Alert grouping types

  • Release version: Xanadu
  • Updated August 1, 2024

    Alerts are grouped into various types to streamline problem identification and management. An alert can belong to only one alert group at a time.

    You can view all alert groups by navigating to Event Management > All Alerts, where the icon in the Group column denotes the alert group type. Alerts not associated with any group will not have an entry in the Group column. Double-click the Group column for an alert group to open the Grouped Alerts dialog box, where you can display all alerts in the group and manually add or remove alerts.

    Note:
    The filter that defines an alert group must use only fields that appear in the [em_alert_history] table, because impact calculation relies on the data in that table. Fields such as Event Count, Priority, and Priority Group are not copied to the [em_alert_history] table for impact calculation and therefore cannot be used in the filter.
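    As an added example (not ServiceNow's own code), the following JavaScript checks an alert-group filter, written as a ServiceNow encoded query, against the set of fields present in em_alert_history, flagging the fields the note above says are not copied there; the em_alert_history column list, the operator set and the sample queries are constructed assumptions for illustration, and the real dictionary of your instance should replace the field list.

```javascript
// Added example, not ServiceNow's own code: validate an alert-group filter
// (encoded query) against the fields that exist in em_alert_history.
// The column names below are CONSTRUCTED for illustration; replace them with
// the dictionary entries of em_alert_history on your own instance.
const EM_ALERT_HISTORY_FIELDS = new Set([
  'cmdb_ci', 'metric_name', 'description', 'severity', 'source',
  'node', 'type', 'resource', 'state', 'sys_class_name'
]);

// Operators that may follow a field name in an encoded-query term.
// Longer operators come first so that "NOT LIKE" wins over "LIKE" and
// "!=" over "=" when both match at the same position.
const OPERATORS = ['NOT LIKE', 'NOT IN', 'STARTSWITH', 'ENDSWITH', 'ISNOTEMPTY',
  'ISEMPTY', 'LIKE', 'IN', '!=', '>=', '<=', '=', '>', '<'];

// Split one term such as "descriptionLIKEdisk" into its field and operator.
// The operator closest to the start of the term is taken, so uppercase text
// inside the value part (e.g. "metric_name=CPU IN USE") is not mistaken for it.
function splitTerm(term) {
  let best = null;
  for (const op of OPERATORS) {
    const i = term.indexOf(op);
    if (i !== -1 && (best === null || i < best.index)) best = { index: i, op };
  }
  return best && { field: term.slice(0, best.index), op: best.op };
}

// Return the base field of every condition in the encoded query.
// "^OR" and "^NQ" prefixes join terms, "^EQ" terminates a query, and a
// dot-walked field such as cmdb_ci.sys_class_name is reduced to cmdb_ci.
function filterFields(encodedQuery) {
  const fields = [];
  for (const raw of encodedQuery.split('^')) {
    const term = raw.replace(/^(OR|NQ)/, '');
    if (term === '' || term === 'EQ') continue;
    const parsed = splitTerm(term);
    if (parsed) fields.push(parsed.field.split('.')[0]);
  }
  return fields;
}

// Unique fields used by the filter that are absent from em_alert_history;
// an empty array means the filter is safe for impact calculation.
function validateGroupFilter(encodedQuery) {
  const missing = filterFields(encodedQuery).filter(f => !EM_ALERT_HISTORY_FIELDS.has(f));
  return [...new Set(missing)];
}
```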
    Table 1. Alert grouping types
    Columns: Type, Icon, Description, Creation method, Additional information

    • Log Analytics (icon: L)
      Description: Log Analytics groups are formed when the system identifies multiple related Log Analytics alerts, grouping them based on their significant connections.
      Creation method: Created as part of log analytics event processing.
      Additional information: Kinds of Health Log Analytics alerts
    • Rule-based (icon: R)
      Description: Rule-based groups consist of related alerts that are organized based on compliance with alert correlation rules, which determine how alerts are grouped according to their relationships.
      Creation method: Created via the business rule (Calculate correlation rule) on the em_alert table when an alert is created or updated.
      Additional information: Create an alert correlation rule
    • Automated (icon: A)
      Description: Automated groups are formed by alert aggregation and include a virtual alert as the primary alert of the group. An aggregated automated group is created when two or more alerts share the same CI type and metric name.
      Creation method: Created via scheduled job.
      Additional information: Automated alert grouping
    • CMDB-based (icon: C)
      Description: CMDB-based groups are formed based on CI relationships in the CMDB, specifically for CIs that are not included in rule-based or automated groups.
      Creation method: Created via scheduled job.
      Additional information: CMDB based alert grouping
    • Text-based (icon: T)
      Description: Text-based groups are formed by grouping alerts based on similar text from frequently used words in the following fields: Description, Metric Name, and CI Class.
      Creation method: Created via scheduled job.
      Additional information: N/A
    • Tag cluster (icon: Tag)
      Description: Tag cluster groups are formed by grouping alerts according to user-defined tag-based alert clustering definitions.
      Creation method: Created via scheduled job.
      Additional information: Tag cluster alert grouping
    • Manual (icon: M)
      Description: Alerts grouped manually by users to organize related issues.
      Creation method: Created manually by the user.
      Additional information: Create alert group manually

    For information on scheduled jobs and parameters, refer to Scheduled jobs and parameters for alert grouping. For detailed information on configuring alert correlation logic order, see Configure alert correlation logic order.