07-31-2025 09:48 AM
Hello All,
I have a requirement to correlate or group events/alerts based on their descriptions, provided they originate from the same location and organization.
For example, alerts with descriptions such as "device down", "CPU high", or "memory high" should be grouped together if they are from the same location and organization for the duration of 30 min, regardless of the node name.
Could someone please advise on how this can be implemented?
Labels: Event Management, Orchestration (ITOM)
07-31-2025 09:25 PM
Can someone provide the solution for this, please?
08-01-2025 02:13 AM
Hi @chandrakumar ,
As per my understanding, the solution overview will be:
You want:
* All alerts with the same/similar description
* And matching location + organization
* That arrive within a 30-minute time window
To be grouped together into a single alert or into the same group.
This is a perfect use case for:
* Alert Aggregation Rules, or
* Custom Correlation Processor (using Correlation Scripts)
* Optionally: dynamic CI grouping if you have multiple CIs.
Solution steps:
1. Identify attributes to use
Make sure incoming events/alerts have:
* description (or message / short_description)
* location (might be a custom field, or from the CI's location)
* organization (could be a custom field or derived from CI ownership / company)
2. Configure Alert Aggregation Rules
ServiceNow EM supports alert aggregation out of the box:
* Go to Event Management → Correlation → Alert Aggregation Rules
* Create a new rule:
  * Match on:
    * Description (exact match or regex if needed)
    * Location
    * Organization
  * Set Time window = 30 minutes
* Result:
  * Events that would normally create multiple alerts instead create a single alert, or get added to the existing alert if it was opened in the last 30 minutes.
Aggregation works across multiple events that match the criteria, regardless of node.
3. If descriptions vary slightly
If the description isn't exactly identical (e.g., "CPU high", "CPU utilization high"):
* Use regex / starts-with / contains in the aggregation rule.
* Or use Event Rules to normalize descriptions first:
  * Create an Event Rule before aggregation.
  * Set description to a normalized value (e.g., "Resource High") if the original description matches certain keywords.
4. Optional: Correlation Processor (advanced)
If aggregation isn't flexible enough:
* Write a custom correlation processor in script:
  * Correlate alerts by custom logic (e.g., similar description keywords + location + org).
  * Place it in:
    * Event Management → Correlation → Correlation Processors
  * The script can find matching alerts opened in the last 30 min and group new events into them.
5. Dynamic CI Groups (for visualization)
If alerts belong to different nodes but should show as one group:
* Create Dynamic CI Groups (Event Management → Groups).
* Use similar criteria: location + organization + similar issue.
* Events bind to alerts; alerts bind to the group.
Please appreciate the efforts of community contributors by marking the appropriate response as Helpful or Accept Solution; this may help other community users follow the correct solution in future.
Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
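As an added illustration (not ServiceNow code and not from this thread), here is the grouping logic that step 3 and step 4 above describe, written as plain JavaScript over constructed sample alerts. On an instance the alert lookups would go through the platform's record APIs instead; the keyword table, field names and sample data are assumptions made for this example.

```javascript
const WINDOW_MS = 30 * 60 * 1000; // the 30-minute window from the question

// Step 3: normalise near-duplicate descriptions before grouping.
// The keyword table is an assumption for this illustration.
const NORMALIZE_RULES = [
  { pattern: /cpu|memory|disk/i, value: "Resource High" },
  { pattern: /device down|unreachable/i, value: "Device Down" },
];

function normalizeDescription(desc) {
  for (const rule of NORMALIZE_RULES) {
    if (rule.pattern.test(desc)) return rule.value;
  }
  return desc.trim().toLowerCase(); // fall back to a case-insensitive exact match
}

// Step 4: group by normalised description + location + organisation.
// An alert joins an existing group only if that group was opened within
// the last 30 minutes; otherwise a new group is opened. Node is ignored.
function groupAlerts(alerts) {
  const groups = [];
  const sorted = [...alerts].sort((a, b) => a.time - b.time); // process in arrival order
  for (const alert of sorted) {
    const key = [normalizeDescription(alert.description), alert.location, alert.organization].join("|");
    let group = groups.find((g) => g.key === key && alert.time - g.openedAt <= WINDOW_MS);
    if (!group) {
      group = { key, openedAt: alert.time, members: [] };
      groups.push(group);
    }
    group.members.push(alert.node);
  }
  return groups;
}

// Constructed sample alerts (hypothetical nodes, locations and organisations).
const T0 = Date.UTC(2025, 6, 31, 9, 0); // 2025-07-31 09:00 UTC
const MIN = 60 * 1000;
const SAMPLE_ALERTS = [
  { node: "srv01", description: "CPU high", location: "Pune", organization: "Acme", time: T0 },
  { node: "srv02", description: "Memory high", location: "Pune", organization: "Acme", time: T0 + 5 * MIN },
  { node: "srv03", description: "CPU utilization high", location: "Pune", organization: "Acme", time: T0 + 20 * MIN },
  { node: "srv04", description: "CPU high", location: "Mumbai", organization: "Acme", time: T0 + 6 * MIN },
  { node: "srv05", description: "Device down", location: "Pune", organization: "Acme", time: T0 + 7 * MIN },
  { node: "srv06", description: "CPU high", location: "Pune", organization: "Acme", time: T0 + 45 * MIN },
];

console.log(groupAlerts(SAMPLE_ALERTS).map((g) => `${g.key}: ${g.members.join(", ")}`).join("\n"));
```

Running it yields four groups: srv01, srv02 and srv03 fall into one Pune/Acme "Resource High" group regardless of node, srv04 is separated by location, srv05 by description, and srv06 opens a fresh group because it arrives 45 minutes after the first one.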
4 weeks ago
Thanks @AJ-TechTrek Ajay for the response. I am not getting the option "Go to Event Management → Correlation → Alert Aggregation Rules" even though I have admin access to the instance.
Regards,
Chandra
4 weeks ago
Hi @chandrakumar ,
Refer to the screenshot attached below and the referenced SN documents for this.