Hi @Tetsuya3 ,

That you’re seeing is expected default behavior — when an alert in a grouped alert set is updated to Severity = Clear, Event Management’s correlation engine closes or removes that alert from the group.

This can cause the group to break apart if the correlation conditions are no longer met.

As per my understanding Why Grouping Breaks When Severity = Clear

* Alert correlation in ServiceNow is state-aware.
* When one or more grouped alerts are cleared, Event Management:
1. Removes the cleared alert from the group.
2. Re-evaluates grouping rules for the remaining alerts.
* If the cleared alert was the parent alert (or had key correlation attributes), ServiceNow may:
* Break the group
* Reassign child alerts to separate parent alerts or leave them as standalone
* This is by design so that "closed" or "resolved" conditions don't keep unrelated alerts artificially grouped.

Possible Solutions
1. Adjust Your Correlation Rule Scope
* Review your Alert Correlation Rule in:
Event Management → Rules → Alert Correlation Rules
* If your correlation depends on fields like Severity, avoid including severity in the Group By criteria.
This way, severity changes won't cause grouping recalculations.
* Instead, group on stable identifiers like:
* Node (cmdb_ci)
* Resource
* Message key
* Source

2. Use a "Soft Clear" Instead of Hard Clear
* Instead of setting severity to "Clear" directly from the event feed:
* Map "Clear" events to close the alert after a delay (e.g., 5–10 minutes).
* This avoids immediate regrouping recalculation and lets related alerts finish processing together.

3. Make the Parent Alert Sticky
* If your correlation rule always uses the earliest/highest-priority alert as parent, a clear event on a child alert won't impact grouping.
* This requires setting:
* "Always select same parent for matching alerts" in the correlation rule.
* A fixed parent selection method like "Highest priority".

Recommended

Approach
If your operational requirement is to keep all related alerts grouped even after one is cleared, the cleanest way is:
1. Remove Severity from the Group By criteria in your correlation rule.
2. Use correlation script logic to maintain the parent ID for clears.
3. Optionally delay closure handling for “Clear” events to avoid premature group breakup.

Please appreciate the efforts of community contributors by marking appropriate response as Mark my Answer Helpful or Accept Solution this may help other community users to follow correct solution in future.
 

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025