Health Log Analytics terminology
Before getting started with Health Log Analytics, it's important to familiarize yourself with some key concepts used in the application.
| Term | Description |
|---|---|
| Alert | A notification that HLA generates when it finds a statistically significant anomaly in metrics based on your system's log data, indicating a potential IT issue. HLA sends these alerts to Event Management, where you can see them in the All Alerts list. |
| Anomaly | Unusual or unexpected behavior in log data that differs from the baseline of normal behavior that HLA has learned from historical patterns. |
| Baseline | The statistical model of normal behavior of your system that HLA has learned from historical log data patterns. This baseline helps HLA identify anomalies. |
| Classification | A data type that determines how the HLA engine analyzes and processes a parsed log field. Available classifications are: Meter, Gauge, Histogram, Automatic Root Cause (ARC Only), Timeless Gauge, and Invalid. |
| Component | Representation of the smallest part of a service instance, typically a single micro service, module, or daemon. For example, a "checkout flow" service instance may include components such as cart-service, payment-service, and inventory-service. Every log or metric is assigned to a single component. This ensures that anomalies or incidents are attributed to that specific component. |
| Configuration Item (CI) | An individual item in your IT environment, such as a server, database, or application, that is tracked and managed in the Configuration Management Database (CMDB). |
| Configuration Management Database (CMDB) | The central database in ServiceNow that stores and manages information about all CIs and their relationships. This database provides HLA with the necessary context to correlate logs, anomalies, and alerts to specific services. |
| Correlation | The process of connecting related log events, anomalies, and alerts. By using factors like patterns and relationships defined in the CMDB service relationships, HLA identifies a shared root cause and reduces "noise." |
| Data input | A configurable connector that enables HLA to collect, transform, and ingest log data from external sources. Note: The term data input is used in HLA's classic interface (UI16) and back-end records. See also: Integration. |
| Data input mapping | The process of mapping raw log data to its specific log source, enabling HLA to connect logs to the corresponding service instance and component for analysis with full context. It also involves mapping your raw log data to source types so HLA can understand the format and structure of your logs. Note: The term data input is used in HLA's classic interface (UI16) and back-end records. See also: Integration. For a description of the simplified mapping interface in the new HLA UI, see: Log context mapping. |
| Detection algorithm | The statistical or machine-learning logic that HLA uses to analyze metrics and patterns to identify anomalous behavior. Examples include sigma-based detection, trend analysis, and comparing against a baseline. |
| Enrichment | The process of adding extra, contextual information to raw log data to make it more meaningful and actionable for analysis. Enrichment helps HLA connect technical events to their potential impact on your business. |
| Grouped alerts | A collection of related alerts that are combined into a single group to reduce noise and simplify triage. |
| Incident | A record created in ServiceNow when correlated alerts point to a significant disruption in a service, requiring investigation and resolution. |
| Integration | A configurable connector that establishes data pipelines so HLA can collect, transform, and ingest log data from external sources. Setup of integrations is done through the Integrations Launchpad, which significantly reduces implementation time compared to manual data input setup. Note: The term integration is used in HLA's new UI experience and front-end records. See also: Data input. |
| Integrations Launchpad | A framework that provides integration setup workflows for connecting external log data sources to HLA. Setting up integrations through the Integrations Launchpad significantly reduces implementation time compared to manual data input setup. |
| Label | A semantic identifier assigned to common log properties, such as MESSAGE, HOST, TIMESTAMP, SEVERITY, and EVENT-ID. Labels tell HLA what role a parsed log field plays in the log structure. |
| Lexical keywords | Specific words found in log data, such as "crashed" or "failed," that can point to important issues. HLA tracks lexical keywords to detect widespread issues and long-forming trends. For more information, see: Add, edit, or delete lexical keywords in Health Log Analytics. |
| Log context mapping | The process of mapping your raw log data to the appropriate log source, enabling HLA to connect logs to their corresponding service instance and component for contextualized analysis. The user-friendly Log context mapping interface in the new HLA UI focuses only on the service context. It's simpler to use than Data input mapping in HLA's classic interface (UI16), which also includes source type configuration. See also: Data input mapping. |
| Log ingestion | The process of streaming logs from servers, endpoints, or log repositories to HLA, using data input connectors or integrations. |
| Log property | A structured data element, such as timestamp, severity, or error code, that is extracted from a log entry. |
| Log source | A logical representation of the source of the log data that HLA ingests. Each log source is defined by a service instance-component pair. HLA performs anomaly detection and generates alerts on issues within the scope of each individual log source. |
| Log Viewer | An interface within HLA that allows you to search, filter, and examine raw or parsed log data from multiple sources. The Log Viewer helps you investigate events and better understand your system's behavior. |
| Metric | A quantifiable measurement extracted from log data in HLA. HLA supports various generic metric types, such as METER (event count), GAUGE (numeric value), and HISTOGRAM (distribution bucket). It uses the extracted log data to automatically create message-pattern-based metrics (METER), severity metrics (METER), keyword metrics (METER), and raw log metrics (METER, GAUGE, and HISTOGRAM). Each metric is associated with a specific log source and monitored for anomalous behavior. |
| MID Server | An intermediary agent that facilitates secure communication between on-premise or private cloud log sources and the ServiceNow instance. It enables HLA to collect log data securely from environments that the instance can't access directly. |
| Parsing | The process of extracting meaningful, structured data fields from raw log entries. HLA uses its AutoParser and AutoExtraction capabilities to parse the logs, which then enables effective analysis, correlation, and visualization of the data. |
| Pattern | A recurring format found in log messages (free text fields within log records). HLA groups similar log messages that share this format into a pattern. It then monitors how often that pattern occurs to establish normal system behavior and detect anomalies. Note: HLA only performs pattern monitoring and anomaly detection on log properties labeled as MESSAGE. |
| Raw log data | The original, unprocessed log entries collected from external sources, which HLA ingests before parsing and analysis. |
| Root Cause Analysis (RCA) | An automated analysis that identifies meaningful factors, entities, and highlights that contributed to an alert or incident, helping to identify the underlying cause. |
| Service instance (formerly application service) | A logical grouping of Configuration Items (CIs), such as servers, databases, and applications, that collectively deliver a complete business service. In HLA, log data is correlated to service instances to provide a comprehensive, real-time view of their operational health and performance. Note: A single service instance can consist of multiple CIs, whereas the same CIs might be part of multiple service instances. |
| Severity | A classification in HLA that indicates the level of impact or urgency of an alert. This helps operators prioritize which issues to investigate and resolve first. |
| Source type | A configuration profile for a log data type that determines how HLA interprets, parses, and extracts fields from logs of that format and prepares the data for processing. Think of it as telling HLA: "Here’s a specific type of log, and here’s how you should process it." |
| Source type structure | A template within a Source Type that defines the fields and their arrangement in logs of that specific type. The Source type structure ensures that HLA can consistently extract and understand the incoming data. Think of it as telling HLA: "This part of this log is the timestamp." "This part is the severity." "This part is the error code," and so on. |
| Tag | Metadata applied to logs, metrics, or alerts. Tags are used for categorization, filtering, and correlation. |
| Time series | A sequence of metric values recorded in chronological order over a period of time. This data is used to identify trends, seasonality, and anomalies. |
| Variable extraction | The process of identifying and extracting dynamic, user-defined fields from log messages to enable custom metrics and analytics in HLA. |
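The following added example, which is not part of the HLA documentation or ServiceNow's code, ties several of the terms above together in a simplified form: it parses constructed log lines, collapses messages that share a format into a pattern by masking numeric variables, builds a per-minute METER metric (a time series) for each pattern, learns a baseline (mean and standard deviation) from the first minutes, and applies a sigma-based detection algorithm to flag anomalies. The log lines, the "payment timed out" message, and the per-minute counts are all constructed for the illustration; HLA's actual parsing and detection logic is not shown here.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed per-minute counts of one message pattern for a hypothetical
# payment-service component: ten "normal" minutes followed by a burst of 12.
_BASE_COUNTS = [2, 3, 2, 1, 2, 3, 2, 2, 1, 2]


def build_sample_logs():
    """Construct sample log lines: "<ISO timestamp> <SEVERITY> <MESSAGE>"."""
    lines = []
    for minute, n in enumerate(_BASE_COUNTS + [12]):
        for i in range(n):
            lines.append(
                f"2024-05-01T10:{minute:02d}:{(i * 4) % 60:02d} WARN "
                f"payment timed out after {30 + i} ms"
            )
        # A steady pattern (one line per minute) that should not be flagged.
        lines.append(f"2024-05-01T10:{minute:02d}:59 INFO order {1000 + minute} completed")
    return lines


# Variables that differ between otherwise identical messages: hex ids and numbers.
_VARIABLE_RE = re.compile(r"0x[0-9a-fA-F]+|\b\d+(?:\.\d+)?\b")


def to_pattern(message):
    """Mask variable parts so messages that share a format collapse into one pattern."""
    return _VARIABLE_RE.sub("<*>", message)


def parse_line(line):
    """Split a line into the TIMESTAMP, SEVERITY and MESSAGE properties."""
    timestamp, severity, message = line.split(" ", 2)
    return datetime.fromisoformat(timestamp), severity, message


def meter_series(lines):
    """Return {pattern: [(minute_bucket, count), ...]}: a METER metric per pattern.

    Every bucket seen in the input appears in every pattern's series, so a
    pattern that stops occurring yields explicit zero counts.
    """
    buckets = set()
    counts = {}
    for line in lines:
        ts, _severity, message = parse_line(line)
        bucket = ts.replace(second=0, microsecond=0)
        buckets.add(bucket)
        counts.setdefault(to_pattern(message), Counter())[bucket] += 1
    ordered = sorted(buckets)
    return {pattern: [(b, c[b]) for b in ordered] for pattern, c in counts.items()}


def learn_baseline(points, training_points):
    """Mean and sample standard deviation of the first training_points counts."""
    values = [count for _bucket, count in points[:training_points]]
    mean = statistics.fmean(values)
    std = statistics.stdev(values) if len(values) > 1 else 0.0
    return mean, std


def detect_anomalies(points, training_points, sigma=3.0):
    """Flag buckets after the training window whose z-score exceeds the sigma threshold."""
    mean, std = learn_baseline(points, training_points)
    anomalies = []
    for bucket, count in points[training_points:]:
        if std == 0.0:
            # A perfectly flat baseline: any change at all is a deviation.
            z = float("inf") if count != mean else 0.0
        else:
            z = (count - mean) / std
        if abs(z) >= sigma:
            anomalies.append(
                {"bucket": bucket.isoformat(timespec="minutes"), "count": count, "z": round(z, 2)}
            )
    return anomalies


def run_detection(lines, training_points=10, sigma=3.0):
    """Run baseline learning and sigma-based detection for every pattern in the lines."""
    return {
        pattern: detect_anomalies(points, training_points, sigma)
        for pattern, points in meter_series(lines).items()
    }


if __name__ == "__main__":
    for pattern, anomalies in run_detection(build_sample_logs()).items():
        print(pattern, "->", anomalies or "no anomalies")
```

Only the "payment timed out after <*> ms" pattern is flagged, in the minute where 12 occurrences arrive against a baseline of about 2 per minute; the "order <*> completed" pattern stays flat and is not reported. In HLA terms, that flagged bucket is the anomaly that would drive an alert for the log source (service instance and component) the lines belong to.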