Text-based alert grouping

  • Release version: Yokohama
  • Updated January 30, 2025
  • 3 minutes to read

    In text-based alert grouping, alerts are organized and correlated based on specific text patterns or keywords within the alert content. This approach dynamically groups alerts that share similar textual characteristics, such as error messages or event descriptions, allowing for more flexible and adaptive management of alerts.

    The EM Alert Clustering Solution is a method used to correlate alerts based on similarities in specific fields and form clusters or groups. In ServiceNow Event Management, it creates clusters based on the Description, Metric name, and Configuration item.Class fields. This solution organizes alerts into text-based groups, and when a new alert arrives, the ML Predictor identifies the appropriate cluster, grouping alerts within the same cluster.
    Note:
    The ML Predictor job is asynchronous and assigns real-time alerts to clusters, which may result in slight delays. This delay can cause text-based groups to be created several minutes later, as the alert grouping job runs once per minute. If prediction results are not available during a run, they are rechecked in the next grouping job.

    For text-based logic to execute, you must have the Predictive Intelligence plugin (com.glide.platform_ml) installed and the EM Alert Clustering Solution definition activated.

    Specific settings, or thresholds, control the behavior of text-based alert grouping. These thresholds define the criteria for how alerts are grouped based on text patterns or attributes. The text-based thresholds are:
    • Cluster quality threshold: The Cluster quality threshold (sa_analytics.alert_grouping_tb_cluster_quality_threshold) determines the minimum quality required for an alert cluster to be considered valid. This threshold ensures that only clusters with a minimum level of similarity and reliability are used. Clusters that meet this threshold are considered valid, which improves the precision of the groupings and reduces noise from irrelevant or low-quality clusters. The range of the threshold is from 1 to 100, and the default value is 70.
    • Alert rank threshold: The Alert rank threshold (sa_analytics.alert_grouping_tb_alert_rank_threshold) defines the minimum rank required for an alert to be included in a group. This threshold ensures that only alerts with a certain level of similarity are grouped together, filtering out lower-ranked alerts to maintain the quality of the alert group. The default value is 0.3; smaller values indicate better similarity.
    Note:
    To use these properties, you need to create properties with the same names and assign the required values to them. For more information on how to create a property, see Add a system property.

    The EM Alert Clustering Solution definition is located in the [ml_capability_definition_clustering] table. To access it, navigate to Predictive Intelligence > Clustering > Solution Definitions.

    To verify whether the solution definition is active, see Verify text-based clustering solution. To disable text-based alert grouping, set the property sa_analytics.text_based_group_enabled to false and clear the Active check box in the EM Alert Clustering Solution definition.

    Example of text-based alert grouping

    Scenario Example
    Network Connectivity Problems: There are widespread network connectivity issues affecting multiple departments.

    Alerts from various network monitoring tools might report issues like Network segment down, High packet loss, or Connectivity issues in subnet. Text-based alert grouping uses the EM Alert Clustering Solution and ML Predictor to streamline alert management. The EM Alert Clustering Solution employs Natural Language Processing (NLP) algorithms to analyze and identify common text patterns in alerts such as Network segment down or High packet loss. It then clusters these alerts based on their text similarity, grouping related issues together. The ML Predictor further enhances this process by evaluating new alerts in real time and assigning them to the appropriate existing clusters based on their text patterns.

    This dynamic grouping provides a consolidated view of the connectivity problems, allowing network engineers to quickly diagnose and address the root cause of the issues more efficiently.
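    The thresholds and enable property described above, together with the network connectivity scenario, as an added example that is not ServiceNow's code: a small JavaScript model of one run of the text-based grouping job. The property names and their defaults are taken from this page; the alert and cluster record shapes, the token-overlap function standing in for the ML Predictor's rank, the cluster quality values and the sample alerts are all constructed assumptions for illustration.

```javascript
// Added example, not ServiceNow's own code: a simplified, runnable model of how the
// text-based grouping job applies the page's properties to ML Predictor results.
// Property names and defaults are from the page; record shapes, the token-overlap
// "rank" and all sample data below are assumptions constructed for illustration.

const DEFAULT_PROPERTIES = {
  'sa_analytics.text_based_group_enabled': 'true',
  'sa_analytics.alert_grouping_tb_cluster_quality_threshold': '70',
  'sa_analytics.alert_grouping_tb_alert_rank_threshold': '0.3',
};

// Resolve the properties the way an instance stores them (as strings), validating ranges.
function readProperties(overrides) {
  const p = Object.assign({}, DEFAULT_PROPERTIES, overrides || {});
  const quality = Number(p['sa_analytics.alert_grouping_tb_cluster_quality_threshold']);
  const rank = Number(p['sa_analytics.alert_grouping_tb_alert_rank_threshold']);
  if (!(quality >= 1 && quality <= 100)) {
    throw new RangeError('cluster quality threshold must be between 1 and 100');
  }
  if (!(rank >= 0)) {
    throw new RangeError('alert rank threshold must be a non-negative number');
  }
  return { enabled: p['sa_analytics.text_based_group_enabled'] === 'true', quality, rank };
}

function tokens(text) {
  return new Set(String(text).toLowerCase().split(/[^a-z0-9]+/).filter(Boolean));
}

// Constructed stand-in for the predictor's rank: 0 means identical wording, 1 means no
// shared words. The real rank comes from the EM Alert Clustering Solution, not this.
function textRank(a, b) {
  const ta = tokens(a), tb = tokens(b);
  let shared = 0;
  ta.forEach(t => { if (tb.has(t)) shared++; });
  const union = ta.size + tb.size - shared;
  return union === 0 ? 1 : 1 - shared / union;
}

// Predict the best cluster for one alert. Clusters are formed on Description, Metric name
// and Configuration item.Class, so only clusters with the same metric and CI class qualify.
function predictCluster(alert, clusters) {
  let best = null;
  clusters.forEach(c => {
    if (c.metricName !== alert.metricName || c.ciClass !== alert.ciClass) return;
    if (!c.exemplars.length) return;
    const r = Math.min(...c.exemplars.map(e => textRank(alert.description, e)));
    if (best === null || r < best.rank) best = { clusterId: c.id, rank: r, quality: c.quality };
  });
  return best;
}

// One run of the per-minute grouping job. Alerts whose prediction has not arrived yet are
// deferred to the next run, mirroring the asynchronous ML Predictor described on the page.
function runGroupingJob(alerts, clusters, props) {
  const result = { groups: {}, ungrouped: [], deferred: [] };
  if (!props.enabled) { result.ungrouped = alerts.map(a => a.id); return result; }
  alerts.forEach(a => {
    if (a.predictionPending) { result.deferred.push(a.id); return; }
    const p = predictCluster(a, clusters);
    // Both gates must pass: the cluster is good enough AND the alert is close enough to it.
    if (p && p.quality >= props.quality && p.rank <= props.rank) {
      (result.groups[p.clusterId] = result.groups[p.clusterId] || []).push(a.id);
    } else {
      result.ungrouped.push(a.id);
    }
  });
  return result;
}

// Constructed sample data for the network connectivity scenario.
const SAMPLE_CLUSTERS = [
  { id: 'net-down', quality: 85, metricName: 'link_status', ciClass: 'cmdb_ci_netgear',
    exemplars: ['Network segment down', 'Network segment 10.0.0.0/24 down'] },
  { id: 'packet-loss', quality: 60, metricName: 'packet_loss', ciClass: 'cmdb_ci_netgear',
    exemplars: ['High packet loss', 'High packet loss on uplink'] },
];

const SAMPLE_ALERTS = [
  { id: 'A1', description: 'Network segment down', metricName: 'link_status', ciClass: 'cmdb_ci_netgear' },
  { id: 'A2', description: 'High packet loss on uplink', metricName: 'packet_loss', ciClass: 'cmdb_ci_netgear' },
  { id: 'A3', description: 'Disk 90% full', metricName: 'disk_usage', ciClass: 'cmdb_ci_linux_server' },
  { id: 'A4', description: 'Connectivity issues in subnet', metricName: 'link_status', ciClass: 'cmdb_ci_netgear', predictionPending: true },
  { id: 'A5', description: 'Network segment flapping', metricName: 'link_status', ciClass: 'cmdb_ci_netgear' },
];

console.log(JSON.stringify(runGroupingJob(SAMPLE_ALERTS, SAMPLE_CLUSTERS, readProperties()), null, 2));
```

    With the defaults, A1 joins the net-down cluster, A2 stays ungrouped because its cluster's quality (60) is below the 70 threshold even though the text matches exactly, A3 has no cluster with a matching metric and CI class, A4 is deferred until its prediction arrives, and A5 is too far from the cluster's wording (rank 0.5 is above 0.3). Raising the rank threshold to 0.5 pulls A5 into the group; setting the enable property to false leaves every alert ungrouped.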