Identifying relationships in log data by using log correlators
Summary
Log correlators in ServiceNow help detect relationships and correlations between alerts within log data, enabling you to determine if an alert is part of a broader issue. By analyzing key values or text in logs, correlators identify related alerts across multiple log sources, improving your ability to diagnose and address underlying problems.
Key Features
- Types of log correlators:
  - Free text correlators: Analyze unstructured terms in the message portion of logs, such as unique service or application names (e.g., "teatime") or identifiers like "policy-id" or "thread-id". These detect correlations that structured metadata does not capture.
  - Log property correlators: Analyze structured metadata in logs, such as service instance names, network device interface IDs, or request IDs, to identify simultaneous occurrences across different log sources.
- Scope configuration: You can apply a correlator to:
  - Only new log sources created after the correlator is activated.
  - All existing and new log sources.
  - A specified log source.
- Custom Correlators: Besides the base system’s predefined correlators, you can define custom correlators tailored to your environment’s specific log sources and business context.
- Exclusions: You can exclude specific log sources from being analyzed by a correlator to refine correlation results and reduce noise.
Practical Benefits
- Identify related alerts quickly by detecting shared identifiers or terms in logs, helping to uncover the root cause of larger incidents.
- Improve monitoring and troubleshooting by correlating alerts across multiple services, systems, or infrastructure components.
- Customize correlation rules to match your organization's unique environment and logging practices.
- Reduce alert noise by excluding irrelevant log sources from correlation analysis.
Log correlators are keys or values in log data that detect correlations between alerts to help you determine whether an alert is part of a larger issue. For example, a log correlator could detect when the interface ID of a particular network device occurs simultaneously in multiple warnings across different service instances.
You can identify related alerts in your log data by using log correlators. The base system includes several log correlators, and you can define custom correlators for a specific log source, all log sources, or only log sources created after the correlator is activated.
Most log lines include a metadata portion plus a message portion. Some log lines, however, include only message text with metadata included in the text. The two types of log correlators, free text correlators and log property correlators, analyze the different portions of each log to identify relationships between log data from multiple log sources.
- Free text correlators
  Free text correlators analyze the text in the message portion of log lines that are associated with an anomaly, and the system uses them to identify correlations between alerts. You add a term that you expect to appear in log messages. A good choice is a term that is unstructured and would not otherwise be extracted as a log property, for example "policy-id" or "thread-id".
  You also typically add free text correlators for the names of systems, applications, and services that are unique to your environment. Because such a value can be referred to by multiple sources, layers, middleware, or databases, the free text correlator can be an effective detector of correlated alerts. For example, if your organization's service is called TeaTime, then you might add "teatime" as a free text correlator. The correlator would identify alerts that are related because they were generated for resources that support the TeaTime service, such as a database lock or a connection failure between TeaTime components.
- Log property correlators
  Log property correlators analyze the metadata portion of log lines. For example, the correlator can analyze the name of a service instance, the interface ID of a network device, or the request ID of a web-facing component. A log property correlator could flag a correlation when the interface ID of a network device occurs simultaneously in multiple warnings in different log sources. Log property correlators are specific to the business context of your environment.
The scope of a log correlator determines which log sources it analyzes:
- Only new sources: The system applies the log correlator only to log lines from log sources that were created after the log correlator is activated.
- All sources: The system applies the log correlator to log lines from all log sources.
- Specified source: The system analyzes only log lines from the log source that you specify for the log correlator.
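The following is an added example, not code from the ServiceNow product or this page, that models both correlator types described above (free text and log property) together with the scope options and source exclusions. It runs each correlator over a handful of constructed warning lines from four hypothetical log sources and reports a correlation when the same key turns up in alerts from at least two distinct in-scope sources within a one-minute window. All names (teatime-web, billing-api, the field and function names) and the window length are assumptions of the example; the choice to append a trailing "=value" to a key-like free text term such as policy-id is this example's design, so that different policy ids are not lumped together.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LogLine:
    source: str        # log source that produced the line (assumed field name)
    ts: datetime
    props: dict        # structured metadata portion (log properties)
    message: str       # free-text message portion


@dataclass
class Correlator:
    name: str
    kind: str           # "free_text" or "log_property"
    term: str           # free-text term, or the metadata property name
    scope: str = "all"  # "all", "new" (sources created after activation) or "specified"
    specified_source: Optional[str] = None
    activated_at: Optional[datetime] = None
    excluded_sources: set = field(default_factory=set)


def in_scope(corr: Correlator, line: LogLine, source_created: dict) -> bool:
    """Apply the correlator's scope and exclusion list to one log line."""
    if line.source in corr.excluded_sources:
        return False
    if corr.scope == "all":
        return True
    if corr.scope == "specified":
        return line.source == corr.specified_source
    if corr.scope == "new":
        return source_created[line.source] > corr.activated_at
    raise ValueError(f"unknown scope {corr.scope!r}")


def correlation_key(corr: Correlator, line: LogLine) -> Optional[str]:
    """Value that ties this line to others under the correlator, or None."""
    if corr.kind == "log_property":
        val = line.props.get(corr.term)
        return None if val is None else f"{corr.term}={val}"
    # free text: the term must appear as a whole word anywhere in the message.
    # If it is written like a key ("policy-id=77") the value joins the key
    # (this example's choice, so different policy ids are kept apart).
    pat = r"(?<!\w)" + re.escape(corr.term) + r"(?!\w)(?:\s*[=:]\s*([\w.-]+))?"
    m = re.search(pat, line.message, re.IGNORECASE)
    if not m:
        return None
    return corr.term.lower() + (f"={m.group(1)}" if m.group(1) else "")


def correlate(corr, alerts, source_created, window=timedelta(minutes=1)) -> dict:
    """Return {key: sorted sources} for every key seen in alerts from at least
    two distinct in-scope log sources within `window` of each other."""
    groups = defaultdict(list)
    for line in alerts:
        if in_scope(corr, line, source_created):
            key = correlation_key(corr, line)
            if key is not None:
                groups[key].append(line)
    found = {}
    for key, lines in groups.items():
        lines.sort(key=lambda ln: ln.ts)
        for i, first in enumerate(lines):
            burst = [ln for ln in lines[i:] if ln.ts - first.ts <= window]
            sources = {ln.source for ln in burst}
            if len(sources) >= 2:
                found[key] = sorted(sources)
                break
    return found


T = datetime(2024, 5, 1, 12, 0, 0)
ACTIVATED = T - timedelta(days=1)
# Constructed sample: creation time of each hypothetical log source (drives scope "new").
SOURCE_CREATED = {
    "teatime-web": T - timedelta(days=30),
    "teatime-db": T - timedelta(days=30),
    "core-router": T - timedelta(days=30),
    "billing-api": T - timedelta(hours=1),   # created after ACTIVATED
}
# Constructed sample alerts (warning lines flagged as anomalies); not real logs.
ALERTS = [
    LogLine("teatime-web", T, {"request_id": "r-100"},
            "Connection to teatime-db timed out (policy-id=77)"),
    LogLine("teatime-db", T + timedelta(seconds=5), {"service_instance": "teatime-db-01"},
            "Lock wait timeout exceeded on table orders (teatime)"),
    LogLine("core-router", T + timedelta(seconds=10), {"interface_id": "Gi0/1"},
            "Interface Gi0/1 line protocol flapping"),
    LogLine("billing-api", T + timedelta(seconds=12),
            {"interface_id": "Gi0/1", "request_id": "r-100"},
            "Upstream unreachable via Gi0/1 (policy-id=77)"),
    LogLine("teatime-web", T + timedelta(minutes=10), {"request_id": "r-205"},
            "teatime cache miss storm"),              # too late to join the burst
]
CORRELATORS = [
    Correlator("svc-teatime", "free_text", "teatime"),
    Correlator("policy", "free_text", "policy-id"),
    Correlator("iface", "log_property", "interface_id"),
    Correlator("iface-excl", "log_property", "interface_id", excluded_sources={"billing-api"}),
    Correlator("req-all", "log_property", "request_id"),
    Correlator("req-new", "log_property", "request_id", scope="new", activated_at=ACTIVATED),
]


def run_example() -> dict:
    """Run every correlator over the sample; maps correlator name -> findings."""
    return {c.name: correlate(c, list(ALERTS), SOURCE_CREATED) for c in CORRELATORS}


if __name__ == "__main__":
    for name, found in run_example().items():
        print(name, found or "no correlation")
```

Two of the correlators deliberately find nothing: iface-excl, because the only other source carrying the interface ID is on its exclusion list, and req-new, because only billing-api was created after the activation time, so a single source is in scope and there is nothing to correlate against. Comparing req-new with req-all shows how the "only new sources" scope silently hides a real cross-source relationship when the older sources are the ones that matter.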