CMDB Correlation in the Event Management
03-07-2023 04:28 AM
03-18-2023 09:05 AM
Hi @premnath,
You need to write the custom correlation rule as per the requirement.
That can be like: if alerts are generated for the same server, they can be correlated automatically, but if a network component generates the alerts, they can be individual, and the server impacted due to the network can again be part of the same correlation.
That type of correlation is not achievable OOB.
Thanks
Ajay Kumar
03-28-2023 05:11 AM
Hi @AJ-TechTrek,
The CMDB Relationship table [cmdb_rel_ci] has a relationship between the Server and Network. So, I have enabled the CMDB properties in the alert correlation properties. For this use case, the OOTB functionality should work with this, right? Then Server and Network alerts should be grouped, right? But it's not grouping.
If you have any inputs, can you explain, please?
Please find the images below for the properties which I enabled and tested.
03-28-2023 05:26 AM
Hi @Premnath M,
Details as below.
CMDB Alert Grouping.
- CMDB Alert Grouping is based on topology. For CIs without historical data, alerts are correlated based on those CIs' relationships in the CMDB.
- This feature can be enabled by setting the "sa_analytics.agg.query_cmdb_correlation_enabled" property to true.
- There are 3 different mechanisms used to form a CMDB group:
  - Applicative Flow
  - Suggested Relationship
  - Metadata Definition
- Applicative Flow
  - This is based on Business Service nodes.
  - It is controlled using property "sa_analytics.applicative_flow_rc_enabled"
- Suggested Relationship
  - This is based on the Suggested Relationship table.
  - It is controlled using property "evt_mgmt.related_cis_use_suggested_relations_rules"
- Metadata Definitions
  - This is based on the Hosting/Containment IRE Rules.
  - It is controlled using the properties below:
    - evt_mgmt.related_cis_use_hosting_rules - control on group hosting rules (true/false)
    - evt_mgmt.related_cis_use_containment_rules - control on group containment rules (true/false)
- The nodes grouped together should be related by the number specified in property sa_analytics.agg.query_cmdb_graph_walk_nodes. It means we can reach one CI from another in not more than the walk_nodes hops/levels/neighbors value specified.
Here are the alert groups: https://docs.servicenow.com/bundle/sandiego-it-operations-management/page/product/event-management/c...
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0867559
Please mark as helpful or accept solution if applicable.
Thanks
Ajay Kumar
03-28-2023 06:02 AM
Hi @AJ-TechTrek,
I have already tried the above-mentioned properties, but it is not grouping the different Resources.
For example, the ESX Server CI (Resource is Server) and the IP Switch CI (Resource is Network) have a relationship in the [cmdb_rel_ci] table. If an alert is generated for both CIs in a specific time frame (5 min), the two alerts are not correlated based on the CMDB alert grouping. But both the CIs have a relationship.
Why is it happening like this?
Thanks,
Premnath M