List of predefined tag-based alert grouping definitions

  • Release version: Zurich
  • Updated July 31, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of List of predefined tag-based alert grouping definitions

    The Tag Based Alert Clustering Engine application in ServiceNow provides a set of predefined alert grouping definitions. These definitions automatically cluster alerts based on shared tag attributes and a creation time window of the last 10 minutes. This grouping helps customers efficiently manage and correlate alerts by common characteristics, reducing noise and streamlining incident handling.


    Key Features

    • Application-based grouping: Alerts from the same application are grouped together (default active in new systems).
    • IP Address grouping: Alerts sharing the same IP address are clustered.
    • Namespace and Subnet grouping: Alerts with the same namespace or subnet are grouped (namespace and subnet grouping are default active in new systems).
    • CI Class and Location grouping: Alerts are clustered by Configuration Item (CI) class and physical location.
    • Application and Environment grouping: Alerts from the same application and environment are grouped.
    • Node-based grouping: Alerts from the same or similar nodes are grouped (default active for exact node name matches in new systems).
    • Location and Assignment group grouping: Alerts sharing the same location and assignment group are clustered.
    • Region, Metric, and Type-based grouping: Alerts are grouped by combinations such as region and metric, CI class and metric, node and metric, assignment group and class, or type, metric, and source instance.
    • CI and Node grouping: Alerts from the same Configuration Item or node are grouped. Note: When the CI grouping rule is active, CMDB-based grouping must be disabled to avoid conflicts.

    Practical Impact

    By leveraging these predefined tag-based alert grouping definitions, ServiceNow customers can:

    • Improve alert triage by correlating related alerts based on various IT infrastructure attributes.
    • Reduce alert fatigue by consolidating alerts that are likely caused by the same underlying issue.
    • Customize alert clustering strategies based on organizational needs and environments.
    • Ensure efficient alert management when integrated with CMDB by managing rule conflicts.

    The following table lists the predefined alert clustering definitions provided with the Tag Based Alert Clustering Engine application.

    Table 1. Predefined alert clustering definitions
    | Name | Description | Order |
    |------|-------------|-------|
    | Group alerts from the same Application | Group all alerts from the same application, created in the last 10 minutes. In new systems, this definition is activated by default. | 9010 |
    | Group all alerts from the same IP address | Group all alerts from the same IP address, created in the last 10 minutes. | 9020 |
    | Group all alerts from the same Namespace | Group all alerts from the same namespace, created in the last 10 minutes. In new systems, this definition is activated by default. | 9030 |
    | Group all alerts from the same Subnet | Group all alerts from the same subnet, created in the last 10 minutes. In new systems, this definition is activated by default. | 9040 |
    | Group alerts from the same CI class and Location | Group all alerts from the same CI class and location, created in the last 10 minutes. | 9050 |
    | Group alerts from the same Application and Environment | Group all alerts from the same application and environment, created in the last 10 minutes. | 9060 |
    | Group all alerts from a similar Node | Group all alerts from a similar node name, created in the last 10 minutes. | 9070 |
    | Group alerts from the same Location and Assignment group | Group all alerts from the same location and assignment group, created in the last 10 minutes. | 9080 |
    | Group alerts from the same Region and Metric | Group all alerts from the same region and metric, created in the last 10 minutes. | 9090 |
    | Group alerts from the same CI class and Metric | Group all alerts from the same CI class and metric, created in the last 10 minutes. | 9100 |
    | Group alerts from the same Node and Metric | Group all alerts from the same node and metric, created in the last 10 minutes. | 9110 |
    | Group alerts from the same Assignment group and Class | Group all alerts from the same assignment group and class, created in the last 10 minutes. | 9120 |
    | Group alerts from the same Type, Metric and Source | Group all alerts from the same type, metric, and source instance, created in the last 10 minutes. | 9130 |
    | Group alerts from the same CI | Group all alerts from the same CI, created in the last 10 minutes. Important: When this rule is active, CMDB grouping must be disabled. | 9140 |
    | Group alerts from the same Node | Group all alerts from the same node, created in the last 10 minutes. In new systems, this rule is activated by default. | 9150 |