Viewing links between alerts in alert groups in Express List

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Viewing links between alerts in alert groups in Express List

    This feature in ServiceNow Event Management enhances your ability to understand relationships between alerts grouped in the Express List by usingLink View. Link View visually represents how alerts within a group relate to each other by showing linked attributes and associated configuration items (CIs) or environment items. This visualization aids in rapid alert triage and impact analysis.

    Show full answer Show less

    Key Features

    • Visual Representation: Displays colored tags representing CIs and environment items linked to alerts in a group, helping you quickly discern relationships.
    • CMDB Integration: While Link View works without a populated Configuration Management Database (CMDB), having a CMDB enhances its value by revealing probable causes of alerts and the affected services.
    • Interactive Interface: Nodes representing alert attributes can be dragged to rearrange their positions for focused analysis; however, manual refresh is required to update the view.
    • Impact Visualization: Shows impacted services linked to alerts on CIs, enabling quick insight into service disruptions.
    • Stacked Nodes and Badges: Nodes aggregate multiple alerts sharing the same key-value pair, with badges indicating the number of alerts. Change badges highlight active change requests as probable alert causes.
    • Legend and Filtering: The Link View legend explains symbols and colors and allows toggling visibility of tag types to reduce noise.
    • Line Types: Solid lines indicate shared alerts between attributes; dotted lines indicate correlation through grouping criteria.
    • Tooltips: Hovering over nodes shows detailed information including tag name, class, severity, alert count, and alert role (primary, secondary, or probable cause).
    • Supported Alert Groups: Link View supports various alert group types such as tag-based, rules-based, CMDB-based, network traffic-based, log analytics-based, and mixed alert groups.

    Practical Benefits

    Using Link View in Express List helps ServiceNow customers quickly identify how alerts relate to each other and to underlying CIs and services. This improves root cause analysis, enables faster triage, and enhances service impact understanding. The visual and interactive nature of Link View reduces alert noise and complexity, allowing you to focus on critical alerts and probable causes, thereby optimizing your event management workflow.

    Gain a better understanding of the relationships between alerts in alert groups in the Express List by using Link View. Link View offers a visual representation of the relationships between the alerts in a group.

    When Event Management generates an alert group, Link View shows how the attributes of the alerts in the group are linked. The colored tags represent configuration items (CIs) and other environment items in relation to the alerts.

    The information shown in Link View is available without the need for a populated Configuration Management Database (CMDB). However, when the CMDB is populated, Link View offers additional value by providing the probable cause of the alerts and the service that the alert group impacts.

    Figure 1. Sample alert group in Link View
    Sample alert group in Link View.

    You can focus on your areas of interest by dragging the nodes in Link View to different positions. When you refresh an alert group, rearranged nodes appear in their original position again. Therefore, Link View is not refreshed automatically, but waits for you to do so manually.

    If an alert on a CI impacts a service in the Configuration Management Database (CMDB), Link View shows the impacted service, enabling you to view it at a glance for quick triage.

    A stacked node indicates that multiple nodes were mapped for the same tag. When the same key-value pair appears in more than one alert, the corresponding node is shown with a badge. For example, when the same key-value pair appears in two alerts, the badge on the node shows the number 2, as seen on the Payment tracker node in the sample alert group figure. When a node has no badge, the key-value pair appears in only one alert. An active change request, a probable cause of the alert, is marked by a Change badge.

    Figure 2. Node with a change badge
    Node with change badge.

    The Link View legend lists the meaning of the symbols and colors used and enables you to toggle between hiding and showing types of tags to reduce noise. In addition, the legend describes the meaning of the various lines linking the alert attributes. Attributes linked by a solid line share one or more alerts, whereas attributes linked by a dotted line are correlated by grouping criteria. For a description of each tag, see Attributes in Express List Link View. Hovering over a node displays a tooltip that includes the name of the tag, its class, its severity, the number of alerts in which it appeared, and whether the alert is primary or secondary or the probable cause of the alert, if applicable.

    Figure 3. Node tooltip
    Node tooltip with probable cause.
    Currently, Link View is supported for several alert groups. For more information, see the following topics: