DEX alert grouping

  • Release version: Yokohama
  • Updated January 30, 2025

When several alerts are triggered from events governed by the same metric rule in DEX, the alert grouping mechanism automatically consolidates them. This reduces the need for users to manage individual alerts, streamlines their response process, and enables faster issue resolution.

    When alerts are grouped together, you see the total count of secondary alerts grouped next to the primary alert number.

    DEX events and alerts representation

In the Events table [em_event], any event with the Source field value DEX is classified as a DEX event. For DEX events, the Type field displays DEX Metric Rules, because DEX alerts are generated based on DEX metric rules. When an event's State is Processed, an alert is generated and saved in the Alerts table [em_alert].

In the Alerts table [em_alert], select any alert to access its details. An alert that is created from a DEX event displays the Source field value DEX. The Metric name field value is either DEX App Metric or DEX Device Metric; for an alert on a device, the Metric name field value is DEX Device Metric. The Configuration item field shows the name of the corresponding application or device. Alerts whose Group field shows Rules-based are the DEX alert groups.

    Rule for alert correlation

In All > Event Management > Rules > Alert Correlation Rules, the DEX Metric Correlation Rule determines when alerts must be grouped and provides the details of the grouping.
    Note:
    For one application and one metric rule, there is only one alert in DEX. DEX creates alert groups when the metric rule is the same, regardless of whether the configuration items are the same or different. When the problem is resolved, closing the primary alert also closes the secondary alerts within the same group.

    Time-based alert grouping

    Time-based alert grouping automatically groups alerts according to predefined time intervals, which is advantageous for services generating numerous alerts. Consolidated alerts result in fewer disruptions for responders and contribute to shorter resolution times.

    In the System Properties table [sys_properties], the property sn_dex.alert.correlation_rule.device.period defines the time period in seconds for grouping and correlating similar metric rule-based DEX alerts. In the Value field, you can enter the desired time duration in seconds. For example, to set a 5-minute gap between alert groupings, enter 300. Entering 0 disables the rule.

    Let's consider an example: Alert A1 is generated for rule R1 from device D1. After two minutes, alerts A2 and A3 are generated for the same rule R1, but from devices D2 and D3 respectively. With A1 being the first alert, it's designated as the primary alert, and A2 and A3 are grouped as secondary alerts under A1.

    Now, suppose you have set the time duration to 300 seconds (5 minutes). If no alerts for rule R1 are generated within five minutes, and then after this period, alerts A4, A5, and A6 are generated for the same rule, a new group is formed. Alert A4 becomes the primary alert, and A5 and A6 are grouped under A4.

    However, if any alert is generated for rule R1 within five minutes, it's considered a secondary alert to A1 and grouped accordingly.
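The following is an added example, not ServiceNow code and not part of this page: a plain-JavaScript model of the time-based grouping rule described above, using the A1 to A6 scenario as constructed sample data. It assumes that the period is a quiet gap measured from the most recent alert in the group (the page's "5-minute gap between alert groupings" wording), that a period of 0 means the group never expires, and that alerts for different metric rules are never grouped together. The function names (groupAlerts, secondaryCounts, closePrimary) are assumptions for illustration; the behaviour modelled is the primary/secondary designation, the secondary count shown next to the primary alert, and closure of secondaries when the primary is closed.

```javascript
// Added example: a plain-JavaScript model of DEX time-based alert grouping.
// Not ServiceNow code; it uses no Glide APIs. Function and field names are
// assumptions chosen for illustration.

// Constructed sample alerts: id, metric rule, configuration item (device) and
// the generation time in seconds from an arbitrary origin.
const SAMPLE_ALERTS = [
  { id: 'A1', rule: 'R1', ci: 'D1', t: 0 },
  { id: 'A2', rule: 'R1', ci: 'D2', t: 120 },       // two minutes after A1
  { id: 'A3', rule: 'R1', ci: 'D3', t: 120 },
  { id: 'A4', rule: 'R1', ci: 'D1', t: 120 + 301 }, // more than five minutes of silence
  { id: 'A5', rule: 'R1', ci: 'D2', t: 120 + 360 },
  { id: 'A6', rule: 'R1', ci: 'D3', t: 120 + 400 },
  { id: 'B1', rule: 'R2', ci: 'D1', t: 60 },        // different rule: never grouped with R1
];

// period mirrors sn_dex.alert.correlation_rule.device.period, in seconds.
// 0 disables time-based grouping: every alert for a rule joins the first group.
function groupAlerts(alerts, period) {
  // Process alerts in generation order; ties are broken by id.
  const sorted = [...alerts].sort((a, b) => a.t - b.t || a.id.localeCompare(b.id));
  const openGroup = new Map(); // rule -> { primary, lastSeen }
  const result = [];
  for (const alert of sorted) {
    const g = openGroup.get(alert.rule);
    const quiet = g ? alert.t - g.lastSeen : Infinity;
    // Assumption: the window is a quiet gap measured from the most recent
    // alert in the group. An alert arriving after more than `period` seconds
    // of silence starts a new group and becomes its primary.
    const startNew = !g || (period > 0 && quiet > period);
    if (startNew) {
      openGroup.set(alert.rule, { primary: alert.id, lastSeen: alert.t });
      result.push({ id: alert.id, rule: alert.rule, primary: alert.id, role: 'primary' });
    } else {
      g.lastSeen = alert.t;
      result.push({ id: alert.id, rule: alert.rule, primary: g.primary, role: 'secondary' });
    }
  }
  return result;
}

// Number of secondary alerts per primary, as displayed next to the primary alert.
function secondaryCounts(grouped) {
  const counts = {};
  for (const r of grouped) {
    if (r.role === 'primary') counts[r.id] = counts[r.id] || 0;
    else counts[r.primary] = (counts[r.primary] || 0) + 1;
  }
  return counts;
}

// Closing a primary alert closes every alert in its group; returns the ids closed.
function closePrimary(grouped, primaryId) {
  return grouped.filter(r => r.primary === primaryId).map(r => r.id);
}

// Usage: with a 300-second period, A1 and A4 become primaries with two
// secondaries each, and B1 (rule R2) stands alone.
console.log(secondaryCounts(groupAlerts(SAMPLE_ALERTS, 300)));
```

Run with `node`; the printed object shows the per-primary secondary counts for the 300-second period. Changing the period to 0 collapses all R1 alerts under A1, which is the behaviour the page describes when time-based grouping is disabled.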