Refine the source type structure in Health Log Analytics

  • Release: Australia
  • Updated March 12, 2026
  • 8 minute read
  • Fine-tune how Health Log Analytics reads your inner log messages and detects anomalies by customizing the extracted properties in the source type structure.

    Before you begin

    Role required: evt_mgmt_admin

    Procedure

    1. Navigate to All > Health Log Analytics > Data Inputs > Source Type Structure.
    2. Open a record.
      Note:
      • Health Log Analytics automatically separates the transport header from the inner log message when Auto extraction is selected (default).
      • Health Log Analytics fetches log samples automatically the first time the Source Type Structure form displays. In subsequent sessions, fetch the latest samples by selecting Refresh Samples.
    3. Optional: Get AI-powered classification and labeling suggestions.
      AI can classify parsed log properties and suggest appropriate labels.
      1. Select Suggest classifications (AI) from the Source Type Structure page.

        On the Key/Value Mapping tab, AI-suggested classifications and labels appear in the AI-suggested classification and AI-suggested label columns.

      2. Review the suggestions.
      3. In the Classification and Labels to assign columns, select your preferred classifications and labels from the lists.
    4. Optional: View how the current JavaScript function affects the log lines.
      1. Add a sample message in the Test manual sample field.
      2. Select Go.
      3. In the Key/Value Mapping tab, note how the JavaScript function affects the log lines.
    5. In the Raw input sample field, choose a log message.

      When you test your JavaScript function, Health Log Analytics uses this sample message to show the joint effect of automatic extraction and the JavaScript function on the log lines.

      The following fields are read only:

      Field: description
      Duration (ms): The processing time of all samples, in milliseconds.
      Dropped: The total number of logs dropped in all the samples.
      Errors: The total number of errors that occurred in all the samples.
      Timestamp extraction failures: The number of timestamp extraction failures that occurred in all the samples.
      Severity extraction failures: The total number of severity extraction failures that occurred in all the samples.
      Message extraction failures: The total number of message extraction failures that occurred in all the samples.
      Lengthy properties: The total number of lengthy properties in all the samples. Lengthy properties are properties with more than 256 characters.
      Note:
      Because Health Log Analytics doesn't extract lengthy properties, they aren't indexed as keywords in Elasticsearch.
    6. Define a JavaScript function that customizes automatically extracted properties or adds properties to the source type structure.
      1. In the JavaScript console, either change the provided default JavaScript function, modify an existing custom JavaScript function, or define a new one.
        Note:
        In addition to the default JavaScript function, Health Log Analytics provides several JS function templates for refining the source type structure. The templates can act as a starting point for your custom script code. This feature is supported in the Health Log Analytics application, Version 20.0.11 - July 2021, available from the ServiceNow Store.

        JS function templates and what each one does:

        Extract Key_Values Using Regex: Parses logs into a series of key:value pairs by using regular expressions to identify specific patterns. Depending on the log data being sent to the source type, it parses either the inner message or the full log line. You can view how the data appears in the samples that are loaded into the source type structure. This process is iterative: it is repeated until all key:value pairs are found.

        Extract Key_Values Using split-regex: Parses logs into a series of key:value pairs by using regular expressions to identify specific patterns. This process captures the values in LIST form first, then uses the split function to create the key:value pairs. Depending on how the data appears in the raw input, this function might be more efficient than Extract Key_Values Using Regex. The raw input is either the inner message that header detection passes on, or the full raw log. If header detection is turned off or doesn't work on that particular log, the full raw log is used.

        JSON Parse - flatten: Extracts JSON that is embedded in another text string in the raw input, for example a JSON request written as part of a longer inner message. Nested JSON sections are difficult to split; this script "flattens" them, parsing out the key:value pairs.

        Extract a new field from raw input: Extracts a new field from the raw input, using a regular expression with capture groups to identify the new field's pattern.

        Parse XML format: Extracts key:value pairs from XML by using a regular expression to identify the XML format. This process is iterative: it is repeated until all key:value pairs are found.

        Set numerical severity level as textual values: Converts numerical severity values to their corresponding textual severity values.
        Note:
        For the system to identify the severity level of a log correctly, severity must be given in text format. No numerical severity values should remain.

        Trim function: Removes the double quotes that surround the string in VALUE. You can adapt this function to remove any other characters that surround the output VALUE of a key:value pair.

        The JavaScript function for refining the source type structure uses the following objects:
        Table 1. Signature: function construct (sample, output)
        Object: description
        sample: The inner message extracted from the sample message.
        output: Object that contains the key-value pair map.
      2. Test the JavaScript function by selecting Test.
      3. View the outcome of the JavaScript function in the related lists and modify if needed.
        • The Key/Value Mapping tab shows the effect of your JavaScript function combined with the system's automatic extraction on your raw input sample.

          Modify keys where appropriate.

          • The Classification field enables you to set or change the classification of a property. The available types are:
            Table 2. Classification (type: description; example)
            Meter: A property with this classification detects anomalies in the number of times the property appears in each log message. It presents changes in the quantity of this value as part of Automatic Root Cause analysis. Example: status codes, response codes, actions, or patterns.
            Note:
            Properties classified as Meter consume resources.
            Gauge: A property with this classification detects anomalies in a numerical value that is reported continuously. Example: CPU, memory, or response time.
            Note:
            Properties classified as Gauge consume resources.
            Timeless Gauge: A property with this classification detects anomalies in a numerical value that is not reported continuously. The system notifies you about an anomaly in this value regardless of when the anomaly occurred.
            Note:
            This feature is supported in the Health Log Analytics application, Version 20.0.11 - July 2021, available from the ServiceNow Store.
            Automatic Root Cause (ARC Only): A property with this classification is reported as part of the Automatic Root Cause analysis of another anomaly, not as an anomaly by itself. Example: user name, IP addresses, application components, or datacenter.
            Invalid: A property with this classification isn't calculated or shown in the Automatic Root Cause analysis.
            Note:
            Properties classified as Invalid save resources.
          • The Labels to assign field enables you to assign a label to a property.
            Table 3. Labels to assign (label: description)
            Timestamp: The property that holds the timestamp of the event.
            Note:
            If automatic header properties detection is enabled and the source type lacks a timestamp, the system extracts the timestamp from the transport header. If header detection is turned off or doesn't work for the relevant log lines in the data input, all log lines must have proper timestamps.
            Severity: The property that represents the severity level of the log.
            Message: The log message. The system uses this property to identify textual patterns in the data.
            Host: The property that represents the host from which the event was sent.
            Note:
            If automatic header properties detection is enabled and the source type lacks a host, the system extracts the host from the transport header. If header detection is turned off or doesn't work for the relevant log lines in the data input, all log lines must have a host.
            External ID: The property that serves as a unique identifier for this event type. For example, Event ID in Windows event log.
          • The Rename key field enables you to rename the key.
        • The Outcome Key-Value tab shows how your JavaScript function processed the data.
        • The Data Input Mappings tab shows the data input mappings for the current source type.

          The Last event time column on this tab shows the last date and time that the AI engine processed a log for the data input mapping. The system refreshes this information every five minutes. Knowing when the last log was processed for this data input mapping makes it easier to verify that log data is streaming.

        • The remaining tabs show errors, message extraction failures, severity extraction failures, timestamp extraction failures, and lengthy properties.
        Note:
        If your new JavaScript function isn’t behaving as expected, you can revert to the last published one by selecting the Revert JS Function related link.
      4. Optional: Make any necessary adjustments and then test the JavaScript function again.
    7. Select the Save template option to save the JavaScript function.
      You can either save the JavaScript function as a new template or overwrite the currently selected template.
      • To save the JavaScript function as a new template, enter a new name in the Template name field.
      • To overwrite the template currently selected in the JS function templates field, leave the Template name field empty.
    8. Select Publish to save the JavaScript function to the database.
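    As an added example (this is not code from the ServiceNow page and not one of the Health Log Analytics JS function templates), the function below follows the construct (sample, output) signature from Table 1 and does in one place what the Extract Key_Values Using Regex, JSON Parse - flatten, Set numerical severity level as textual values and Trim templates each do separately, plus a check for values that would count as lengthy properties. Everything beyond the signature is an assumption for illustration: the inner message is assumed to be a space-separated key=value line whose values are bare tokens, double-quoted strings or inline JSON objects; the key names (level, host, req), the numeric-to-text severity table, the sample messages and all helper names are made up. It is written in ES5 style so it runs in Node.js and in an older embedded JavaScript engine; whether the HLA console accepts it as-is is also an assumption, so paste it into the JavaScript console and use Test against your own samples before publishing.

```javascript
// Added example, not from the ServiceNow page or the HLA templates.
// ASSUMPTIONS: key=value inner messages; values are bare tokens, "quoted strings"
// or inline JSON objects; key names, severity table and helper names are invented.

// Constructed sample inner messages (not real logs).
var SAMPLES = [
  'level=3 host="web-01" status=502 latency_ms=842 req={"user":"alice","path":"/login","ctx":{"tries":2}}',
  'level=6 host="web-02" status=200 latency_ms=35 msg="ok"'
];

// Assumed numeric-to-text severity mapping (syslog-style); adjust to your source.
var SEVERITY_NAMES = {
  '0': 'emergency', '1': 'alert', '2': 'critical', '3': 'error',
  '4': 'warning', '5': 'notice', '6': 'info', '7': 'debug'
};

// The page states that properties longer than 256 characters are not extracted.
var MAX_PROPERTY_LENGTH = 256;

// Trim-template equivalent: strip one pair of surrounding double quotes.
function trimQuotes(value) {
  return value.replace(/^"(.*)"$/, '$1');
}

// Index of the '}' that closes the object opening at s[start], ignoring braces
// inside JSON strings. Falls back to the end of the string if unbalanced.
function matchBrace(s, start) {
  var depth = 0, inStr = false, i, c;
  for (i = start; i < s.length; i++) {
    c = s.charAt(i);
    if (inStr) {
      if (c === '\\') { i++; } else if (c === '"') { inStr = false; }
      continue;
    }
    if (c === '"') { inStr = true; }
    else if (c === '{') { depth++; }
    else if (c === '}' && --depth === 0) { return i; }
  }
  return s.length - 1;
}

// JSON Parse - flatten equivalent: nested objects become dotted keys and every
// leaf is stored as a string, like the other extracted values.
function flattenJson(prefix, obj, output) {
  var keys = Object.keys(obj), i, k, v, key;
  for (i = 0; i < keys.length; i++) {
    k = keys[i]; v = obj[k];
    key = prefix ? prefix + '.' + k : k;
    if (v !== null && typeof v === 'object') {
      flattenJson(key, v, output);
    } else {
      output[key] = String(v);
    }
  }
}

// The function the console expects: adds extracted properties to output.
// Returning output is only so the result can be checked stand-alone.
function construct(sample, output) {
  var keyRe = /(\w+)=/g, m, key, pos, raw, end;
  while ((m = keyRe.exec(sample)) !== null) {
    key = m[1];
    pos = keyRe.lastIndex;
    if (sample.charAt(pos) === '{') {
      raw = sample.slice(pos, matchBrace(sample, pos) + 1);
    } else if (sample.charAt(pos) === '"') {
      end = sample.indexOf('"', pos + 1);
      raw = end === -1 ? sample.slice(pos) : sample.slice(pos, end + 1);
    } else {
      end = sample.indexOf(' ', pos);
      raw = end === -1 ? sample.slice(pos) : sample.slice(pos, end);
    }
    // Resume after the value so key= text inside JSON or quotes is not re-read.
    keyRe.lastIndex = pos + raw.length;

    if (raw.charAt(0) === '{') {
      try {
        flattenJson(key, JSON.parse(raw), output);
        continue;
      } catch (e) {
        // Not valid JSON: fall through and keep it as an opaque string value.
      }
    }
    output[key] = trimQuotes(raw);
  }

  // "Set numerical severity level as textual values" equivalent: the Severity
  // label needs text, so replace the numeric level with its name.
  if (Object.prototype.hasOwnProperty.call(output, 'level') &&
      Object.prototype.hasOwnProperty.call(SEVERITY_NAMES, output.level)) {
    output.severity = SEVERITY_NAMES[output.level];
    delete output.level;
  }
  return output;
}

// Practitioner check: keys whose values would show up under Lengthy properties.
function lengthyKeys(output) {
  return Object.keys(output).filter(function (k) {
    return output[k].length > MAX_PROPERTY_LENGTH;
  });
}

// Stand-alone run under Node.js: print the key-value map each sample produces.
if (typeof require !== 'undefined' && require.main === module) {
  SAMPLES.forEach(function (s) {
    console.log(JSON.stringify(construct(s, {})));
  });
}
```

    In the console, output may already hold the properties that automatic extraction found, so this function only adds to it; the numeric level key is removed after it is mapped so that no numerical severity value remains for the Severity label, as the template note requires. Run lengthyKeys on the result of a test to see which values would be dropped from keyword indexing before you publish.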

    Results

    When the JavaScript function is published, Health Log Analytics uses it to fine-tune how it reads your inner log messages and detects anomalies.

    The new script is automatically added to the list of JS function templates from which you can choose. This feature is supported in the Health Log Analytics application, Version 20.0.11 - July 2021, available from the ServiceNow Store.

    What to do next

    Continue with the remaining data input setup tasks: Verify that all your log sources are present and active, and add timestamp formats if necessary.