charleselite
ServiceNow Employee

Once you have Health Log Analytics (HLA) running and detecting anomalies on your own ServiceNow platform (see here for details on how to set it up: Advanced Tagging for Syslog Anomalies w. HLA), the next thing you need to do is sort through the anomalies and start building the ML feedback that tunes HLA to your platform specifically.

 

Advanced Tagging (LINK) enables you to find and consume the alerts you care most about. You can take it a step further and speed up time to detect the root cause by using those tags to pull more information and quick links into the Alert.

 

This effectively enables you to find the relevant alerts and the related records that caused them, and to take action. The easiest action in this workflow is to provide ML feedback to HLA so that it continues to tune and optimize the anomalies it detects.

 

 

HERE IS HOW TO CONNECT YOUR ALERT TO RELEVANT SOURCE RECORDS:

 

STEP 1: Make sure you have advanced tagging working and have the relevant tags. In this use case I am going to set up quick actions based on these tags: _user, table_name, record_sys_id

 

 

I’ve attached exports of the flow and action records to this community post, so you can optionally import them instead of building them via the instructions in STEP 2.

 

STEP 2: Create a flow and an action to take advantage of the data we care about here.

 

*NOTE: In this example I am using a community addition: Flow Designer Record Link Generator

 

  1. Create a Flow:

 

Name: HLA Advanced Tagging Response

Trigger: Created or Updated

Table: Alert

Condition:

         Source is Log Analytics

         Configuration item is ServiceNow Glide Sys Log**

 

         **Make sure you use the Service CI that matches your syslog implementation

 

Run Trigger: Once

 


 

 

 

  1. Create a New Action. We need an action to parse the JSON payload with the tags, to use them as variables.

 

Name: HLA Advanced Json Parsing

Action Input: Reference.Alert (name/label = Alert)


 

 

 

  1. Add Step > JSON Parser Step.

 

Source Data: Drag the data pill from your Alert input record: Alert.Additional_information

 

If you have a sample alert handy, you can copy paste the alert structure in the payload to generate the target outputs.


 

 

  1. Create 3 outputs (for my use case I only need 3, for the tags I need to act on)
  2.  Map the tags from the JSON parser step to the outputs in the action

 


 

 

 

 

  1. Let’s add this action to the Flow we created, and take action on it.

 

  1. What I did here was run a lookup on the User tag and a lookup on the table + record that triggered the anomaly alert.

 

 

Then I am adding a simple work note with a hyperlink to those records if I find a match. **This flow is using the Flow Designer Record Link Generator from the Developer Portal.
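The tag values originate in log data, so it is worth checking their shape before they drive a lookup or end up inside a work-note hyperlink. The sketch below is an added example in plain JavaScript, not the exported flow or action attached to this post; it assumes the three tags are top-level string keys in the alert's additional_info JSON, that `_user` holds a `user_name`, and it uses a placeholder instance URL.

```javascript
// Added example in plain JavaScript; not the Flow Designer action from the post.
// Assumptions: tags are top-level string keys in additional_info; the patterns
// below are illustrative shapes for each tag.
const SYS_ID = /^[0-9a-f]{32}$/;          // sys_id: 32 hex characters
const TABLE = /^[a-z][a-z0-9_]{0,79}$/;   // table name: lowercase, digits, underscores
const USER = /^[A-Za-z0-9._@-]{1,100}$/;  // assumed user_name character set

function parseTags(additionalInfo) {
  let data;
  try {
    data = JSON.parse(additionalInfo);
  } catch (e) {
    return null; // malformed payload: nothing to act on
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return null;
  const pick = (key, pattern) =>
    typeof data[key] === 'string' && pattern.test(data[key]) ? data[key] : null;
  return {
    user: pick('_user', USER),
    table: pick('table_name', TABLE),
    sysId: pick('record_sys_id', SYS_ID),
  };
}

function buildLinks(instanceUrl, additionalInfo) {
  const links = { user: null, record: null };
  const tags = parseTags(additionalInfo);
  if (!tags) return links;
  const base = instanceUrl.replace(/\/+$/, '');
  if (tags.user) {
    links.user = `${base}/sys_user.do?sysparm_query=` +
      encodeURIComponent(`user_name=${tags.user}`);
  }
  if (tags.table && tags.sysId) { // a record link needs both halves to be valid
    links.record = `${base}/${tags.table}.do?sys_id=${tags.sysId}`;
  }
  return links;
}

// Constructed sample payloads (not from a real instance).
const INSTANCE = 'https://example.service-now.com'; // placeholder URL
const SAMPLE_OK = JSON.stringify({
  _user: 'abel.tuter', table_name: 'incident',
  record_sys_id: '0123456789abcdef0123456789abcdef',
});
const SAMPLE_BAD = JSON.stringify({
  _user: '<b>not a user</b>', table_name: 'Incident Table', record_sys_id: 'not-a-sys-id',
});
console.log(buildLinks(INSTANCE, SAMPLE_OK));
console.log(buildLinks(INSTANCE, SAMPLE_BAD));
```

A link that passes these checks can still point at a record that no longer exists, so the lookup in the flow remains the existence check.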

 

 

 


 

 

 

 

 

END RESULTS:

 

We now have hyperlinks added via work notes that give you single-click access to the user or the record that caused the anomaly, so you can drill in and make decisions quickly.


 

 

 

 

 

 

The use cases for leveraging these new tags to build out automation in Flow Designer are endless.

1 Comment
Gabriel Moreir2
Tera Contributor

The example used may not be the best, given sys_trigger records are purged after execution (and likely gone at the point of alert remediation flows). HLA could add more context and perhaps even have access to a stacktrace kind of data to provide a holistic view of the platform files which caused a log to be created.