Wednesday
I have integrated SolarWinds and AWS CloudWatch with ServiceNow Event Management.
During a major outage, 5,000+ events flood the system in minutes, creating multiple duplicate alerts for the same CI. The Event Management dashboard becomes unusable.
How do we design a solution that reduces alert noise without losing visibility?
Any leads will be appreciated.
Wednesday
Hi @SandeepKSingh
Read the below steps carefully crafted by me as I faced the same issue in the past engagement:
- Analyze the Incoming Events:
  - Check the `em_event` table to see if duplicate events differ only by time or metric value.
  - Identify patterns like:
    - Same `node`, `resource`, `type`
    - Different `metric_name` or `description`
- Implement Alert Correlation Rules:
  - Use Alert Correlation Definitions to merge similar alerts under one parent.
  - Example:
    - Rule: If same `node` and `metric_name` within 5 minutes → merge alerts.
    - Result: 20 CPU alerts collapse into one.
- Create Alert Aggregation (De-duplication):
  - Enable the "De-duplication Key" in event rules (based on `node`, `metric_name`, `resource`).
  - ServiceNow will automatically update existing alerts instead of creating new ones.
- Use Threshold and Event Filters:
  - Set thresholds in Connector Definition (e.g., ignore metrics with less than 80% utilization).
  - Apply Event Filters to drop non-critical events (like "OK" or "Informational").
- Apply Correlation Engine Rules (optional advanced step):
  - Use Topological Correlation if you have Service Mapping in place.
  - For example, multiple alerts on the same Application Service can roll up to one parent alert for that business service.
If you found my response helpful, I would greatly appreciate it if you could mark it as "Accepted Solution" and "Helpful."
Your support not only benefits the community but also encourages me to continue assisting. Thank you so much!
Thanks and Regards
Ravi Gaurav | ServiceNow MVP 2025,2024 | ServiceNow Practice Lead | Solution Architect
CGI
M.Tech in Data Science & AI
YouTube: https://www.youtube.com/@learnservicenowwithravi
LinkedIn: https://www.linkedin.com/in/ravi-gaurav-a67542aa/
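The filter, de-duplication and correlation steps from the answer above, modelled in plain JavaScript as an added example; this is not part of the original post and not ServiceNow's engine or API. The event field names follow the answer; the function names, the `value` and `time` fields and the sample events are constructed for illustration.

```javascript
// Constructed model of the rules in the answer above; not ServiceNow's engine or API.
const WINDOW_MS = 5 * 60 * 1000;                    // "within 5 minutes"
const DROPPED = new Set(['OK', 'Informational']);   // event filter
const dedupKey = (e) => `${e.node}|${e.metric_name}|${e.resource}`;

function reduceEvents(events, minValue = 80) {
  const alerts = new Map();                         // de-duplication key -> alert
  const stats = { received: 0, filtered: 0, deduplicated: 0 };
  for (const e of [...events].sort((a, b) => a.time - b.time)) {
    stats.received++;
    if (DROPPED.has(e.severity) || e.value < minValue) { stats.filtered++; continue; }
    const open = alerts.get(dedupKey(e));
    if (open) {                                     // update the alert, do not create one
      open.count++; open.lastSeen = e.time; open.lastValue = e.value;
      stats.deduplicated++;
    } else {
      alerts.set(dedupKey(e), { key: dedupKey(e), node: e.node, metric_name: e.metric_name,
        count: 1, firstSeen: e.time, lastSeen: e.time, lastValue: e.value, parent: null });
    }
  }
  // Correlation: same node and metric_name, first seen within the window -> one parent.
  const parents = new Map();                        // node|metric_name -> parent alert
  for (const a of alerts.values()) {
    const group = `${a.node}|${a.metric_name}`;
    const p = parents.get(group);
    if (p && a.firstSeen - p.firstSeen <= WINDOW_MS) a.parent = p.key;
    else parents.set(group, a);
  }
  const all = [...alerts.values()];
  return { alerts: all, topLevel: all.filter((a) => a.parent === null), stats };
}

// Constructed sample: 20 CPU events on web01 across 4 cores in under 4 minutes,
// plus one OK event, one below-threshold event and one disk event on db01.
function sampleEvents() {
  const events = [];
  for (let i = 0; i < 20; i++) {
    events.push({ node: 'web01', resource: `cpu${i % 4}`, metric_name: 'cpu_util',
      severity: 'Critical', value: 90 + (i % 5), time: i * 10000 });
  }
  const cpu = { node: 'web01', metric_name: 'cpu_util' };
  events.push({ ...cpu, resource: 'cpu0', severity: 'OK', value: 20, time: 210000 });
  events.push({ ...cpu, resource: 'cpu1', severity: 'Warning', value: 75, time: 220000 });
  events.push({ node: 'db01', resource: '/var', metric_name: 'disk_used', severity: 'Critical', value: 97, time: 30000 });
  return events;
}
```

Each alert keeps `count`, `firstSeen` and `lastSeen`, so the per-alert counts still add up to every event that passed the filters while the dashboard shows only the `topLevel` parents.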
Wednesday
And below thread will also give you clarity:
Wednesday
Thanks for the quick help!!
