Event/Alert correlation based on alert description

chandrakumar
Tera Contributor

Hello All,

I have a requirement to correlate or group events/alerts based on their descriptions, provided they originate from the same location and organization.

For example, alerts with descriptions such as "device down", "CPU high", or "memory high" should be grouped together if they are from the same location and organization for the duration of 30 min, regardless of the node name.

Could someone please advise on how this can be implemented?

1 ACCEPTED SOLUTION

Hi @chandrakumar ,

 

Refer to the screenshots attached below and the referenced SN documents for this.

 

[Attached screenshots: Screenshot 2025-08-12 at 4.54.23 PM.png, Screenshot 2025-08-12 at 4.55.18 PM.png]

 

https://www.servicenow.com/docs/bundle/zurich-it-operations-management/page/product/event-management...

 

https://www.servicenow.com/docs/bundle/washingtondc-it-operations-management/page/product/event-mana...

 

Please appreciate the efforts of community contributors by marking the appropriate response as Helpful or Accept Solution; this may help other community users to follow the correct solution in future.
 

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025


5 REPLIES

chandrakumar
Tera Contributor

Can someone provide the solution for this, please?

AJ-TechTrek
Giga Sage

Hi @chandrakumar ,

 

As per my understanding, the solution overview will be:


You want:
* All alerts with the same/similar description
* And matching location + organization
* That arrive within a 30-minute time window
To be grouped together into a single alert or into the same group.
This is a perfect use case for:
* Alert Aggregation Rules or
* Custom Correlation Processor (using Correlation Scripts)
* Optionally: dynamic CI grouping if you have multiple CIs.

 

Solution Steps:


1. Identify attributes to use
Make sure incoming events/alerts have:
* description (or message / short_description)
* location (might be a custom field, or from CI’s location)
* organization (could be a custom field or derived from CI ownership / company)

 

2. Configure Alert Aggregation Rules
ServiceNow EM supports alert aggregation out of the box:
* Go to Event Management → Correlation → Alert Aggregation Rules
* Create a new rule:
  * Match on:
    * Description (exact match or regex if needed)
    * Location
    * Organization
  * Set Time window = 30 minutes
* Result:
  * Events that would normally create multiple alerts instead create a single alert, or get added to the existing alert if it was opened in the last 30 minutes.
  * Aggregation works across multiple events that match the criteria, regardless of node.

 

3. If descriptions vary slightly
If the description isn't exactly identical (e.g., "CPU high", "CPU utilization high"):
* Use regex / starts-with / contains in the aggregation rule.
* Or use Event Rules to normalize descriptions first:
  * Create an Event Rule before aggregation.
  * Set description to a normalized value (e.g., "Resource High") if the original description matches certain keywords.

 

4. Optional: Correlation Processor (advanced)
If aggregation isn't flexible enough:
* Write a custom correlation processor in script:
  * Correlate alerts by custom logic (e.g., similar description keywords + location + org).
* Place it in:
  * Event Management → Correlation → Correlation Processors
* The script can find matching alerts opened in the last 30 min and group new events into them.

 

5. Dynamic CI Groups (for visualization)
If alerts belong to different nodes but should show as one group:
* Create Dynamic CI Groups (Event Management → Groups).
* Use similar criteria: location + organization + similar issue.
* Events bind to alerts; alerts bind to the group.

 

Please appreciate the efforts of community contributors by marking the appropriate response as Helpful or Accept Solution; this may help other community users to follow the correct solution in future.
 

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
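As an added illustration (not ServiceNow code and not part of the answer above), the following plain JavaScript models steps 2 to 4 of that answer: descriptions are normalized first, then events are grouped into an alert keyed on description + location + organization when the alert was opened within the last 30 minutes, regardless of node. The field names, the normalization patterns and the sample events are assumptions constructed for this example.

```javascript
// Added example, not ServiceNow's own API: models the aggregation logic in plain JS.
// Field names (description, location, organization, node, time) and the
// normalization patterns are assumptions for illustration.
const WINDOW_MS = 30 * 60 * 1000; // 30-minute aggregation window

// Step 3: map slightly different descriptions to one normalized key before grouping.
const NORMALIZE_RULES = [
  { pattern: /cpu.*high/i, key: 'Resource High' },
  { pattern: /memory.*high/i, key: 'Resource High' },
  { pattern: /device.*down/i, key: 'Device Down' },
];

function normalizeDescription(description) {
  for (const rule of NORMALIZE_RULES) {
    if (rule.pattern.test(description)) return rule.key;
  }
  return description.trim().toLowerCase(); // fall back to a case-folded exact match
}

// Step 2/4: aggregate events into alerts keyed by description + location + organization;
// an event joins an existing alert only if that alert was opened within the window.
function aggregateEvents(events) {
  const alerts = [];
  const sorted = [...events].sort((a, b) => a.time - b.time); // process in arrival order
  for (const ev of sorted) {
    const key = normalizeDescription(ev.description);
    const match = alerts.find((al) =>
      al.key === key && al.location === ev.location &&
      al.organization === ev.organization && ev.time - al.openedAt <= WINDOW_MS);
    if (match) {
      match.events.push(ev); // grouped regardless of node name
      match.nodes.add(ev.node);
    } else {
      alerts.push({ key, location: ev.location, organization: ev.organization,
        openedAt: ev.time, events: [ev], nodes: new Set([ev.node]) });
    }
  }
  return alerts;
}

// Constructed sample events; times are minute offsets from an arbitrary t0.
const T0 = Date.UTC(2025, 7, 12, 16, 0, 0);
const minutes = (m) => T0 + m * 60 * 1000;
const SAMPLE_EVENTS = [
  { description: 'CPU high', location: 'DC1', organization: 'Org A', node: 'srv01', time: minutes(0) },
  { description: 'CPU utilization high', location: 'DC1', organization: 'Org A', node: 'srv02', time: minutes(10) },
  { description: 'memory high', location: 'DC1', organization: 'Org A', node: 'srv03', time: minutes(25) },
  { description: 'CPU high', location: 'DC2', organization: 'Org A', node: 'srv04', time: minutes(5) },  // other location
  { description: 'CPU high', location: 'DC1', organization: 'Org A', node: 'srv05', time: minutes(45) }, // outside window
];
```

Running `aggregateEvents(SAMPLE_EVENTS)` yields three alerts: one DC1/Org A alert holding the three events from srv01, srv02 and srv03, a separate DC2 alert, and a fresh DC1 alert for the event that arrives after the 30-minute window has closed.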

Thanks @AJ-TechTrek Ajay for the response. I am not getting this option "Go to Event Management → Correlation → Alert Aggregation Rules" even though I have admin access to the instance.

 

Regards,

Chandra
