Event Management
15 hours ago
Hello Folks,
Can anyone guide me on what correlation rules are in Event Management? And how do events come into the em_event table via MID Server/API integration? What configuration do we have to perform on the monitoring tool side and the ServiceNow side for event ingestion?
Thanks
10 hours ago
Hi @csatish ,
In ServiceNow Event Management, correlation rules are used to:
Group related alerts or events together and reduce noise. So instead of creating multiple incidents for the same issue, they help create one meaningful alert or incident.
Without correlation:
One server issue → 50 alerts
Each alert → separate incident
With correlation:
All related alerts → 1 primary alert
Events via MidServer:
Events come into the em_event table either through a MID Server or via API integration. When a monitoring tool is inside a customer network, it sends the event to the MID Server first. The MID Server forwards this message to ServiceNow through the ECC Queue, where Event Management processes it and creates a record in the em_event table. From there, correlation and alert rules are applied, and alerts are generated.
Events via MidServer
In API-based integration, the monitoring tool directly calls ServiceNow’s Event Management REST API endpoint, and ServiceNow validates the payload and inserts the event into the em_event table. In both cases, once the event is created, it goes through deduplication, correlation, and alert creation processes.
You can refer to the articles below.
If you find these useful, please mark it as helpful and Accept my solution....
6 hours ago
Hello @SIVASANKARIS ,
Thank you for providing the information. I just want to understand: how does the MID Server pull events into the Event table?
Thanks
8 hours ago
What are Correlation Rules in Event Management
Correlation rules in ServiceNow Event Management are used to group multiple related events into a single alert.
This helps reduce noise and avoids creating multiple incidents for the same underlying issue.
Correlation Rule Script
    (function correlate(current, previous) {
        // Correlate when both events come from the same node and the same source
        if (current.node == previous.node &&
            current.source == previous.source) {
            return true;
        }
        return false;
    })(current, previous);
Example:
If a server goes down, monitoring tools may send multiple events like CPU, memory, disk, and ping failures.
Correlation rules identify that these events belong to the same CI and group them into one alert.
Correlation is applied after events are created in the em_event table and before or during alert creation in em_alert.
How events come into the em_event table
Events can enter ServiceNow in two common ways.
1. MID Server based integration
Monitoring tools like SCOM, SolarWinds, Nagios, etc., send events to a MID Server.
The MID Server forwards the data to ServiceNow through the ECC Queue.
ServiceNow processes the payload and inserts records into the em_event table.
Flow:
Monitoring Tool → MID Server → ECC Queue → em_event
2. REST API based integration
External monitoring tools can directly send events using the Event Management REST API.
API endpoint:
POST /api/global/em/jsonv2
Sample payload:
    {
        "source": "Nagios",
        "node": "linux-server-01",
        "type": "CPU",
        "severity": "2",
        "description": "CPU usage crossed threshold"
    }
Each record in the payload creates one entry in the em_event table.
Configuration on Monitoring Tool side
On the monitoring tool side, you usually configure:
Event forwarding or webhook setup
ServiceNow endpoint or MID Server details
Authentication credentials
Event payload fields such as source, node, severity, metric, description
The goal is to send clean and meaningful events.
Configuration on ServiceNow side
On the ServiceNow side, you need:
Event Management plugin enabled
MID Server configured (if using agent based integration)
Event Rules to map incoming events to alerts
Correlation Rules to group related events
CI mapping to link events to CMDB
Alert Management Rules to create incidents or notifications
Simple Correlation Rule example
Correlation based on same source and node within a time window.
Logic:
If multiple events come from the same source and node within 5 minutes, correlate them into one alert.
What happens after event ingestion
Event inserted into em_event
Event Rules evaluated
Correlation Rules applied
Alert created or updated in em_alert
Incident created if configured
*************************************************************************************************************
If this response helps, please mark it as Accept as Solution and Helpful.
Doing so helps others in the community and encourages me to keep contributing.
Regards
Vaishali Singh
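The "same source and node within 5 minutes" logic from the answer above, as an added example that is not part of the original post and not ServiceNow's correlation engine: plain JavaScript for Node.js that groups constructed sample events into one primary alert per source/node per window. The `time` field, the function names and the fixed window measured from each group's first event are assumptions of this example.

```javascript
// Added illustration: plain JavaScript for Node.js, not a ServiceNow script.
const WINDOW_MS = 5 * 60 * 1000; // 5-minute correlation window from the post

// Group events that share source and node and arrive within windowMs of the
// group's first event. Each returned group stands for one primary alert.
// The numeric `time` field (ms) is an assumption of this example.
function correlateEvents(events, windowMs = WINDOW_MS) {
  const sorted = [...events].sort((a, b) => a.time - b.time);
  const open = new Map(); // [source, node] key -> most recent group for that key
  const alerts = [];
  for (const ev of sorted) {
    // Events missing a correlation key are never merged with anything.
    if (!ev.source || !ev.node) {
      alerts.push({ key: null, firstSeen: ev.time, lastSeen: ev.time, events: [ev] });
      continue;
    }
    // JSON-encode the pair so "a|b" + "c" cannot collide with "a" + "b|c".
    const key = JSON.stringify([ev.source, ev.node]);
    let group = open.get(key);
    if (!group || ev.time - group.firstSeen > windowMs) {
      group = { key, firstSeen: ev.time, lastSeen: ev.time, events: [] };
      open.set(key, group);
      alerts.push(group);
    }
    group.events.push(ev);
    group.lastSeen = ev.time;
  }
  return alerts;
}

// One "node:eventCount" string per alert, in order of creation.
function summarize(alerts) {
  return alerts.map(a => `${a.events[0].node}:${a.events.length}`);
}

// Constructed sample events (times in ms from an arbitrary start).
const MIN = 60 * 1000;
const sampleEvents = [
  { source: "Nagios", node: "linux-server-01", type: "CPU", time: 0 },
  { source: "Nagios", node: "linux-server-01", type: "Memory", time: 1 * MIN },
  { source: "Nagios", node: "linux-server-01", type: "Disk", time: 4 * MIN },
  { source: "Nagios", node: "linux-server-02", type: "Ping", time: 2 * MIN },
  { source: "Nagios", node: "linux-server-01", type: "CPU", time: 9 * MIN },
];

console.log(summarize(correlateEvents(sampleEvents)));
```

The CPU event at 9 minutes falls outside the first group's window and therefore opens a second alert for the same node.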
6 hours ago
Hello @vaishali231 ,
Thank you so much for the detailed information. Also, could you please help me understand: if I want to get alerts from the SolarWinds monitoring tool, what kind of configuration do we have to configure?
Thanks
