Alert grouping types and creation methods

  • Release version: Zurich
  • Updated July 31, 2025

    Explore different alert grouping types, understand their descriptions, and learn about their creation methods to enhance problem identification and streamline alert management.

    Viewing and managing alert groups

    Navigate to Event Management > All Alerts to view all alert groups. The icon in the Group column denotes the alert group type; alerts not associated with any group have no entry in the Group column. Double-click the Group column to open the Grouped Alerts dialog, where you can view all alerts in the group and manually add or remove alerts.
    Note: An alert can belong to only one alert group at a time.

    Types of alert grouping

    Table 1. Alert grouping types

    Log Analytics (icon: L)
      Description: Log Analytics groups are formed when the system identifies multiple related Log Analytics alerts and groups them based on their significant connections.
      Creation method: Created as part of Log Analytics event processing.
      Additional information: Kinds of Health Log Analytics alerts

    Rule-based (icon: R)
      Description: Rule-based groups consist of related alerts organized according to the alert correlation rules they satisfy; the rules determine how alerts are grouped based on their relationships.
      Creation method: Created via the Calculate correlation rule business rule on the em_alert table when an alert is created or updated.

    Automated (icon: A)
      Description: Automated groups are formed by alert aggregation and include a virtual alert as the primary alert of the group. An aggregated automated group is created when two or more alerts share the same CI type and metric name.
      Creation method: Created via scheduled job.
      Additional information: Automated alert grouping

    CMDB (icon: C)
      Description: CMDB groups are formed based on CI relationships in the CMDB, specifically for CIs that are not included in rule-based or automated groups.
      Creation method: Created via scheduled job.
      Additional information: CMDB based alert grouping

    Network traffic based (icon: N)
      Description: Network traffic alert groups are formed by analyzing network traffic connections between processes across hosts. This method uses service candidates identified through ML Service Mapping to group alerts related to network traffic issues.
      Creation method: Created via scheduled job.
      Additional information: Network traffic based alert grouping

    Text (icon: T)
      Description: Text groups are formed by grouping alerts based on similar text from frequently used words in the following fields:
      • Description
      • Metric Name
      • CI Class
      Creation method: Created via scheduled job.
      Additional information: Text-based alert grouping

    Tag Cluster (icon: Tag)
      Description: Tag Cluster groups are formed by grouping alerts according to user-defined tag-based alert clustering definitions.
      Creation method: Created via scheduled job.
      Additional information: Tag cluster alert grouping

    Manual (icon: M)
      Description: Alerts grouped manually by users to organize related issues.
      Creation method: Created manually by the user.
      Additional information: Manual alert grouping
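    The following is an added illustration, not ServiceNow code, of how the constraints stated in this table interact: an alert joins at most one group, an automated group needs two or more alerts with the same CI type and metric name, and the CMDB pass only considers alerts that the earlier pass left ungrouped. Group identifiers, the virtual primary alert label, the relationship representation and the sample alerts are all constructed for the example.

```python
from collections import defaultdict

def _ungrouped(alerts):
    return [a for a in alerts if a["group"] is None]

def group_automated(alerts):
    """Aggregate by (CI type, metric name); the group's primary is a virtual alert."""
    buckets = defaultdict(list)
    for a in _ungrouped(alerts):
        buckets[(a["ci_type"], a["metric"])].append(a)
    groups = {}
    for (ci_type, metric), members in buckets.items():
        if len(members) < 2:             # one alert never forms an automated group
            continue
        gid = f"AUTO:{ci_type}:{metric}"  # assumed naming, not ServiceNow's
        groups[gid] = {"primary": f"virtual:{ci_type}:{metric}",
                       "members": [m["number"] for m in members]}
        for m in members:
            m["group"] = gid               # marks the alert as taken
    return groups

def group_cmdb(alerts, relationships):
    """Group leftover alerts whose CIs are connected by (ci, related_ci) pairs."""
    parent = {}
    def find(ci):                          # union-find over CI names
        parent.setdefault(ci, ci)
        while parent[ci] != ci:
            ci = parent[ci]
        return ci
    for x, y in relationships:
        parent[find(x)] = find(y)
    comps = defaultdict(list)
    for a in _ungrouped(alerts):           # alerts already grouped are skipped
        comps[find(a["ci"])].append(a)
    groups = {}
    for root, members in comps.items():
        if len(members) < 2:               # assumption: no single-alert CMDB groups
            continue
        groups[f"CMDB:{root}"] = [m["number"] for m in members]
        for m in members:
            m["group"] = f"CMDB:{root}"
    return groups

def run_example():
    # Constructed sample: two disk alerts share CI type and metric; webapp and db1 are only related via the CMDB
    rows = [("Alert001", "srv1", "linux_server", "disk_used"), ("Alert002", "srv2", "linux_server", "disk_used"),
            ("Alert003", "webapp", "web_app", "http_errors"), ("Alert004", "db1", "database", "connections")]
    alerts = [{"number": n, "ci": ci, "ci_type": t, "metric": m, "group": None} for n, ci, t, m in rows]
    rels = [("db1", "webapp"), ("srv2", "db1")]   # srv2 is related too, but its alert is already grouped
    return group_automated(alerts), group_cmdb(alerts, rels), {a["number"]: a["group"] for a in alerts}
```

    Running the passes in this order keeps Alert002 in its automated group even though srv2 is related to db1 in the CMDB, which is the "not included in rule-based or automated groups" condition from the CMDB row.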

    For information on scheduled jobs and parameters, refer to Scheduled jobs and parameters for alert grouping. For detailed information on configuring alert correlation logic order, see Configure alert correlation logic order.