Types of Health Log Analytics alerts
Health Log Analytics generates several types of alerts.
- Component-based alert (Alert0010108 in the example)
- Component-based alerts involve more than one configuration item (CI). A component is a logical component of a service instance that caused the alert. A component can be multiple CIs that perform the same function, such as multiple redundant hosts. Important: Each Component-based alert is the parent of a number of read-only alerts. You do not work directly on read-only alerts. You work only on the parent Component-based alert. In this example service instance, the identical Java apps X, Y, and Z make up a single component: Component B. Tomcat servers Q, R, and S and their hosts make up a different single component: Component C.
  Figure 2. Example service instance
  Starting in the May 2025 store release, component-based alert groups are eliminated as Health Log Analytics transitions to a single alert model where alerts are bound directly to services. This change improves alert visibility, simplifies alert correlation, and enhances overall alert management efficiency.
- Log Analytics alert (Alert0010373 in the example)
- A Log Analytics alert identifies an anomaly that involves a single CI. A Log Analytics alert has the value None in the Group column. The anomaly that leads to the alert can be an unexpected number of log entries or an unexpected value of a metric.
- Log Analytics group (Alert0010157 in the example)
- When the system identifies multiple Log Analytics alerts that are related in important ways, it groups them into a Log Analytics group. A Log Analytics group can group up to four alerts. The system generates a Log Analytics group when the Log Analytics alerts share one or more of the following relationships:
  - Time: The events all occurred within a configured time interval.
  - Metadata: The alerts have matching values in log-line metadata. For example, all alerts involve the same host.
  - Message text: The message text in the log data is similar or identical between alerts.
  - Trend: The alerts show a similar tendency in values or rates. For example, a particular metric value is increasing in all alerts.
Note: You can mark an alert as significant. A significant alert is more likely to be included in a Log Analytics group when the associated metric behaves anomalously. For more information, see Mark an alert as significant.
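The following Python sketch is an added illustration, not ServiceNow's own grouping code: it models how Log Analytics alerts could be combined into a Log Analytics group using the four relationships above (Time, Metadata, Message text, Trend), the four-alert cap, and a preference for significant alerts. The thresholds, the Alert fields, and the sample alerts are all assumed or constructed for the example.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
# Assumed thresholds standing in for the product's configured values.
TIME_WINDOW_S = 300     # "Time": events within a configured interval
TEXT_SIMILARITY = 0.8   # "Message text": similar or identical log text
MAX_GROUP_SIZE = 4      # a Log Analytics group holds at most four alerts

@dataclass
class Alert:
    number: str
    host: str          # log-line metadata compared for "Metadata"
    ts: int            # event time, epoch seconds (constructed)
    message: str
    metric: str        # anomalous metric; same metric + same sign = "Trend"
    delta: float
    significant: bool = False

def related(a, b):
    """Names of the page's four relationships that alerts a and b share."""
    checks = {
        "time": abs(a.ts - b.ts) <= TIME_WINDOW_S,
        "metadata": a.host == b.host,
        "message": SequenceMatcher(None, a.message, b.message).ratio() >= TEXT_SIMILARITY,
        "trend": a.metric == b.metric and a.delta * b.delta > 0,
    }
    return [name for name, hit in checks.items() if hit]

def group_alerts(alerts):
    """Greedy model: significant alerts seed groups first; each later alert
    joins the first non-full group whose seed shares >= 1 relationship."""
    ordered = sorted(alerts, key=lambda a: (not a.significant, a.ts))
    groups = []
    for alert in ordered:
        for g in groups:
            if len(g) < MAX_GROUP_SIZE and related(g[0], alert):
                g.append(alert)
                break
        else:                      # no open, related group: start a new one
            groups.append([alert])
    return groups

# Constructed sample alerts, not real Health Log Analytics data.
ALERTS = [
    Alert("A1", "web01", 1000, "OutOfMemoryError in Tomcat worker", "heap_used", 12, True),
    Alert("A2", "web01", 1100, "OutOfMemoryError in Tomcat worker thread", "heap_used", 8),
    Alert("A3", "web02", 1200, "OutOfMemoryError in Tomcat worker", "heap_used", 5),
    Alert("A4", "db01", 1250, "Connection pool exhausted", "pool_wait", 3),
    Alert("A5", "db02", 9000, "Disk latency spike", "disk_latency", 40),
    Alert("A6", "web01", 1300, "OutOfMemoryError in Tomcat worker", "heap_used", 2),
]
```

With these inputs the significant alert A1 seeds a group that fills to the four-alert cap, so the related but late-arriving A6 starts a second group and the unrelated A5 ends up alone.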