field Description
    Name Name of the alert clustering definition.

    Definition names must be unique.
    Active Select to activate the definition. This option is selected by default.
    Order The order by which definitions are tested for incoming alerts. Those with lower Order values are tested first.

    When an alert matches one of the definitions' filters, it continues searching for more definitions.

    Default value = 1000
    Domain The domain in which the current record was created. Read-only.
    Assignment group Assignment group that works on the alert.

    If no assignment group is defined in the alert rule, then this alert rule is considered as a global rule.

    When the rules are running – first the global rules run and then the rules that belong to the assignment group of the alert.
    Description Enter an optional description of the alert clustering definition.
    Filter Set conditions that incoming alerts must meet to be measured by the alert clustering definition's tags. If the tags correspond to alerts that exist in the system and are within the Clustering timeframe (minutes) value, the incoming alerts join with the existing alerts to form an alert group.
    After configuring the filter, you can click the Preview button to view how many existing alerts match the filter's condition.
    Note:
    • Matching alerts are not automatically included together in an alert group. Alerts are grouped only if they have corresponding alert clustering tags.
    • Filter parameters are case sensitive by default. To disable case sensitivity, set the sa_analytics.correlation_case_sensitive parameter to false.
    • You can also configure alert fields to be excluded from the search, using the sn_em_tbac.tag_excluded_alert_fields property. By default, the following are excluded by this property:
      • type
      • event_class
    Override group description Default group descriptions begin with a “Group of alerts” prefix, followed by the description of the primary alert in the group. You may override this group description by selecting the Override group description check box. Then, in the Custom description field, type a description. This description is used as the description of the groups that are created by this alert clustering definition.
    Note:
    You cannot save the form if you left the Custom description field blank or with the default 'Group of alerts' text.
    Clustering timeframe The maximum time, in minutes, allowed between the first alert and subsequent alerts for them to be grouped together. For example, a value of 60 indicates that any alert generated within 60 minutes of the first alert in the group (the oldest alert) is included in the alert group. Any alert generated after this 60-minute window from the initial alert is not included in the group.

    Permitted values = 0-1440
    Tag Based Alert Clustering Definitions Tags M2M Select the alert clustering tags to be assigned to the alert clustering definition. Alerts that meet the criteria specified in the selected tags are included in the alert group.

    The available options are the tags created on the Tag Based Alert Clustering Tags page.