Hi @chandrakumar ,

As per my understanding Solution Overview will be :-

You want:
* All alerts with the same/similar description
* And matching location + organization
* That arrive within a 30-minute time window
To be grouped together into a single alert or into the same group.
This is a perfect use case for:
* Alert Aggregation Rules or
* Custom Correlation Processor (using Correlation Scripts)
* Optionally: dynamic CI grouping if you have multiple CIs.

Solutions Steps:-

1. Identify attributes to use
Make sure incoming events/alerts have:
* description (or message / short_description)
* location (might be a custom field, or from CI’s location)
* organization (could be a custom field or derived from CI ownership / company)

2. Configure Alert Aggregation Rules
ServiceNow EM supports alert aggregation out of the box:
* Go to Event Management → Correlation → Alert Aggregation Rules
* Create a new rule:
* Match on:
* Description (exact match or regex if needed)
* Location
* Organization
* Set Time window = 30 minutes
* Result:
* Events that would normally create multiple alerts instead create a single alert, or get added to the existing alert if it was opened in the last 30 minutes.
Aggregation works across multiple events that match the criteria, regardless of node.

3. If descriptions vary slightly
If the description isn’t exactly identical (e.g., "CPU high", "CPU utilization high"):
* Use regex / starts-with / contains in aggregation rule.
* Or use Event Rules to normalize descriptions first:
* Create an Event Rule before aggregation.
* Set description to a normalized value (e.g., “Resource High”) if original description matches certain keywords.

4. Optional: Correlation Processor (advanced)
If aggregation isn’t flexible enough:
* Write a custom correlation processor in script:
* Correlate alerts by custom logic (e.g., similar description keywords + location + org).
* Place it in:
* Event Management → Correlation → Correlation Processors
* Script can find matching alerts opened in last 30 min and group new events into them.

5. Dynamic CI Groups (for visualization)
If alerts belong to different nodes but should show as one group:
* Create Dynamic CI Groups (Event Management → Groups).
* Use similar criteria: location + organization + similar issue.
* Events bind to alerts; alerts bind to the group.

Please appreciate the efforts of community contributors by marking appropriate response as Mark my Answer Helpful or Accept Solution this may help other community users to follow correct solution in future.
 

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025