Automated alert grouping

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Automated alert grouping

    Automated alert grouping in ServiceNow uses machine learning and historical data to automatically organize similar alerts into meaningful groups. These alerts often relate to system issues such as server errors or network outages. Grouping related alerts helps your teams identify recurring problems, reduce alert noise, and respond more efficiently by focusing on the underlying root causes rather than individual alerts.

    Show full answer Show less

    The grouped alerts are displayed in the Express List within the Service Operations Workspace, providing a consolidated view for faster decision making.

    How to Enable Automated Alert Grouping

    To activate machine learning-based alert correlation, set the property Enable ML based Automation correlation (saanalytics.specificpatternsenabled) to true. If domain support is enabled via the Domain Support - Domain Extensions Installer, grouping respects domain levels configured by the saanalytics.agg.learnerdomainlevel property.

    By default, this domain level is set to two, which typically corresponds to organizational units such as departments or teams. This allows alerts to be grouped contextually, for example by department, enhancing relevance for your operations teams.

    How It Works

    • Analyze Historical Data: The system studies past alerts to uncover patterns and relationships.
    • Apply Machine Learning: ML algorithms identify recurring patterns among alerts based on key characteristics such as issue type, affected system, or configuration items.
    • Group Similar Alerts: Alerts matching identified patterns are automatically grouped together.

    This process is akin to recognizing multiple traffic alerts related to the same incident on a specific street and grouping them to streamline response efforts.

    Benefits for ServiceNow Customers

    • Identify Recurring Issues: Quickly detect patterns indicative of ongoing problems like repeated server overheating.
    • Save Time: Manage groups of related alerts instead of addressing each alert individually.
    • Improve Response Efficiency: Concentrate on resolving the root cause rather than scattered symptoms, improving overall incident management.

    Automated alert grouping is a process that uses historical data to automatically organize similar alerts into groups. These alerts could be system issues, like server errors or network outages. By grouping related alerts together, it helps teams quickly identify patterns, manage recurring problems, and reduce the noise from too many individual alerts.

    Imagine you’re monitoring a city’s traffic system. You get a lot of alerts—like reports of accidents, traffic jams, and road closures. Automated alert grouping works like a smart assistant that organizes these alerts based on patterns, so you can see related issues together and respond more efficiently. These automated alert groups are displayed in the Express List within the Service Operations Workspace.

    How do you enable this grouping

    To enable machine learning-based automation for alert correlation, set the property Enable ML based Automation correlation (sa_analytics.specific_patterns_enabled) to true.

    If the Domain Support - Domain Extensions Installer is activated, alert aggregation patterns are created based on the domain level defined in the sa_analytics.agg.learner_domain_level property. By default, this domain level is set to two, which corresponds to the second level in the domain hierarchy. For example, in a company, Level 1 might represent the company itself, while Level 2 could represent departments or teams within the company. Alerts are grouped based on this second level, like sorting them by department or team. For more details, Domain separation and Event Management.

    How does it work

    Automated alert grouping uses machine learning (ML) and historical data to identify patterns among alerts. It looks at specific characteristics, called pattern identifiers—such as the type of issue, the affected system, CI or metric that happened multiple times within a similar time period—to determine if alerts are related. The Alert Aggregation Learner uses algorithms to group alerts based on patterns. Specifically, it uses pattern-based algorithms and probabilistic methods to analyze incoming alerts and identify related ones.

    Think of it like noticing that accidents often happen at a particular intersection at rush hour. The system groups similar alerts (like recurring traffic jams at the same spot) together based on certain identifiers (like location or type of problem). The system follows these key steps to group alerts effectively:
    • Analyze Historical Data: The system studies past alerts to learn patterns and relationships.
    • Apply Machine Learning: ML algorithms analyze historical alert data to identify patterns and relationships among alerts. It enables the system to learn from past incidents and improve its ability to group similar alerts together over time.
    • Group Similar Alerts: Alerts with matching patterns are automatically grouped together.
    Imagine you're managing a city's traffic system, and you receive multiple alerts:
    • 8:00 AM: Accident on Main Street
    • 8:05 AM: Traffic jam near Main Street
    • 8:10 AM: Road closure on Main Street
    Automated alert grouping works like a smart assistant by analyzing these alerts and recognizing a pattern. It groups them together because they all relate to Main Street, likely stemming from the same accident. This helps you see the bigger picture quickly and focus on resolving the root cause (the accident), rather than addressing each alert separately.

    Benefits

    • Find Recurring Issues: Quickly spot patterns (like a server consistently overheating).
    • Save Time: Handle groups of related alerts instead of individual ones.
    • Improve Response: Focus on fixing the root cause rather than dealing with scattered issues.