Scheduled jobs and parameters for alert grouping

  • Release version: Washingtondc
  • Updated August 7, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Scheduled jobs and parameters for alert grouping

    This content details how to automate the organization of alerts in ServiceNow by configuring scheduled jobs that group alerts based on specific criteria. The primary job,Service Analytics group alerts using RCA/Alert Aggregation, is typically executed once per minute to manage alert grouping effectively.

    Show full answer Show less

    Key Features

    • Alert Grouping Automation: The parameter saanalytics.aggregationenabled enables automated alert grouping, which can be activated for Automated, CMDB, and Text-Based groups.
    • Time Parameters:
      • saanalytics.agg.querydynamicwindow: Default is 10 minutes, defining the maximum time gap for grouping alerts.
      • saanalytics.agg.querymaxgrouplifetime: Sets a maximum grouping period of 30 minutes from the first alert generation.
      • saanalytics.agg.groupexpirationtime: Used to extend grouping time beyond the 30-minute limit if needed.
    • Parallel Job Execution: Multiple scheduled jobs can run simultaneously to efficiently manage alert grouping and reduce system strain during high alert volumes.
    • Customizable Correlation Logic: Users can adjust the correlation logic order to prioritize alerts based on specific requirements.
    • Filtering Alerts: Filters can be applied to include only relevant alerts in the grouped sets, minimizing alert noise.

    Key Outcomes

    By configuring these scheduled jobs and parameters, ServiceNow customers can enhance their alert management process, streamline operations, and improve response times. This setup helps reduce alert noise and ensures that alerts are grouped effectively based on predefined criteria.

    Automate alert organization by configuring jobs to group alerts based on predefined criteria and parameters.

    To group alerts in Automatic, CMDB, Text-Based, and Tag-Cluster groups, the scheduled job named Service Analytics group alerts using RCA/Alert Aggregation is typically run once per minute. This job handles the grouping of alerts based on the specified method. Additionally, you can run multiple scheduled jobs in parallel to manage alert grouping more efficiently. For further details, see Run multiple scheduled jobs for alert grouping.

    To define which alerts are grouped, the following parameters are used:
    • sa_analytics.aggregation_enabled: This parameter enables automated alert grouping. Set the property Enable alert aggregation for Automated, CMDB, and Text-Based groups to true to activate this feature.
      Note:
      This property also applies to Tag Cluster grouping.
    • sa_analytics.agg.query_dynamic_window: By default, this is set to 10 minutes (600 seconds). It defines the maximum time difference allowed between the last event generation times of two alerts that can be grouped together.
    • sa_analytics.agg.query_max_group_lifetime: This parameter specifies the maximum time period from the generation of the first alert to the last alert in a group, with a default of 30 minutes (1800 seconds). If events arrive with a delay exceeding this period, the sa_analytics.agg.group_expiration_time parameter can be used to extend the grouping time beyond 30 minutes.
    Note:
    Some parameters, such as sa_analytics.agg.query_dynamic_window, sa_analytics.agg.query_max_group_lifetime, and sa_analytics.agg.group_expiration_time, are not provided out of the box. To use these properties, you need to create properties with the same names and assign the required values to them. For more information on how to create a property, see Add a system property.

    Example: How alerts are grouped

    For tag-cluster grouping, alerts are added to a group based on the timeframe parameter defined in the alert tag clustering settings. For automated, CMDB, and text-based, alerts are aggregated as follows.

    Consider the following alerts with the same CI. (All of them may be added to the same CMDB group).
    • Alert1: Initial event generation at 01:00:00 AM
    • Alert2: Initial event generation at 01:11:00 AM
    • Alert3: Initial event generation at 01:13:00 AM
    • Alert4: Initial event generation at 01:16:00 AM
    • Alert5: Initial event generation at 01:25:00 AM
    • Alert6: Initial event generation at 01:34:00 AM
    • Alert7: Initial event generation at 01:43:00 AM
    Alert1 and Alert2 are not grouped due to the time gap exceeding 10 minutes. Alert2 and Alert3 create a group at 01:13:00 AM. The 10-minute dynamic window starts at 01:13:00 AM, with the following:
    • Alert4 is added to the group at 01:16:00 AM, restarting the 10-minute window.
    • Alert5 and Alert6 are added to the group as their event times are within the 10-minute window.
    • Alert7 is not added to the group because it arrives 9 minutes after Alert6, exceeding the sa_analytics.agg.query_max_group_lifetime limit of 30-minute maximum group lifetime from the initial group creation (01:13:00 AM + 30 minutes = 01:43:00 AM).